Vulnerability Details : CVE-2012-0455
Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2012-0455
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:beta5:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:10.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:10.0.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-0455
0.34%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-0455
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2012-0455
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0455
-
http://rhn.redhat.com/errata/RHSA-2012-0387.html
RHSA-2012:0387 - Security Advisory - Red Hat Customer Portal
-
http://www.ubuntu.com/usn/USN-1400-4
USN-1400-4: Thunderbird regressions | Ubuntu security noticesThird Party Advisory
-
http://secunia.com/advisories/48920
Sign inThird Party Advisory
-
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
XSS with Drag and Drop and Javascript: URL — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=704354
704354 - (CVE-2012-0455) "DragAndDropJacking" (?) + javAscript: URL = XSSIssue Tracking;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html
[security-announce] SUSE-SU-2012:0424-1: critical: Security update for M
-
http://secunia.com/advisories/48495
Sign inThird Party Advisory
-
http://www.ubuntu.com/usn/USN-1400-2
USN-1400-2: ubufox update | Ubuntu security noticesThird Party Advisory
-
http://www.ubuntu.com/usn/USN-1400-3
USN-1400-3: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.securitytracker.com/id?1026803
Mozilla Seamonkey Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks - SecurityTracker
-
http://www.securitytracker.com/id?1026804
Mozilla Thunderbird Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks - SecurityTracker
-
http://www.mandriva.com/security/advisories?name=MDVSA-2012:032
mandriva.com
-
http://secunia.com/advisories/48553
Sign inThird Party Advisory
-
http://secunia.com/advisories/48823
Sign inThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00015.html
[security-announce] SUSE-SU-2012:0425-1: critical: Security update for M
-
http://www.ubuntu.com/usn/USN-1400-5
USN-1400-5: GSettings desktop schemas regression | Ubuntu security noticesThird Party Advisory
-
http://secunia.com/advisories/48496
Sign inThird Party Advisory
-
http://secunia.com/advisories/48414
Sign in
-
http://secunia.com/advisories/48359
Sign in
-
http://rhn.redhat.com/errata/RHSA-2012-0388.html
RHSA-2012:0388 - Security Advisory - Red Hat Customer Portal
-
http://www.mandriva.com/security/advisories?name=MDVSA-2012:031
mandriva.com
-
http://secunia.com/advisories/48561
Runtime ErrorThird Party Advisory
-
http://secunia.com/advisories/48629
Sign inThird Party Advisory
-
http://secunia.com/advisories/48402
Sign in
-
http://www.securityfocus.com/bid/52458
Mozilla Firefox, Thunderbird, and SeaMonkey Drag and Drop Cross Site Scripting Vulnerability
-
http://www.ubuntu.com/usn/USN-1401-1
USN-1401-1: Xulrunner vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html
openSUSE-SU-2012:0417-1: moderate: update for MozillaFirefox, MozillaThuMailing List;Third Party Advisory
-
http://www.securitytracker.com/id?1026801
Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks - SecurityTracker
-
http://secunia.com/advisories/48624
Sign inThird Party Advisory
-
http://www.debian.org/security/2012/dsa-2433
Debian -- Security Information -- DSA-2433-1 iceweaselThird Party Advisory
-
http://secunia.com/advisories/48513
Sign inThird Party Advisory
-
http://www.ubuntu.com/usn/USN-1400-1
USN-1400-1: Firefox vulnerabilities | Ubuntu security notices
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14829
Repository / Oval RepositoryThird Party Advisory
-
http://www.debian.org/security/2012/dsa-2458
Debian -- Security Information -- DSA-2458-2 iceape
Jump to