CVE-2012-4201

Mozilla Firefox < 17.0 - Cross-Site Scripting via evalInSandbox

Title source: llm
STIX 2.1

Description

The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.

References (29)

Core 29
Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1638-3
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51370
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1638-2
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1636-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1483.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2584
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1482.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51434
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51439
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51440
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1638-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51359
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:173
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/56618
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/87594
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51381
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2583
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51369
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/80171
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51360
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=747607
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2588

Scores

EPSS 0.0196
EPSS Percentile 83.7%

Details

CWE
CWE-79
Status published
Products (26)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 11.10
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
debian/debian_linux 6.0
debian/debian_linux 7.0
mozilla/firefox < 17.0
mozilla/seamonkey < 2.14
mozilla/thunderbird < 17.0
mozilla/thunderbird_esr 10.0 - 10.0.11
... and 16 more
Published Nov 21, 2012
Tracked Since Feb 18, 2026