CVE-2012-4193

Published: 11 October 2012

Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.

Priority

Medium

Status

Package           Release                          Status
firefox           Upstream                         Released (16.0.1)
                  Ubuntu 14.04 ESM (Trusty Tahr)   Not vulnerable (16.0+build1-0ubuntu1)
seamonkey         Upstream                         Released (2.13.1)
                  Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist
thunderbird       Upstream                         Released (16.0.1)
                  Ubuntu 14.04 ESM (Trusty Tahr)   Released (16.0.1+build1-0ubuntu1)
xulrunner-1.9.2   Upstream                         Needs triage
                  Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist
xulrunner-2.0     Upstream                         Needs triage
                  Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist

Notes

Author     Note
jdstrand   xulrunner-1.9.2 unmaintained upstream (see README.mozilla for details)
micahg     this CVE is for the pre-16 fix

References