CVE-2012-4205 — Cross-Site Request Forgery in Mozilla Firefox

CWE-352 — Cross-Site Request Forgery7 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.8%

top 25.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +5 more

Timeline

PublishedNov 21

Latest updateMay 13

Description

Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages7 packages

▶NVDmozilla/firefox< 17.0

▶NVDmozilla/seamonkey< 2.14

▶NVDmozilla/thunderbird< 17.0

▶NVDopensuse/opensuse11.4, 12.1, 12.2+2

▶NVDsuse/linux_enterprise_server10, 11+1

Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10

🔴Vulnerability Details

GHSA

GHSA-mj3h-hrp4-mfr6: Mozilla Firefox before 17↗2022-05-13

▶

CVEList

CVE-2012-4205: Mozilla Firefox before 17↗2012-11-21

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2012-11-21

▶

Ubuntu

Thunderbird vulnerabilities↗2012-11-21

▶

Red Hat

Mozilla: XMLHttpRequest inherits incorrect principal within sandbox (MFSA 2012-97)↗2012-11-20

▶

💬Community

Bugzilla

CVE-2012-4205 Mozilla: XMLHttpRequest inherits incorrect principal within sandbox (MFSA 2012-97)↗2012-11-17

▶