CVE-2012-4194

Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.

Published: Oct 29, 2012
Updated: Apr 13, 2023
CVE: CVE-2012-4194
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mozilla / firefox	-	16.0.2
mozilla / seamonkey	-	2.13.2
mozilla / thunderbird	-	16.0.2
mozilla / firefox_esr	10.0	10.0.10
mozilla / thunderbird_esr	10.0	10.0.10
suse / linux_enterprise_server	10-sp4	10-sp4.x
suse / linux_enterprise_desktop	11-sp2	11-sp2.x
opensuse / opensuse	11.4	11.4.x
opensuse / opensuse	12.2	12.2.x
suse / linux_enterprise_desktop	10-sp4	10-sp4.x
opensuse / opensuse	12.1	12.1.x
suse / linux_enterprise_server	11-sp2	11-sp2.x
suse / linux_enterprise_software_development_kit	11-sp2	11-sp2.x
suse / linux_enterprise_software_development_kit	10-sp4	10-sp4.x
canonical / ubuntu_linux	11.04	11.04.x
canonical / ubuntu_linux	11.10	11.10.x
canonical / ubuntu_linux	12.10	12.10.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	10.04	10.04.x
redhat / enterprise_linux_server	7.0	7.0.x
redhat / enterprise_linux_workstation	5.0	5.0.x
redhat / enterprise_linux_desktop	6.0	6.0.x
redhat / enterprise_linux_server	6.0	6.0.x
redhat / enterprise_linux_workstation	6.0	6.0.x
redhat / enterprise_linux_desktop	5.0	5.0.x
redhat / enterprise_linux_eus	6.3	6.3.x

Vulnerability Database

289,689

CVE-2012-4194