CVSS: 4.3EPSS: 0%CPEs: 127EXPL: 0CVE-2012-1963 – Mozilla: Content Security Policy 1.0 implementation errors cause data leakage (MFSA 2012-53)
https://notcve.org/view.php?id=CVE-2012-1963
The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation. La Política de Seguridad de Contenidos (CSP) en Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6, y SeaMonkey antes de v2.11 no restringen adecuadamente las cadenas de texto que se colocan en el parámetro blocked-uri de un informe de violación, lo que permite capturar las credenciales de acceso OpenID y OAuth 2.0 a los servidores web remotos mediante la activación de una violación. • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/84005 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49965 http://secunia.com/advisories/49968 http://secunia.com/advisories/49972 http:// • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 126EXPL: 0CVE-2012-1964 – Mozilla: Clickjacking of certificate warning page (MFSA 2012-54)
https://notcve.org/view.php?id=CVE-2012-1964
The certificate-warning functionality in browser/components/certerror/content/aboutCertError.xhtml in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.10 does not properly handle attempted clickjacking of the about:certerror page, which allows man-in-the-middle attackers to trick users into adding an unintended exception via an IFRAME element. La funcionalidad de aviso de certificados en browser/components/certerror/content/aboutCertError.xhtml en Mozilla Firefox v4.x a v12.0, Firefox vESR 10.x antes de v10.0.6, Thunderbird v5.0 a v12.0, Thunderbird ESR v10.x antes de v10.0.6 y SeaMonkey antes de v2.10 no gestiona adecuadamente el intento de clickjacking (secuestro de clicks de raton) de la página about:certerror, lo que permite a atacantes man-in-the-middle engañar a los usuarios para añadir una excepción no deseada a través de un elemento IFRAME. • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://osvdb.org/84011 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49965 http://secunia.com/advisories/49972 http://secunia.com/advisories/49977 http://secunia.com/advisories/49979 http://secunia.com/advisories/49992 http:/&# •
CVSS: 6.8EPSS: 0%CPEs: 127EXPL: 0CVE-2012-1959 – Mozilla: Same-compartment Security Wrappers can be bypassed (MFSA 2012-49)
https://notcve.org/view.php?id=CVE-2012-1959
Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not consider the presence of same-compartment security wrappers (SCSW) during the cross-compartment wrapping of objects, which allows remote attackers to bypass intended XBL access restrictions via crafted content. Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6, y SeaMonkey antes de v2.11 no tienen en cuenta la presencia de contenedores de seguridad de mismo compartimento (SCSW - same-compartment security wrappers) durante el ajuste transversal de objetos, lo que permite a atacantes remotos eludir restricciones de acceso XBL a través de contenidos especificamente creados para este fin. • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/84002 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49965 http://secunia.com/advisories/49968 http://secunia.com/advisories/49972 http:// • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 2%CPEs: 127EXPL: 0CVE-2012-1967 – Mozilla: Code execution through javascript: URLs (MFSA 2012-56)
https://notcve.org/view.php?id=CVE-2012-1967
Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not properly implement the JavaScript sandbox utility, which allows remote attackers to execute arbitrary JavaScript code with improper privileges via a javascript: URL. Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6 y SeaMonkey antes de v2.11 no implementan adecuadamente la utilidad de caja de arena (sandbox) de Javascript, lo que permite ejecutar código JavaScript de su elección con privilegios indebidos a atacantes remotos a través de una URL javascript: . • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/84013 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49963 http://secunia.com/advisories/49964 http://secunia.com/advisories/49965 http:// •
CVSS: 9.3EPSS: 2%CPEs: 127EXPL: 0CVE-2012-1953 – Mozilla: Gecko memory corruption (MFSA 2012-44)
https://notcve.org/view.php?id=CVE-2012-1953
The ElementAnimations::EnsureStyleRuleFor function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (buffer over-read, incorrect pointer dereference, and heap-based buffer overflow) or possibly execute arbitrary code via a crafted web site. La función ElementAnimations::EnsureStyleRuleFor en Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6, y SeaMonkey antes de v2.11 permite a atacantes remotos causar una denegación de servicio (sobre-lectura de búfer, desreferencia a puntero nulo, y un desbordamiento de búfer basado en memoria dinámica 'heap') o posiblemente ejecutar código de su elección a través de un sitio web diseñado para tal fin. • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/83998 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49965 http://secunia.com/advisories/49968 http://secunia.com/advisories/49972 http:// • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •