Executive Summary
Summary | |
---|---|
Title | Firefox vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1620-1 | First vendor Publication | 2012-10-26 |
Vendor | Ubuntu | Last vendor Modification | 2012-10-26 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 5.1 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | High |
Cvss Expoit Score | 4.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Mariusz Mlynski and others discovered several flaws in Firefox that allowed a remote attacker to conduct cross-site scripting (XSS) attacks. (CVE-2012-4194, CVE-2012-4195) Antoine Delignat-Lavaud discovered a flaw in the way Firefox handled the Location object. If a user were tricked into opening a specially crafted page, a remote attacker could exploit this to bypass security protections and perform cross-origin reading of the Location object. (CVE-2012-4196) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.10: Ubuntu 12.04 LTS: Ubuntu 11.10: Ubuntu 11.04: Ubuntu 10.04 LTS: After a standard system update you need to restart Firefox to make all the necessary changes. References: Package Information: https://launchpad.net/ubuntu/+source/firefox/16.0.2+build1-0ubuntu0.12.10.1 https://launchpad.net/ubuntu/+source/firefox/16.0.2+build1-0ubuntu0.12.04.1 https://launchpad.net/ubuntu/+source/firefox/16.0.2+build1-0ubuntu0.11.10.1 https://launchpad.net/ubuntu/+source/firefox/16.0.2+build1-0ubuntu0.11.04.1 https://launchpad.net/ubuntu/+source/firefox/16.0.2+build1-0ubuntu0.10.04.1 |
Original Source
Url : http://www.ubuntu.com/usn/USN-1620-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
33 % | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:16856 | |||
Oval ID: | oval:org.mitre.oval:def:16856 | ||
Title: | The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. | ||
Description: | The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4195 | Version: | 22 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey Mozilla Firefox ESR Mozilla Thunderbird ESR |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:16918 | |||
Oval ID: | oval:org.mitre.oval:def:16918 | ||
Title: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4194 | Version: | 21 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey Mozilla Firefox ESR Mozilla Thunderbird ESR |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:16962 | |||
Oval ID: | oval:org.mitre.oval:def:16962 | ||
Title: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4196 | Version: | 21 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey Mozilla Firefox ESR Mozilla Thunderbird ESR |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18095 | |||
Oval ID: | oval:org.mitre.oval:def:18095 | ||
Title: | USN-1620-1 -- firefox vulnerabilities | ||
Description: | Several security issues were fixed in Firefox. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1620-1 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04 | Product(s): | firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18153 | |||
Oval ID: | oval:org.mitre.oval:def:18153 | ||
Title: | USN-1620-2 -- thunderbird vulnerabilities | ||
Description: | Several security issues were fixed in Thunderbird. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1620-2 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 | Product(s): | thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20689 | |||
Oval ID: | oval:org.mitre.oval:def:20689 | ||
Title: | RHSA-2012:1407: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1407-01 CESA-2012:1407 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20823 | |||
Oval ID: | oval:org.mitre.oval:def:20823 | ||
Title: | RHSA-2012:1413: thunderbird security update (Important) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1413-01 CESA-2012:1413 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23050 | |||
Oval ID: | oval:org.mitre.oval:def:23050 | ||
Title: | DEPRECATED: ELSA-2012:1413: thunderbird security update (Important) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1413-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 18 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23274 | |||
Oval ID: | oval:org.mitre.oval:def:23274 | ||
Title: | DEPRECATED: ELSA-2012:1407: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1407-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 18 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23409 | |||
Oval ID: | oval:org.mitre.oval:def:23409 | ||
Title: | ELSA-2012:1407: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1407-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 17 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23959 | |||
Oval ID: | oval:org.mitre.oval:def:23959 | ||
Title: | ELSA-2012:1413: thunderbird security update (Important) | ||
Description: | Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1413-01 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 17 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27126 | |||
Oval ID: | oval:org.mitre.oval:def:27126 | ||
Title: | DEPRECATED: ELSA-2012-1407 -- firefox security update (critical) | ||
Description: | firefox [10.0.10-1.0.1.el6_3] - Replaced firefox-redhat-default-prefs.js with firefox-oracle-default-prefs.js [10.0.10-1] - Update to 10.0.10 ESR [10.0.8-2] - Fixed rhbz#865284 - add the storage.nfs_filesystem config key to property list - disable OOP for wrapped plugins (nspluginwrapper) xulrunner [10.0.10-1.0.1.el6_3] - Replaced xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js [10.0.10-1] - Added patches from 10.0.10 ESR | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1407 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27771 | |||
Oval ID: | oval:org.mitre.oval:def:27771 | ||
Title: | DEPRECATED: ELSA-2012-1413 -- thunderbird security update (important) | ||
Description: | [10.0.10-1.0.1.el6_3] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [10.0.10-1] - Update to 10.0.10 ESR | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1413 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-12-13 | Name : SuSE Update for Mozilla Suite openSUSE-SU-2012:1412-1 (Mozilla Suite) File : nvt/gb_suse_2012_1412_1.nasl |
2012-11-02 | Name : CentOS Update for thunderbird CESA-2012:1413 centos5 File : nvt/gb_CESA-2012_1413_thunderbird_centos5.nasl |
2012-11-02 | Name : CentOS Update for thunderbird CESA-2012:1413 centos6 File : nvt/gb_CESA-2012_1413_thunderbird_centos6.nasl |
2012-11-02 | Name : RedHat Update for thunderbird RHSA-2012:1413-01 File : nvt/gb_RHSA-2012_1413-01_thunderbird.nasl |
2012-11-02 | Name : Mozilla Firefox Multiple Vulnerabilities - November12 (Mac OS X) File : nvt/gb_mozilla_prdts_mult_vuln_nov12_macosx.nasl |
2012-11-02 | Name : Mozilla Firefox Multiple Vulnerabilities - November12 (Windows) File : nvt/gb_mozilla_prdts_mult_vuln_nov12_win.nasl |
2012-10-31 | Name : Ubuntu Update for thunderbird USN-1620-2 File : nvt/gb_ubuntu_USN_1620_2.nasl |
2012-10-29 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox71.nasl |
2012-10-29 | Name : CentOS Update for firefox CESA-2012:1407 centos5 File : nvt/gb_CESA-2012_1407_firefox_centos5.nasl |
2012-10-29 | Name : CentOS Update for firefox CESA-2012:1407 centos6 File : nvt/gb_CESA-2012_1407_firefox_centos6.nasl |
2012-10-29 | Name : RedHat Update for firefox RHSA-2012:1407-01 File : nvt/gb_RHSA-2012_1407-01_firefox.nasl |
2012-10-29 | Name : Ubuntu Update for firefox USN-1620-1 File : nvt/gb_ubuntu_USN_1620_1.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-745.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2012-1413.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1407.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox-201210b-121029.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
2012-11-14 | Name : The remote Fedora host is missing a security update. File : fedora_2012-17841.nasl - Type : ACT_GATHER_INFO |
2012-11-01 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_firefox-201210b-8348.nasl - Type : ACT_GATHER_INFO |
2012-10-31 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2012-1413.nasl - Type : ACT_GATHER_INFO |
2012-10-31 | Name : The remote Scientific Linux host is missing a security update. File : sl_20121029_thunderbird_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-10-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1413.nasl - Type : ACT_GATHER_INFO |
2012-10-30 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1620-2.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_10010.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_1602.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_10010.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_1602.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_16_0_2.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_10_0_10.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1407.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : seamonkey_2132.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_16_0_2.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_10_0_10.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6b3b1b97207c11e2a03fc8600054b392.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1620-1.nasl - Type : ACT_GATHER_INFO |
2012-10-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1407.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:01:00 |
|