Cross-site scripting in Firefox ESR - CVE-2012-3994

 


Published: October 10, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU43405
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-3994
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Firefox ESR

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to conduct cross-site scripting (XSS) attacks via a binary plugin that uses Object.defineProperty to shadow the top object, and leverages the relationship between top.location and the location property.


How to mitigate CVE-2012-3994

Install the update from the vendor's website.
