CVE-2012-0455 - Vulnerability Details

- Mozilla: XSS with Drag and Drop and Javascript: URL (MFSA 2012-13)

Description

Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue.

Published: 2012-03-14

Score: 4.3 Medium

EPSS: 1.1% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:mozilla:firefox:4.0:::::::*
	cpe:2.3:a:mozilla:firefox:4.0:beta1::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta10::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta11::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta12::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta2::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta3::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta4::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta5::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta6::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta7::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta8::::::
	cpe:2.3:a:mozilla:firefox:4.0:beta9::::::
	cpe:2.3:a:mozilla:firefox:4.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:5.0:::::::*
	cpe:2.3:a:mozilla:firefox:5.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:6.0:::::::*
	cpe:2.3:a:mozilla:firefox:6.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:6.0.2:::::::*
	cpe:2.3:a:mozilla:firefox:7.0:::::::*
	cpe:2.3:a:mozilla:firefox:7.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:8.0:::::::*
	cpe:2.3:a:mozilla:firefox:8.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:9.0:::::::*
	cpe:2.3:a:mozilla:firefox:9.0.1:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:mozilla:firefox:10.0:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.1:::::::*
	cpe:2.3:a:mozilla:firefox_esr:10.2:::::::*

Configuration 4 [-]

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Configuration 5 [-]

OR	cpe:2.3:a:mozilla:thunderbird:5.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:6.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:6.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:6.0.2:::::::*
	cpe:2.3:a:mozilla:thunderbird:8.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:9.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:9.0.1:::::::*

Configuration 6 [-]

OR	cpe:2.3:a:mozilla:thunderbird_esr:10.0:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird_esr:10.0.2:::::::*

Configuration 7 [-]

cpe:2.3:a:mozilla:seamonkey:*:beta5:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
firefox-0:10.0.3-1.el5_8	cpe:/o:redhat:enterprise_linux:5	RHSA-2012:0387	2012-03-14T00:00:00Z
xulrunner-0:10.0.3-1.el5_8	cpe:/o:redhat:enterprise_linux:5	RHSA-2012:0387	2012-03-14T00:00:00Z
thunderbird-0:10.0.3-1.el5_8	cpe:/o:redhat:enterprise_linux:5	RHSA-2012:0388	2012-03-14T00:00:00Z
Red Hat Enterprise Linux 6
firefox-0:10.0.3-1.el6_2	cpe:/o:redhat:enterprise_linux:6	RHSA-2012:0387	2012-03-14T00:00:00Z
xulrunner-0:10.0.3-1.el6_2	cpe:/o:redhat:enterprise_linux:6	RHSA-2012:0387	2012-03-14T00:00:00Z
thunderbird-0:10.0.3-1.el6_2	cpe:/o:redhat:enterprise_linux:6	RHSA-2012:0388	2012-03-14T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-2433-1	iceweasel security update
Debian DSA	DSA-2437-1	icedove security update
Debian DSA	DSA-2548-1	iceape security update
EUVD	EUVD-2012-0487	Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue.
Ubuntu USN	USN-1400-1	Firefox vulnerabilities
Ubuntu USN	USN-1400-3	Thunderbird vulnerabilities
Ubuntu USN	USN-1401-1	Xulrunner vulnerabilities
Ubuntu USN	USN-1401-2	Thunderbird vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01144.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00015.html
http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html
http://rhn.redhat.com/errata/RHSA-2012-0387.html
http://rhn.redhat.com/errata/RHSA-2012-0388.html
http://secunia.com/advisories/48359
http://secunia.com/advisories/48402
http://secunia.com/advisories/48414
http://secunia.com/advisories/48495
http://secunia.com/advisories/48496
http://secunia.com/advisories/48513
http://secunia.com/advisories/48553
http://secunia.com/advisories/48561
http://secunia.com/advisories/48624
http://secunia.com/advisories/48629
http://secunia.com/advisories/48823
http://secunia.com/advisories/48920
http://www.debian.org/security/2012/dsa-2433
http://www.debian.org/security/2012/dsa-2458
http://www.mandriva.com/security/advisories?name=MDVSA-2012:031
http://www.mandriva.com/security/advisories?name=MDVSA-2012:032
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
http://www.securityfocus.com/bid/52458
http://www.securitytracker.com/id?1026801
http://www.securitytracker.com/id?1026803
http://www.securitytracker.com/id?1026804
http://www.ubuntu.com/usn/USN-1400-1
http://www.ubuntu.com/usn/USN-1400-2
http://www.ubuntu.com/usn/USN-1400-3
http://www.ubuntu.com/usn/USN-1400-4
http://www.ubuntu.com/usn/USN-1400-5
http://www.ubuntu.com/usn/USN-1401-1
https://bugzilla.mozilla.org/show_bug.cgi?id=704354
https://nvd.nist.gov/vuln/detail/CVE-2012-0455
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14829
https://www.cve.org/CVERecord?id=CVE-2012-0455

History

Mon, 21 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:mozilla:firefox_esr:10.0:::::::*	cpe:2.3:a:mozilla:firefox:10.0:::::::*

Subscriptions

Mozilla Firefox Firefox Esr Seamonkey Thunderbird Thunderbird Esr

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-03-14T19:00:00.000Z

Updated: 2024-08-06T18:23:30.984Z

Reserved: 2012-01-09T00:00:00.000Z

Link: CVE-2012-0455

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-03-14T19:55:01.837

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-0455

Redhat

Severity : Moderate

Publid Date: 2012-03-13T00:00:00Z

Links: CVE-2012-0455 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

Tracking

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object