CVSS: 6.9EPSS: 0%CPEs: 184EXPL: 0CVE-2012-4206
https://notcve.org/view.php?id=CVE-2012-4206
Untrusted search path vulnerability in the installer in Mozilla Firefox before 17.0 and Firefox ESR 10.x before 10.0.11 on Windows allows local users to gain privileges via a Trojan horse DLL in the default downloads directory. Vulnerabilidad de no confianza de ruta de búsqueda en el instalador de Mozilla Firefox anterior a v17.0 y Firefox ESR v10.x anterior a v10.0.11 en Windows permite a usuarios locales obtener privilegios a través de un troyano DLL en el directorio predeterminado de descargas. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html http://www.mozilla.org/security/announce/2012/mfsa2012-98.html https://bugzilla.mozilla.org/show_bug.cgi?id=792106 https://exchange.xforce.ibmcloud.com/vulnerabilities/80176 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16991 •
CVSS: 6.8EPSS: 0%CPEs: 171EXPL: 0CVE-2012-5837
https://notcve.org/view.php?id=CVE-2012-5837
The Web Developer Toolbar in Mozilla Firefox before 17.0 executes script with chrome privileges, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string. Web Developer Toolbar en Mozilla Firefox antes de v17.0 ejecuta comandos con privilegios de chrome, que permite a atacantes remotos asistidos por el usuario para realizar ataques de ejecución de secuencias de comandos en sitios cruzados (XSS) a través de una cadena de caracteres manipulada. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html http://osvdb.org/87586 http://secunia.com/advisories/51369 http://secunia.com/advisories/51434 http://secunia.com/advisories/51439 http://www. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 17EXPL: 0CVE-2012-4205
https://notcve.org/view.php?id=CVE-2012-4205
Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on. Mozilla Firefox antes de v17.0 Thunderbird antes de v17.0 y SeaMonkey antes v2.14, asigna el principal sistema, en lugar del entorno de seguridad, a los objetos XMLHttpRequest creados en entornos controlados, lo que permite a atacantes remotos realizar falsificación de peticiones en sitios cruzados (CSRF) u obtener información sensible mediante el aprovechamiento del complemento de entorno controlado. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html http://secunia.com/advisories/51369 http://secunia.com/advisories/51370 http://secunia.com/advisories/51381 http://secunia.com/advisories/51434 http:& • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 17EXPL: 0CVE-2012-4208
https://notcve.org/view.php?id=CVE-2012-4208
The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site. La implementación XrayWrapper en Mozilla Firefox anterior a v17.0, Thunderbird anterior a v17.0, y SeaMonkey anterior a v2.14 no considera el compartimiento durante la característica de filtrado, permitiendo a atacantes remotos eludir las restricciones chrome-only sobre la lectura de propiedades de objetos DOM mediante un sitio manipulado. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html http://secunia.com/advisories/51369 http://secunia.com/advisories/51370 http://secunia.com/advisories/51381 http://secunia.com/advisories/51434 http:& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 5%CPEs: 171EXPL: 0CVE-2012-4203
https://notcve.org/view.php?id=CVE-2012-4203
The New Tab page in Mozilla Firefox before 17.0 uses a privileged context for execution of JavaScript code by bookmarklets, which allows user-assisted remote attackers to run arbitrary programs by leveraging a javascript: URL in a bookmark. Página en nueva pestaña en Mozilla Firefox antes de v17.0, utiliza un contexto con privilegios elevados para la ejecución de código javascript de bookmarklets, lo que permite a atacantes remotos asistidos por el usuario ejecutar programas arbitrarios mediante el aprovechamiento de una javascript: URL de un marcador. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html http://secunia.com/advisories/51369 http://secunia.com/advisories/51434 http://secunia.com/advisories/51439 http://www.mozilla.org/security/announce/2012/mfsa2012-95.html http://www.securityfocus.com/bid/56623 http • CWE-264: Permissions, Privileges, and Access Controls •