CVSS: 6.8EPSS: 2%CPEs: 22EXPL: 1CVE-2012-4193 – Mozilla: defaultValue security checks not applied (MFSA 2012-89)
https://notcve.org/view.php?id=CVE-2012-4193
Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. Mozilla Firefox anteriores a v16.0.1, Firefox ESR v10.x anteriores a v10.0.9, Thunderbird anteriores a v16.0.1, Thunderbird ESR v10.x anteriores a v10.0.9, y SeaMonkey anteriores a v2.13.1 omite un chekeo de seguridad en la función defaultValue durante el desempaqueta de una envoltura de seguridad, lo que permite a atacantes remotos evitar la política "Same Origin Policy" y leer las propiedades del objeto Location, or ejecutar código JavaScript a través de un sitio Web moficado. • http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html http://rhn.redhat.com/errata/RHSA-2012-1361.html http://rhn.redhat.com/errata/RHSA-2012-1362.html http://secunia.com/advisories/50904 http://secunia.com/advisories/50906 http://secunia.com/advisories/50907 http://secunia.com/advisories/50964 http://secunia.com/advisories/50984 http://secunia.com/advisories/55318 http://www.mozilla.org/security/announce/2012/mfsa2012-89.html http://www.ubuntu.com/ • CWE-346: Origin Validation Error •
CVSS: 9.3EPSS: 4%CPEs: 7EXPL: 0CVE-2012-4191
https://notcve.org/view.php?id=CVE-2012-4191
The mozilla::net::FailDelayManager::Lookup function in the WebSockets implementation in Mozilla Firefox before 16.0.1, Thunderbird before 16.0.1, and SeaMonkey before 2.13.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. La función mozilla::net::FailDelayManager::Lookup en la implementación de WebSockets en Mozilla Firefox anteriores a v16.0.1, Thunderbird anteriores a v16.0.1, y SeaMonkey anteiores a v2.13.1 permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de la aplicación) o posiblemente ejecutar comandos a travésd e vectores no especificados. • http://osvdb.org/86125 http://secunia.com/advisories/50904 http://secunia.com/advisories/50929 http://secunia.com/advisories/50984 http://www.mozilla.org/security/announce/2012/mfsa2012-88.html http://www.securitytracker.com/id?1027653 http://www.ubuntu.com/usn/USN-1608-1 http://www.ubuntu.com/usn/USN-1611-1 https://bugzilla.mozilla.org/show_bug.cgi?id=798045 https://exchange.xforce.ibmcloud.com/vulnerabilities/79209 https://oval.cisecurity.org/repository/search/definitio • CWE-787: Out-of-bounds Write •
CVSS: 6.8EPSS: 1%CPEs: 3EXPL: 0CVE-2012-5354
https://notcve.org/view.php?id=CVE-2012-5354
Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has multiple menus of SELECT elements active, which allows remote attackers to conduct clickjacking attacks via vectors involving an XPI file, the window.open method, and the Geolocation API, a different vulnerability than CVE-2012-3984. Mozilla Firefox anteriores a v16.0, Thunderbird anteriores a v16.0 y SeaMonkey anteriores a v2.13 no manejan apropiadamente la navegación fuera de una página web que tenga múltiples menús de elementos SELECT activos, permitiendo a atacantes remotos realizar ataques de clickjacking mediante vectores relacionados con un fichero XPI, el método window.open y la API de geo-localización, siendo una vulnerabilidad diferente que CVE-2012-3984. • http://osvdb.org/86171 http://secunia.com/advisories/50856 http://secunia.com/advisories/50935 http://www.mozilla.org/security/announce/2012/mfsa2012-75.html https://bugzilla.mozilla.org/show_bug.cgi?id=726264 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16972 •
CVSS: 6.8EPSS: 0%CPEs: 22EXPL: 0CVE-2012-4184 – Mozilla: Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties (MFSA 2012-83)
https://notcve.org/view.php?id=CVE-2012-4184
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not prevent access to properties of a prototype for a standard class, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site. La implementación Chrome Object Wrapper (COW) en Mozilla Firefox v16.0, Firefox ESR v10.x antes de v10.0.8, Thunderbird antes de v16.0, Thunderbird ESR v10.x antes de v10.0.8, y SeaMonkey antes de v2.13, no previene el acceso a las propiedades de un prototipo para una clase estandar, lo que permite a atacantes remotos ejecutar código JavaScript de su elección con privilegios chrome a través de una pagina web manipulada. • http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html http://osvdb.org/86113 http://rhn.redhat.com/errata/RHSA-2012-1351.html http://secunia.com/advisories/50892 http://secunia.com/advisories/50904 http://secunia.com/advisories/50984 http://secunia.com/advisories/55318 http://www.mandriva.com/security/advisories?name=MDVSA-2012:163 http://www.mozilla.org/security/announce/2012/mfsa2012-83.html http://www.securityfocus.com/bid/56120 http://www.ubuntu.c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 1%CPEs: 12EXPL: 0CVE-2012-3984
https://notcve.org/view.php?id=CVE-2012-3984
Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has a SELECT element's menu active, which allows remote attackers to spoof page content via vectors involving absolute positioning and scrolling. Mozilla Firefox v16.0, Thunderbird antes de v16.0, y SeaMonkey antes de v2.13, no controla correctamente la navegación más allá de una página web que tiene activo un elemento de menú SELECT, lo que permite a atacantes remotos falsificar contenido de la página a través de vectores relacionados con el posicionamiento absoluto y el desplazamiento. • http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html http://secunia.com/advisories/50856 http://secunia.com/advisories/50892 http://secunia.com/advisories/50904 http://secunia.com/advisories/50935 http://secunia.com/advisories/50984 http://www.mozilla.org/security/announce/2012/mfsa2012-75.html http://www.ubuntu.com/usn/USN-1611-1 https://bugzilla.mozilla.org/show_bug.cgi?id=575294 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova •