CVE-2012-4205: CSRF
First published: Wed Nov 21 2012(Updated: )
Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <17.0 | |
| Mozilla SeaMonkey | <2.14 | |
| Thunderbird | <17.0 | |
| Ubuntu | =10.04 | |
| Ubuntu | =11.10 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| SUSE Linux | =11.4 | |
| SUSE Linux | =12.1 | |
| SUSE Linux | =12.2 | |
| SUSE Linux Enterprise Desktop | =10-sp4 | |
| SUSE Linux Enterprise Desktop | =11-sp2 | |
| SUSE Linux Enterprise Server | =10-sp4 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Software Development Kit | =11-sp2 | |
| SUSE Linux Enterprise Software Development Kit | =11-sp3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html
- http://secunia.com/advisories/51369
- http://secunia.com/advisories/51370
- http://secunia.com/advisories/51381
- http://secunia.com/advisories/51434
- http://secunia.com/advisories/51439
- http://secunia.com/advisories/51440
- http://www.mozilla.org/security/announce/2012/mfsa2012-97.html
- http://www.securityfocus.com/bid/56621
- http://www.ubuntu.com/usn/USN-1636-1
- http://www.ubuntu.com/usn/USN-1638-1
- http://www.ubuntu.com/usn/USN-1638-2
- http://www.ubuntu.com/usn/USN-1638-3
- https://bugzilla.mozilla.org/show_bug.cgi?id=779821
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80175
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16965
Frequently Asked Questions
What is the severity of CVE-2012-4205?
CVE-2012-4205 is classified as a moderate severity vulnerability due to its potential for cross-site request forgery attacks.
How do I fix CVE-2012-4205?
To fix CVE-2012-4205, update Mozilla Firefox, Thunderbird, or SeaMonkey to the latest version above 17.0 or 2.14, respectively.
Which software is affected by CVE-2012-4205?
CVE-2012-4205 affects Mozilla Firefox versions before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14, along with specific versions of Ubuntu and openSUSE.
What type of attack can CVE-2012-4205 enable?
CVE-2012-4205 can enable remote attackers to conduct cross-site request forgery (CSRF) attacks.
What versions of software should I be concerned about regarding CVE-2012-4205?
Concerns should focus on versions of Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14, as well as the specified versions of Ubuntu and openSUSE.
- agent/references
- agent/type
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mozilla
- canonical/firefox
- canonical/mozilla seamonkey
- canonical/thunderbird
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/11.10
- version/ubuntu/12.04
- version/ubuntu/12.10
- vendor/opensuse
- canonical/suse linux
- version/suse linux/11.4
- version/suse linux/12.1
- version/suse linux/12.2
- vendor/suse
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/10-sp4
- version/suse linux enterprise desktop/11-sp2
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp4
- version/suse linux enterprise server/11-sp2
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/11-sp2
- version/suse linux enterprise software development kit/11-sp3