
CVSS: 4.3 • EPSS: 0% • CPEs: 328 • EXPL: 0

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.

• http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00028.html
• http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00014.html
• http://rhn.redhat.com/errata/RHSA-2012-1351.html
• http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
• http://www.securityfocus.com/bid/55260
• http://www.ubuntu.com/usn/USN-1548-1
• http://www.ubuntu.com/usn/USN-1548-2
• https://bugzilla.mozilla.org&#x
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 • EPSS: 0% • CPEs: 115 • EXPL: 0

The qcms_transform_data_rgb_out_lut_sse2 function in the QCMS implementation in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 might allow remote attackers to obtain sensitive information from process memory via a crafted color profile that triggers an out-of-bounds read operation.

• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
• http://osvdb.org/84010
• http://secunia.com/advisories/49965
• http://secunia.com/advisories/49968
• http://secunia.com/advisories/49972
• http://secunia.com/advisories/49993
• http://secunia.com/advisori
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.3 • EPSS: 4% • CPEs: 115 • EXPL: 0

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
• http://osvdb.org/84006
• http://secunia.com/advisories/49965
• http://secunia.com/advisories/49968
• http://secunia.com/advisories/49972
• http://secunia.com/advisories/49992
• http://secunia.com/advisori

CVSS: 6.8 • EPSS: 2% • CPEs: 127 • EXPL: 0

Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allow remote attackers to spoof the address bar via vectors involving history.forward and history.back calls.

• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
• http://osvdb.org/83996
• http://rhn.redhat.com/errata/RHSA-2012-1088.html
• http://secunia.com/advisories/49965
• http://secunia.com/advisories/49968
• http://secunia.com/advisories/49972
• http://

CVSS: 4.3 • EPSS: 0% • CPEs: 127 • EXPL: 0

An unspecified parser-utility class in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly handle EMBED elements within description elements in RSS feeds, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a feed.

• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
• http://osvdb.org/84000
• http://rhn.redhat.com/errata/RHSA-2012-1088.html
• http://secunia.com/advisories/49965
• http://secunia.com/advisories/49968
• http://secunia.com/advisories/49972
• http://
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')