| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.9 | $5k-$25k | 0.15 |
Summary
A vulnerability, which was classified as critical, was found in Mozilla Firefox and Thunderbird 16. Affected by this vulnerability is the function defaultValue. The manipulation results in security check.
This vulnerability is identified as CVE-2012-4193. The attack can be executed remotely. There is not any exploit available.
You should upgrade the affected component.
Details
A vulnerability was found in Mozilla Firefox and Thunderbird 16 (Web Browser). It has been classified as critical. Affected is the function defaultValue. The manipulation with an unknown input leads to a security check vulnerability. CWE is classifying the issue as CWE-358. The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
The weakness was released 10/10/2012 by moz_bug_r_a4 with Mozilla as MFSA 2012-89 as not defined advisory (Website). The advisory is available at mozilla.org. The public release was coordinated with the vendor. This vulnerability is traded as CVE-2012-4193 since 08/08/2012. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 10/22/2024). This vulnerability is assigned to T1211 by the MITRE ATT&CK project.
The vulnerability scanner Nessus provides a plugin with the ID 68638 (Oracle Linux 5 / 6 : xulrunner (ELSA-2012-1361)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 121254 (Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities (MFSA 2012-88 through MFSA 2012-89)).
Upgrading eliminates this vulnerability. The upgrade is hosted for download at mozilla.org. A possible mitigation has been published 1 days after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (79197), Tenable (68638), SecurityFocus (BID 56155†), OSVDB (86128†) and Secunia (SA50904†). Entries connected to this vulnerability are available at VDB-6663 and VDB-6665. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.6VulDB Meta Temp Score: 4.9
VulDB Base Score: 5.6
VulDB Temp Score: 4.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Security checkCWE: CWE-358
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 68638
Nessus Name: Oracle Linux 5 / 6 : xulrunner (ELSA-2012-1361)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 72477
OpenVAS Name: FreeBSD Ports: firefox
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: mozilla.org
McAfee IPS: 🔍
McAfee IPS Version: 🔍
PaloAlto IPS: 🔍
Timeline
08/08/2012 🔍10/10/2012 🔍
10/11/2012 🔍
10/11/2012 🔍
10/11/2012 🔍
10/11/2012 🔍
10/11/2012 🔍
10/12/2012 🔍
10/12/2012 🔍
10/14/2012 🔍
07/12/2013 🔍
10/22/2024 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: MFSA 2012-89
Researcher: moz_bug_r_a4
Organization: Mozilla
Status: Not defined
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2012-4193 (🔍)
GCVE (CVE): GCVE-0-2012-4193
GCVE (VulDB): GCVE-100-6666
OVAL: 🔍
X-Force: 79197 - Mozilla Firefox location security bypass, Medium Risk
SecurityFocus: 56155
Secunia: 50904 - Ubuntu update for thunderbird, Highly Critical
OSVDB: 86128
SecurityTracker: 1027643 - Mozilla Firefox Lets Remote Users Execute Arbitrary Code or Obtain Recently Visited URLs to Remote Users
Vulnerability Center: 36500 - Mozilla Firefox, Thunderbird and SeaMonkey Allow Same Origin Policy Bypass - CVE-2012-4193, Medium
See also: 🔍
Entry
Created: 10/12/2012 15:10Updated: 10/22/2024 03:28
Changes: 10/12/2012 15:10 (88), 01/31/2018 09:54 (8), 04/18/2021 09:38 (4), 04/18/2021 09:44 (1), 10/22/2024 03:28 (19)
Complete: 🔍
Committer:
Cache ID: 216:599:103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.