CVE-2012-1944: Cross-site Scripting in Mozilla Seamonkey

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.7% (top 28.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 5; latest update May 14

Description

The Content Security Policy (CSP) implementation in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 does not block inline event handlers, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (4 packages)

NVD: mozilla/firefox, 20 versions (+19)
NVD: mozilla/thunderbird, 16 versions (+15)
NVD: mozilla/thunderbird_esr, 5 versions (+4)
NVD: mozilla/seamonkey, 2.9 (+64)

🔴 Vulnerability Details (2)

GHSA: GHSA-mpv9-qhv2-p7fj: The Content Security Policy (CSP) implementation in Mozilla Firefox 4 (2022-05-14)
CVEList: CVE-2012-1944: The Content Security Policy (CSP) implementation in Mozilla Firefox 4 (2012-06-05)

📋 Vendor Advisories (4)

Ubuntu: Thunderbird vulnerabilities (2012-06-27)
Ubuntu: Firefox regressions (2012-06-20)
Ubuntu: Firefox vulnerabilities (2012-06-06)
Red Hat: Mozilla: Content Security Policy inline-script bypass (MFSA 2012-36) (2012-06-05)

💬 Community (2)

Bugzilla: CVE-2012-1944 Mozilla: Content Security Policy inline-script bypass (MFSA 2012-36) (2012-06-03)
Bugzilla: <img onerror="..."> execute even when inline scripts are blocked by CSP (2012-05-02)