Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict calls to DOMWindowUtils (aka nsDOMWindowUtils) methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0084.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Mozilla
  • Firefox
  • Seamonkey
  • Thunderbird
  • Thunderbird Esr
Redhat
  • Enterprise Linux
  • Enterprise Linux Desktop
  • Enterprise Linux Eus
  • Enterprise Linux Server
  • Enterprise Linux Workstation
Suse
  • Linux Enterprise Desktop
  • Linux Enterprise Sdk
  • Linux Enterprise Server

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:mozilla:thunderbird_esr:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*

Configuration 6 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

Configuration 7 [-]

OR cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_sdk:10:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 5
firefox-0:10.0.8-1.el5_8 cpe:/o:redhat:enterprise_linux:5 RHSA-2012:1350 2012-10-09T00:00:00Z
xulrunner-0:10.0.8-1.el5_8 cpe:/o:redhat:enterprise_linux:5 RHSA-2012:1350 2012-10-09T00:00:00Z
thunderbird-0:10.0.8-1.el5_8 cpe:/o:redhat:enterprise_linux:5 RHSA-2012:1351 2012-10-09T00:00:00Z
Red Hat Enterprise Linux 6
firefox-0:10.0.8-1.el6_3 cpe:/o:redhat:enterprise_linux:6 RHSA-2012:1350 2012-10-09T00:00:00Z
xulrunner-0:10.0.8-1.el6_3 cpe:/o:redhat:enterprise_linux:6 RHSA-2012:1350 2012-10-09T00:00:00Z
thunderbird-0:10.0.8-1.el6_3 cpe:/o:redhat:enterprise_linux:6 RHSA-2012:1351 2012-10-09T00:00:00Z

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-2565-1 iceweasel security update
Debian DSA Debian DSA DSA-2569-1 icedove security update
Debian DSA Debian DSA DSA-2572-1 iceape security update
EUVD EUVD EUVD-2012-3930 Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict calls to DOMWindowUtils (aka nsDOMWindowUtils) methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code.
Ubuntu USN Ubuntu USN USN-1600-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-1611-1 Thunderbird vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-1351.html cve-icon cve-icon
http://secunia.com/advisories/50856 cve-icon cve-icon
http://secunia.com/advisories/50892 cve-icon cve-icon
http://secunia.com/advisories/50904 cve-icon cve-icon
http://secunia.com/advisories/50935 cve-icon cve-icon
http://secunia.com/advisories/50936 cve-icon cve-icon
http://secunia.com/advisories/50984 cve-icon cve-icon
http://secunia.com/advisories/51181 cve-icon cve-icon
http://secunia.com/advisories/55318 cve-icon cve-icon
http://www.debian.org/security/2012/dsa-2565 cve-icon cve-icon
http://www.debian.org/security/2012/dsa-2569 cve-icon cve-icon
http://www.debian.org/security/2012/dsa-2572 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2012:163 cve-icon cve-icon
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html cve-icon cve-icon cve-icon
http://www.securityfocus.com/bid/55922 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1611-1 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=775868 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2012-3986 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16834 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2012-3986 cve-icon
History

Mon, 21 Oct 2024 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Vendors & Products Mozilla firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-06T20:21:04.183Z

Reserved: 2012-07-11T00:00:00

Link: CVE-2012-3986

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2012-10-10T17:55:01.707

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-3986

cve-icon Redhat

Severity : Moderate

Publid Date: 2012-10-09T00:00:00Z

Links: CVE-2012-3986 - Bugzilla

cve-icon OpenCVE Enrichment

No data.