Executive Summary
Summary | |
---|---|
Title | Thunderbird vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1620-2 | First vendor Publication | 2012-10-30 |
Vendor | Ubuntu | Last vendor Modification | 2012-10-30 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 5.1 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | High |
Cvss Expoit Score | 4.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: USN-1620-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Thunderbird. Please note that Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content. Original advisory details: Mariusz Mlynski and others discovered several flaws in Firefox that allowed Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.10: Ubuntu 12.04 LTS: Ubuntu 11.10: Ubuntu 10.04 LTS: After a standard system update you need to restart Thunderbird to make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-1620-2 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
33 % | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:16856 | |||
Oval ID: | oval:org.mitre.oval:def:16856 | ||
Title: | The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. | ||
Description: | The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4195 | Version: | 22 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey Mozilla Firefox ESR Mozilla Thunderbird ESR |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:16918 | |||
Oval ID: | oval:org.mitre.oval:def:16918 | ||
Title: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4194 | Version: | 21 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey Mozilla Firefox ESR Mozilla Thunderbird ESR |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:16962 | |||
Oval ID: | oval:org.mitre.oval:def:16962 | ||
Title: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4196 | Version: | 21 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey Mozilla Firefox ESR Mozilla Thunderbird ESR |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18095 | |||
Oval ID: | oval:org.mitre.oval:def:18095 | ||
Title: | USN-1620-1 -- firefox vulnerabilities | ||
Description: | Several security issues were fixed in Firefox. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1620-1 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04 | Product(s): | firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18153 | |||
Oval ID: | oval:org.mitre.oval:def:18153 | ||
Title: | USN-1620-2 -- thunderbird vulnerabilities | ||
Description: | Several security issues were fixed in Thunderbird. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1620-2 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 | Product(s): | thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20689 | |||
Oval ID: | oval:org.mitre.oval:def:20689 | ||
Title: | RHSA-2012:1407: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1407-01 CESA-2012:1407 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20823 | |||
Oval ID: | oval:org.mitre.oval:def:20823 | ||
Title: | RHSA-2012:1413: thunderbird security update (Important) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1413-01 CESA-2012:1413 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23050 | |||
Oval ID: | oval:org.mitre.oval:def:23050 | ||
Title: | DEPRECATED: ELSA-2012:1413: thunderbird security update (Important) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1413-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 18 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23274 | |||
Oval ID: | oval:org.mitre.oval:def:23274 | ||
Title: | DEPRECATED: ELSA-2012:1407: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1407-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 18 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23409 | |||
Oval ID: | oval:org.mitre.oval:def:23409 | ||
Title: | ELSA-2012:1407: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1407-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 17 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23959 | |||
Oval ID: | oval:org.mitre.oval:def:23959 | ||
Title: | ELSA-2012:1413: thunderbird security update (Important) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1413-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 17 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27126 | |||
Oval ID: | oval:org.mitre.oval:def:27126 | ||
Title: | DEPRECATED: ELSA-2012-1407 -- firefox security update (critical) | ||
Description: | firefox [10.0.10-1.0.1.el6_3] - Replaced firefox-redhat-default-prefs.js with firefox-oracle-default-prefs.js [10.0.10-1] - Update to 10.0.10 ESR [10.0.8-2] - Fixed rhbz#865284 - add the storage.nfs_filesystem config key to property list - disable OOP for wrapped plugins (nspluginwrapper) xulrunner [10.0.10-1.0.1.el6_3] - Replaced xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js [10.0.10-1] - Added patches from 10.0.10 ESR | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1407 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27771 | |||
Oval ID: | oval:org.mitre.oval:def:27771 | ||
Title: | DEPRECATED: ELSA-2012-1413 -- thunderbird security update (important) | ||
Description: | [10.0.10-1.0.1.el6_3] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [10.0.10-1] - Update to 10.0.10 ESR | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1413 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-12-13 | Name : SuSE Update for Mozilla Suite openSUSE-SU-2012:1412-1 (Mozilla Suite) File : nvt/gb_suse_2012_1412_1.nasl |
2012-11-02 | Name : CentOS Update for thunderbird CESA-2012:1413 centos5 File : nvt/gb_CESA-2012_1413_thunderbird_centos5.nasl |
2012-11-02 | Name : CentOS Update for thunderbird CESA-2012:1413 centos6 File : nvt/gb_CESA-2012_1413_thunderbird_centos6.nasl |
2012-11-02 | Name : RedHat Update for thunderbird RHSA-2012:1413-01 File : nvt/gb_RHSA-2012_1413-01_thunderbird.nasl |
2012-11-02 | Name : Mozilla Firefox Multiple Vulnerabilities - November12 (Mac OS X) File : nvt/gb_mozilla_prdts_mult_vuln_nov12_macosx.nasl |
2012-11-02 | Name : Mozilla Firefox Multiple Vulnerabilities - November12 (Windows) File : nvt/gb_mozilla_prdts_mult_vuln_nov12_win.nasl |
2012-10-31 | Name : Ubuntu Update for thunderbird USN-1620-2 File : nvt/gb_ubuntu_USN_1620_2.nasl |
2012-10-29 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox71.nasl |
2012-10-29 | Name : CentOS Update for firefox CESA-2012:1407 centos5 File : nvt/gb_CESA-2012_1407_firefox_centos5.nasl |
2012-10-29 | Name : CentOS Update for firefox CESA-2012:1407 centos6 File : nvt/gb_CESA-2012_1407_firefox_centos6.nasl |
2012-10-29 | Name : RedHat Update for firefox RHSA-2012:1407-01 File : nvt/gb_RHSA-2012_1407-01_firefox.nasl |
2012-10-29 | Name : Ubuntu Update for firefox USN-1620-1 File : nvt/gb_ubuntu_USN_1620_1.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-745.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2012-1413.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1407.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox-201210b-121029.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
2012-11-14 | Name : The remote Fedora host is missing a security update. File : fedora_2012-17841.nasl - Type : ACT_GATHER_INFO |
2012-11-01 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_firefox-201210b-8348.nasl - Type : ACT_GATHER_INFO |
2012-10-31 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2012-1413.nasl - Type : ACT_GATHER_INFO |
2012-10-31 | Name : The remote Scientific Linux host is missing a security update. File : sl_20121029_thunderbird_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-10-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1413.nasl - Type : ACT_GATHER_INFO |
2012-10-30 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1620-2.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_10010.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_1602.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_10010.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_1602.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_16_0_2.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_10_0_10.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1407.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : seamonkey_2132.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_16_0_2.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_10_0_10.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6b3b1b97207c11e2a03fc8600054b392.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1620-1.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1407.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:01:00 |
|