Vulnerability Details: CVE-2012-4194
Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2012-4194
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:-:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:vmware:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:*
Threat overview for CVE-2012-4194
- Top countries where our scanners detected CVE-2012-4194
- Top open port discovered on systems with this issue: 8200
- IPs affected by CVE-2012-4194: 341
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2012-4194
- EPSS score: 0.44% (probability of exploitation activity in the next 30 days)
- Percentile: ~74% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2012-4194
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
CWE ids for CVE-2012-4194
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4194
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html : [security-announce] openSUSE-SU-2012:1412-1: important: Mozilla Suite: U (Mailing List; Third Party Advisory)
- http://secunia.com/advisories/51146 (Third Party Advisory)
- http://secunia.com/advisories/55318 (Third Party Advisory)
- http://www.securityfocus.com/bid/56301 : Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-4194 Cross Site Scripting Vulnerability (Third Party Advisory; VDB Entry)
- http://www.ubuntu.com/usn/USN-1620-1 : USN-1620-1: Firefox vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2012-1407.html : RHSA-2012:1407 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=800666 : 800666 - (CVE-2012-4194) Location can be spoofed using |valueOf| (Exploit; Issue Tracking; Patch; Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2012-1413.html : RHSA-2012:1413 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.mozilla.org/security/announce/2012/mfsa2012-90.html : Fixes for Location object issues - Mozilla (Vendor Advisory)
- http://secunia.com/advisories/51165 (Third Party Advisory)
- http://secunia.com/advisories/51147 (Third Party Advisory)
- http://secunia.com/advisories/51144 (Third Party Advisory)
- http://secunia.com/advisories/51123 (Third Party Advisory)
- http://secunia.com/advisories/51127 (Third Party Advisory)
- http://secunia.com/advisories/51121 (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html : [security-announce] SUSE-SU-2012:1426-1: important: Security update for (Mailing List; Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16918 : Repository / Oval Repository (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-1620-2 : USN-1620-2: Thunderbird vulnerabilities | Ubuntu security notices (Third Party Advisory)