
CVE-2012-4193

Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
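The description above names the mechanism: the same-origin check was applied to named property reads on a cross-origin Location wrapper, but omitted on the primitive-conversion path (defaultValue, the hook behind String(loc), loc + '' and similar coercions) when the wrapper was unwrapped. The following is an added illustrative model of that bug class, written for this page; it is not Mozilla or SpiderMonkey code and does not reproduce the Firefox exploit. The origins, the toy Location object and the Proxy-based wrapper are all constructed for the example; the flag checkDefaultValue switches between a wrapper that skips the check on the conversion path (the flaw as described) and one that applies it.

```javascript
// Added model of the CVE-2012-4193 bug class (not Mozilla code): a cross-origin
// wrapper that checks named property reads but forgets the primitive-conversion
// path. In ECMAScript that path is ToPrimitive (Symbol.toPrimitive / toString /
// valueOf); the advisory's "defaultValue" is the engine-side equivalent.
'use strict';

const ORIGIN_VICTIM = 'https://bank.example';    // constructed sample origins
const ORIGIN_ATTACKER = 'https://evil.example';

// Toy inner Location object belonging to the victim-origin frame (constructed).
const innerLocation = {
  href: 'https://bank.example/account?token=abc123',
  origin: ORIGIN_VICTIM,
  toString() { return this.href; },
};

class SecurityError extends Error {}

// Wrap `target` for a script running at `accessorOrigin`.
// checkDefaultValue=false models the flaw: the conversion hooks unwrap to the
// inner object without an origin check. checkDefaultValue=true models the fix.
function makeLocationWrapper(target, accessorOrigin, checkDefaultValue) {
  const sameOrigin = () => accessorOrigin === target.origin;

  return new Proxy(target, {
    get(obj, prop) {
      // Primitive-conversion hooks (the defaultValue-equivalent path).
      if (prop === Symbol.toPrimitive || prop === 'toString' || prop === 'valueOf') {
        if (!checkDefaultValue || sameOrigin()) {
          // Unwrap: hand back a converter bound to the real inner object.
          return () => obj.toString();
        }
        throw new SecurityError(`blocked ${String(prop)} across origins`);
      }
      // Named property reads are always checked; this part was never the bug.
      if (!sameOrigin()) {
        throw new SecurityError(`blocked read of ${String(prop)} across origins`);
      }
      return obj[prop];
    },
  });
}

// Try both access paths and report what the accessing script learns.
// A blocked path is reported as the thrown error's class name.
function probe(wrapper) {
  const result = { hrefRead: null, coerced: null };
  try { result.hrefRead = wrapper.href; } catch (e) { result.hrefRead = e.constructor.name; }
  try { result.coerced = String(wrapper); } catch (e) { result.coerced = e.constructor.name; }
  return result;
}

// Attacker-origin script against the flawed wrapper: .href is blocked, but
// String(loc) leaks the full URL through the unchecked conversion path.
function vulnerableProbe() {
  return probe(makeLocationWrapper(innerLocation, ORIGIN_ATTACKER, false));
}

// Attacker-origin script against the fixed wrapper: both paths are blocked.
function fixedProbe() {
  return probe(makeLocationWrapper(innerLocation, ORIGIN_ATTACKER, true));
}

// Same-origin script: both paths succeed, so the fix does not break normal use.
function sameOriginProbe() {
  return probe(makeLocationWrapper(innerLocation, ORIGIN_VICTIM, true));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable :', vulnerableProbe());
  console.log('fixed      :', fixedProbe());
  console.log('same-origin:', sameOriginProbe());
}
```

The practitioner's takeaway is the one the advisory implies: a security wrapper has to mediate every path that can reach the inner object, including implicit ones such as type coercion, not just the obvious property-get and call traps. The same-origin probe is included to show that the corrected wrapper still works for legitimate access.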

Details Source

Mitre

Public Date

2012-10-11 00:00:00

Impact

Critical

Bugzilla

CVE-2012-4193 Mozilla: defaultValue security checks not applied (MFSA 2012-89)

Bugzilla ID

865215

CVSS Status

verified

Base Score

6.80

Base Metrics

AV:N/AC:M/Au:N/C:P/I:P/A:P

Acknowledgements

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter.

External References

http://www.mozilla.org/security/announce/2012/mfsa2012-89.html

Red Hat Security Errata

Platform                                                                         | Errata         | Release Date
Red Hat Enterprise Linux 6 (xulrunner)                                           | RHSA-2012:1361 | 2012-10-12
Red Hat Enterprise Linux Optional Productivity Applications (v. 5 server) (thunderbird) | RHSA-2012:1362 | 2012-10-12
Red Hat Enterprise Linux 6 (thunderbird)                                         | RHSA-2012:1362 | 2012-10-12
Red Hat Enterprise Linux 5 (xulrunner)                                           | RHSA-2012:1361 | 2012-10-12
Red Hat Enterprise Linux 5 (thunderbird)                                         | RHSA-2012:1362 | 2012-10-12

Affected Packages State

Platform                   | Package | State
Red Hat Enterprise Linux 6 | firefox | Affected
Red Hat Enterprise Linux 5 | firefox | Affected