CVE-2012-4208 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 31.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

8

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +5 more

Timeline

PublishedNov 21

Latest updateMay 13

Description

The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages7 packages

▶NVDmozilla/firefox< 17.0

▶NVDmozilla/seamonkey< 2.14

▶NVDmozilla/thunderbird< 17.0

▶NVDopensuse/opensuse11.4, 12.1, 12.2+2

▶NVDsuse/linux_enterprise_server10, 11+1

Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

2

GHSA

GHSA-hg78-jqpr-v9fg: The XrayWrapper implementation in Mozilla Firefox before 17↗2022-05-13

▶

CVEList

CVE-2012-4208: The XrayWrapper implementation in Mozilla Firefox before 17↗2012-11-21

▶

📋Vendor Advisories

3

Ubuntu

Firefox vulnerabilities↗2012-11-21

▶

Ubuntu

Thunderbird vulnerabilities↗2012-11-21

▶

Red Hat

Mozilla: XrayWrappers exposes chrome-only properties when not in chrome compartment (MFSA 2012-99)↗2012-11-20

▶

💬Community

1

Bugzilla

CVE-2012-4208 Mozilla: XrayWrappers exposes chrome-only properties when not in chrome compartment (MFSA 2012-99)↗2012-11-17

▶

CVE-2012-4208 — Sensitive Information Exposure | cvebase