First published: Wed Nov 21 2012(Updated: )
The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox | <17.0 | |
Mozilla Firefox | >=10.0<10.0.11 | |
Mozilla SeaMonkey | <2.14 | |
Mozilla Thunderbird | <17.0 | |
Mozilla Thunderbird ESR | >=10.0<10.0.11 | |
openSUSE | =11.4 | |
openSUSE | =12.1 | |
openSUSE | =12.2 | |
SUSE Linux Enterprise Desktop with Beagle | =10-sp4 | |
SUSE Linux Enterprise Desktop with Beagle | =11-sp2 | |
SUSE Linux Enterprise Server | =10-sp4 | |
SUSE Linux Enterprise Server | =11-sp2 | |
suse linux enterprise server vmware | =11-sp2 | |
SUSE Linux Enterprise Software Development Kit | =10-sp4 | |
SUSE Linux Enterprise Software Development Kit | =11-sp2 | |
redhat enterprise Linux desktop | =5.0 | |
redhat enterprise Linux desktop | =6.0 | |
redhat enterprise Linux eus | =6.3 | |
redhat enterprise Linux server | =5.0 | |
redhat enterprise Linux server | =6.0 | |
redhat enterprise Linux workstation | =5.0 | |
redhat enterprise Linux workstation | =6.0 | |
Ubuntu | =10.04 | |
Ubuntu | =11.10 | |
Ubuntu | =12.04 | |
Ubuntu | =12.10 | |
Debian | =6.0 | |
Debian | =7.0 | |
Mozilla Firefox ESR | >=10.0<10.0.11 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2012-4201 has a moderate severity level as it can lead to security issues in affected versions of Mozilla products.
To fix CVE-2012-4201, update your Mozilla Firefox, Thunderbird, or SeaMonkey to the latest version.
CVE-2012-4201 affects Mozilla Firefox prior to version 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14.
Yes, CVE-2012-4201 can potentially be exploited remotely through crafted JavaScript code.
CVE-2012-4201 impacts multiple operating systems including openSUSE, Ubuntu, Red Hat, and Debian running affected versions of Mozilla software.