Vulnerability Details : CVE-2012-1965
Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not properly establish the security context of a feed: URL, which allows remote attackers to bypass unspecified cross-site scripting (XSS) protection mechanisms via a feed:javascript: URL.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2012-1965
- cpe:2.3:a:mozilla:firefox:4.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:12.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:13.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:10.0.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-1965
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-1965
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2012-1965
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-1965
-
http://www.securityfocus.com/bid/54579
Mozilla Firefox CVE-2012-1965 Cross Site Scripting Vulnerability
-
http://rhn.redhat.com/errata/RHSA-2012-1088.html
RHSA-2012:1088 - Security Advisory - Red Hat Customer Portal
-
http://secunia.com/advisories/49992
Sign in
-
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
[security-announce] SUSE-SU-2012:0895-1: important: Security update for
-
http://secunia.com/advisories/49972
Sign in
-
http://www.ubuntu.com/usn/USN-1509-1
USN-1509-1: Firefox vulnerabilities | Ubuntu security notices
-
http://www.mozilla.org/security/announce/2012/mfsa2012-55.html
feed: URLs with an innerURI inherit security context of page — MozillaVendor Advisory
-
http://www.securitytracker.com/id?1027256
Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Spoof Web Sites, Obtain Information, and Conduct Cross-Site Scripting Attacks - SecurityTracker
-
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
[security-announce] openSUSE-SU-2012:0899-1: critical: MozillaFirefox to
-
http://secunia.com/advisories/49965
Sign in
-
http://secunia.com/advisories/49979
-
http://www.ubuntu.com/usn/USN-1509-2
USN-1509-2: ubufox update | Ubuntu security notices
-
https://bugzilla.mozilla.org/show_bug.cgi?id=758990
758990 - (CVE-2012-1965) Don't allow feed: URLs with an innerURI that inherits the page's security context
-
http://osvdb.org/84012
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17001
Repository / Oval Repository
-
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
[security-announce] SUSE-SU-2012:0896-1: important: Security update for
Jump to