Vulnerability Details : CVE-2012-4208
The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site.
Vulnerability category: Information leak
Products affected by CVE-2012-4208
- cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:-:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:vmware:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4208
0.47%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-4208
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2012-4208
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4208
-
http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html
openSUSE-SU-2012:1586-1: moderate: update for xulrunnerMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html
openSUSE-SU-2012:1585-1: moderate: update for MozillaThunderbirdMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html
openSUSE-SU-2012:1583-1: moderate: update for MozillaFirefoxMailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-1638-3
USN-1638-3: Firefox regressions | Ubuntu security noticesThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html
[security-announce] SUSE-SU-2012:1592-1: important: Security update forMailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-1638-1
USN-1638-1: Firefox vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.mozilla.org/security/announce/2012/mfsa2012-99.html
XrayWrappers exposes chrome-only properties when not in chrome compartment — MozillaVendor Advisory
-
http://www.ubuntu.com/usn/USN-1638-2
USN-1638-2: ubufox update | Ubuntu security noticesThird Party Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=798264
798264 - (CVE-2012-4208) Xrays for new DOM bindings need to filter properties based on their compartmentIssue Tracking;Patch;Vendor Advisory
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16695
Repository / Oval RepositoryThird Party Advisory
-
http://www.ubuntu.com/usn/USN-1636-1
USN-1636-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html
[security-announce] openSUSE-SU-2013:0175-1: important: security updateMailing List;Third Party Advisory
-
http://www.securityfocus.com/bid/56627
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-4208 Security Bypass VulnerabilityThird Party Advisory;VDB Entry
Jump to