CVE-2012-1963

The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=767778
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
http://rhn.redhat.com/errata/RHSA-2012-1088.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
http://www.ubuntu.com/usn/USN-1509-2
http://www.securitytracker.com/id?1027256
http://secunia.com/advisories/49965
http://secunia.com/advisories/49972
http://www.ubuntu.com/usn/USN-1509-1
http://secunia.com/advisories/49992
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17056
http://www.ubuntu.com/usn/USN-1510-1
http://www.securitytracker.com/id?1027258
http://www.securitytracker.com/id?1027257
http://www.securityfocus.com/bid/54582
http://secunia.com/advisories/49994
http://secunia.com/advisories/49993
http://secunia.com/advisories/49979
http://secunia.com/advisories/49977
http://secunia.com/advisories/49968
http://osvdb.org/84005

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox:4.0:beta1::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta10::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta4::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta2::::::
	cpe:2.3:a:mozilla:firefox:8.0:::::::*
	cpe:2.3:a:mozilla:firefox:8.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:4.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:4.0:beta7::::::
	cpe:2.3:a:mozilla:firefox:4.0:::::::*
	cpe:2.3:a:mozilla:firefox:4.0:beta5::::::
	cpe:2.3:a:mozilla:firefox:6.0:::::::*
	cpe:2.3:a:mozilla:firefox:4.0:beta6::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta9::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta8::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta12::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta3::::::
	cpe:2.3:a:mozilla:firefox:5.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:5.0:::::::*
	cpe:2.3:a:mozilla:firefox:7.0:::::::*
	cpe:2.3:a:mozilla:firefox:6.0.2:::::::*
	cpe:2.3:a:mozilla:firefox:13.0:::::::*
	cpe:2.3:a:mozilla:firefox:12.0:beta6::::::
	cpe:2.3:a:mozilla:firefox:6.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:11.0:::::::*
	cpe:2.3:a:mozilla:firefox:7.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:4.0:beta11::::::
	cpe:2.3:a:mozilla:firefox:12.0:::::::*
	cpe:2.3:a:mozilla:firefox:9.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:9.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:mozilla:firefox_esr:10.0.1:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.0.4:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.0.2:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.0.3:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.0.5:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:mozilla:thunderbird:5.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:6.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:10.0.2:::::::*
	cpe:2.3:a:mozilla:thunderbird:10.0.3:::::::*
	cpe:2.3:a:mozilla:thunderbird:7.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:7.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:8.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:10.0.4:::::::*
	cpe:2.3:a:mozilla:thunderbird:11.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:6.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:6.0.2:::::::*
	cpe:2.3:a:mozilla:thunderbird:10.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:10.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:13.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:12.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:9.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:9.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:mozilla:thunderbird_esr:10.0.5:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0.3:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0.4:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0.2:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:mozilla:seamonkey::::::::
	cpe:2.3:a:mozilla:seamonkey:2.1:alpha1::::::
	cpe:2.3:a:mozilla:seamonkey:2.1:beta1::::::
	cpe:2.3:a:mozilla:seamonkey:2.0.8:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.1:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.12:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.4:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0:alpha_2::::::
	cpe:2.3:a:mozilla:seamonkey:2.0:alpha_1::::::
	cpe:2.3:a:mozilla:seamonkey:1.1.8:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.17:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.10:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0.6:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.3:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0.7:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0:alpha_3::::::
	cpe:2.3:a:mozilla:seamonkey:1.0:alpha::::::
	cpe:2.3:a:mozilla:seamonkey:1.1.14:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.2:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.1:rc1::::::
	cpe:2.3:a:mozilla:seamonkey:1.5.0.9:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1:beta::::::
	cpe:2.3:a:mozilla:seamonkey:1.1.1:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.9:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.5.0.8:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.14:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.6:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0:beta_1::::::
	cpe:2.3:a:mozilla:seamonkey:2.1:rc2::::::
	cpe:2.3:a:mozilla:seamonkey:1.1.9:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.13:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.6:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.10:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0.3:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.13:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0.1:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.7:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.5.0.10:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0.9:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.3:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.1:alpha2::::::
	cpe:2.3:a:mozilla:seamonkey:2.0.2:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.5:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0:beta::::::
	cpe:2.3:a:mozilla:seamonkey:1.1:alpha::::::
	cpe:2.3:a:mozilla:seamonkey:2.0:rc2::::::
	cpe:2.3:a:mozilla:seamonkey:1.1.12:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.11:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0:beta_2::::::
	cpe:2.3:a:mozilla:seamonkey:1.0.2:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.0.8:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.1:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.11:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.1:beta2::::::
	cpe:2.3:a:mozilla:seamonkey:1.0.5:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.15:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.7:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.16:::::::*
	cpe:2.3:a:mozilla:seamonkey:1.1.19:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.0.5:::::::*
	cpe:2.3:a:mozilla:seamonkey:2.1:beta3::::::
	cpe:2.3:a:mozilla:seamonkey:2.0:rc1::::::
cpe:2.3:a:mozilla:seamonkey:1.0.4:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.18:::::::*
cpe:2.3:a:mozilla:seamonkey:2.1:alpha3::::::
cpe:2.3:a:mozilla:seamonkey:2.0:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.4:::::::*

Information

Published : 2012-07-18 03:26

Updated : 2017-12-28 18:29

NVD link : CVE-2012-1963

Mitre link : CVE-2012-1963

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

mozilla

firefox_esr
thunderbird
firefox
thunderbird_esr
seamonkey

4.3 /10