Executive Summary

Information | Value
---|---
Name | MDVSA-2012:167
Vendor | Mandriva
First vendor Publication | 2012-10-13
Last vendor Modification | 2012-10-13
Severity (Vendor) | N/A
Revision | N/A
Security-Database Scoring CVSS v3
Cvss vector : N/A

Score | Value
---|---
Overall CVSS Score | NA
Base Score | NA
Environmental Score | NA
Impact Sub Score | NA
Temporal Score | NA
Exploitability Sub Score | NA
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Score | Value | Metric | Value
---|---|---|---
Cvss Base Score | 9.3 | Attack Range | Network
Cvss Impact Score | 10 | Attack Complexity | Medium
Cvss Exploit Score | 8.6 | Authentication | None Required
Detail
A security issue was identified and fixed in Mozilla Firefox: Mozilla security researcher moz_bug_r_a4 reported a regression where security wrappers are unwrapped without a security check in defaultValue(). This can allow improper access to the Location object. In versions 15 and earlier of the affected products, there was also the potential for arbitrary code execution (CVE-2012-4193). The Mozilla Firefox packages have been upgraded to the latest version, which is unaffected by this security flaw.
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2012:167
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-346 | Origin Validation Error |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:16786

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:16786
Title | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | windows
Class | vulnerability
Reference(s) | CVE-2012-4193
Version | 21
Platform(s) | Microsoft Windows 7, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows Server 2003, Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows 8, Microsoft Windows Server 2012
Product(s) | Mozilla Firefox, Mozilla Thunderbird, Mozilla SeaMonkey, Mozilla Firefox ESR, Mozilla Thunderbird ESR
Definition Id: oval:org.mitre.oval:def:18116

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:18116
Title | USN-1611-1 -- thunderbird vulnerabilities
Description | Several security issues were fixed in Thunderbird.
Family | unix
Class | patch
Reference(s) | USN-1611-1, CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989, CVE-2012-4191, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-4184, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188, CVE-2012-4192, CVE-2012-4193
Version | 7
Platform(s) | Ubuntu 12.04, Ubuntu 11.10, Ubuntu 11.04, Ubuntu 10.04
Product(s) | thunderbird
Definition Id: oval:org.mitre.oval:def:21341

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:21341
Title | RHSA-2012:1361: xulrunner security update (Critical)
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | unix
Class | patch
Reference(s) | RHSA-2012:1361-01, CESA-2012:1361, CVE-2012-4193
Version | 4
Platform(s) | Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, CentOS Linux 5, CentOS Linux 6
Product(s) | xulrunner
Definition Id: oval:org.mitre.oval:def:21545

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:21545
Title | RHSA-2012:1362: thunderbird security update (Critical)
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | unix
Class | patch
Reference(s) | RHSA-2012:1362-01, CESA-2012:1362, CVE-2012-4193
Version | 4
Platform(s) | Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 5, CentOS Linux 5, CentOS Linux 6
Product(s) | thunderbird
Definition Id: oval:org.mitre.oval:def:23004

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:23004
Title | DEPRECATED: ELSA-2012:1361: xulrunner security update (Critical)
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | unix
Class | patch
Reference(s) | ELSA-2012:1361-01, CVE-2012-4193
Version | 7
Platform(s) | Oracle Linux 5, Oracle Linux 6
Product(s) | xulrunner
Definition Id: oval:org.mitre.oval:def:23099

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:23099
Title | ELSA-2012:1361: xulrunner security update (Critical)
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | unix
Class | patch
Reference(s) | ELSA-2012:1361-01, CVE-2012-4193
Version | 6
Platform(s) | Oracle Linux 5, Oracle Linux 6
Product(s) | xulrunner
Definition Id: oval:org.mitre.oval:def:23105

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:23105
Title | DEPRECATED: ELSA-2012:1362: thunderbird security update (Critical)
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | unix
Class | patch
Reference(s) | ELSA-2012:1362-01, CVE-2012-4193
Version | 7
Platform(s) | Oracle Linux 6, Oracle Linux 5
Product(s) | thunderbird
Definition Id: oval:org.mitre.oval:def:23952

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:23952
Title | ELSA-2012:1362: thunderbird security update (Critical)
Description | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Family | unix
Class | patch
Reference(s) | ELSA-2012:1362-01, CVE-2012-4193
Version | 6
Platform(s) | Oracle Linux 6, Oracle Linux 5
Product(s) | thunderbird
Definition Id: oval:org.mitre.oval:def:26871

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:26871
Title | DEPRECATED: ELSA-2012-1362 -- thunderbird security update (critical)
Description | [10.0.8-2.0.1.el6_3] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js - Replace clean.gif in tarball [10.0.8-2] - Added patches from 10.0.9 ESR
Family | unix
Class | patch
Reference(s) | ELSA-2012-1362, CVE-2012-4193
Version | 4
Platform(s) | Oracle Linux 5, Oracle Linux 6
Product(s) | thunderbird
Definition Id: oval:org.mitre.oval:def:27077

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:27077
Title | DEPRECATED: ELSA-2012-1361 -- xulrunner security update (critical)
Description | [10.0.8-2.0.1.el6_3] - Replace xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js [10.0.8-2] - Added patches from 10.0.9 ESR
Family | unix
Class | patch
Reference(s) | ELSA-2012-1361, CVE-2012-4193
Version | 4
Platform(s) | Oracle Linux 5, Oracle Linux 6
Product(s) | xulrunner
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File
---|---|---
2012-12-13 | SuSE Update for MozillaFirefox openSUSE-SU-2012:1345-1 (MozillaFirefox) | nvt/gb_suse_2012_1345_1.nasl
2012-10-16 | CentOS Update for xulrunner CESA-2012:1361 centos5 | nvt/gb_CESA-2012_1361_xulrunner_centos5.nasl
2012-10-16 | CentOS Update for xulrunner CESA-2012:1361 centos6 | nvt/gb_CESA-2012_1361_xulrunner_centos6.nasl
2012-10-16 | CentOS Update for thunderbird CESA-2012:1362 centos5 | nvt/gb_CESA-2012_1362_thunderbird_centos5.nasl
2012-10-16 | CentOS Update for thunderbird CESA-2012:1362 centos6 | nvt/gb_CESA-2012_1362_thunderbird_centos6.nasl
2012-10-16 | RedHat Update for xulrunner RHSA-2012:1361-01 | nvt/gb_RHSA-2012_1361-01_xulrunner.nasl
2012-10-16 | RedHat Update for thunderbird RHSA-2012:1362-01 | nvt/gb_RHSA-2012_1362-01_thunderbird.nasl
2012-10-16 | Ubuntu Update for thunderbird USN-1611-1 | nvt/gb_ubuntu_USN_1611_1.nasl
2012-10-15 | Mozilla Firefox Security Bypass Vulnerabilities - Oct 12 (Mac OS X) | nvt/gb_mozilla_prdts_sec_bypass_vuln_oct12_macosx.nasl
2012-10-15 | Mozilla Firefox Security Bypass Vulnerabilities - Oct 12 (Windows) | nvt/gb_mozilla_prdts_sec_bypass_vuln_oct12_win.nasl
2012-10-13 | FreeBSD Ports: firefox | nvt/freebsd_firefox70.nasl
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2015-05-20 | The remote SUSE host is missing one or more security updates. | suse_SU-2012-1351-1.nasl | ACT_GATHER_INFO
2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2012-709.nasl | ACT_GATHER_INFO
2013-07-12 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2012-1362.nasl | ACT_GATHER_INFO
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2012-1361.nasl | ACT_GATHER_INFO
2013-01-25 | The remote SuSE 11 host is missing one or more security updates. | suse_11_firefox-201210-121015.nasl | ACT_GATHER_INFO
2013-01-08 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201301-01.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Windows host contains a mail client that is potentially affected b... | mozilla_thunderbird_1601.nasl | ACT_GATHER_INFO
2012-10-17 | The remote SuSE 10 host is missing a security-related patch. | suse_firefox-201210-8327.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Windows host contains a web browser that is affected by multiple v... | seamonkey_2131.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Windows host contains a mail client that is potentially affected b... | mozilla_thunderbird_1009.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Windows host contains a web browser that is affected by multiple v... | mozilla_firefox_1601.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Windows host contains a web browser that is affected by multiple v... | mozilla_firefox_1009.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Mac OS X host contains a mail client that is potentially affected ... | macosx_thunderbird_16_0_1.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Mac OS X host contains a mail client that is potentially affected ... | macosx_thunderbird_10_0_9.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Mac OS X host contains a web browser that is affected by multiple ... | macosx_firefox_16_0_1.nasl | ACT_GATHER_INFO
2012-10-17 | The remote Mac OS X host contains a web browser that is affected by multiple ... | macosx_firefox_10_0_9.nasl | ACT_GATHER_INFO
2012-10-16 | The remote Scientific Linux host is missing one or more security updates. | sl_20121012_xulrunner_on_SL5_x.nasl | ACT_GATHER_INFO
2012-10-15 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2012-1361.nasl | ACT_GATHER_INFO
2012-10-15 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2012-1361.nasl | ACT_GATHER_INFO
2012-10-15 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2012-1362.nasl | ACT_GATHER_INFO
2012-10-15 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-1611-1.nasl | ACT_GATHER_INFO
2012-10-15 | The remote CentOS host is missing a security update. | centos_RHSA-2012-1362.nasl | ACT_GATHER_INFO
2012-10-11 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_6e5a9afd12d311e2b47dc8600054b392.nasl | ACT_GATHER_INFO