CVE-2012-1956 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 26.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird

Timeline

PublishedAug 29

Latest updateMay 17

Description

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox14.0+130

▶NVDmozilla/seamonkey2.11+32

▶NVDmozilla/thunderbird14.0+99

🔴Vulnerability Details

GHSA

GHSA-8449-cw6v-fqcw: Mozilla Firefox before 15↗2022-05-17

▶

CVEList

CVE-2012-1956: Mozilla Firefox before 15↗2012-08-29

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2012-08-30

▶

Ubuntu

Firefox vulnerabilities↗2012-08-29

▶

Red Hat

Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59)↗2012-08-28

▶

💬Community

Bugzilla

window.document needs to be [Unforgeable]↗2013-07-03

▶

Bugzilla

CVE-2012-1956 Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59)↗2012-08-27

▶