Published: 18/07/2012 Updated: 29/12/2017

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x up to and including 13.0, Firefox ESR 10.x prior to 10.0.6, Thunderbird 5.0 up to and including 13.0, Thunderbird ESR 10.x prior to 10.0.6, and SeaMonkey prior to 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation.

Vulnerable Product	Search on Vulmon	Subscribe to Product
mozilla firefox 4.0
mozilla firefox 8.0
mozilla firefox 8.0.1
mozilla firefox 4.0.1
mozilla firefox 6.0
mozilla firefox 6.0.2
mozilla firefox 11.0
mozilla firefox 12.0
mozilla firefox 5.0
mozilla firefox 5.0.1
mozilla firefox 9.0.1
mozilla firefox 9.0
mozilla firefox 6.0.1
mozilla firefox 7.0.1
mozilla firefox 7.0
mozilla firefox 13.0
mozilla firefox esr 10.0.1
mozilla firefox esr 10.0.4
mozilla firefox esr 10.0
mozilla firefox esr 10.0.2
mozilla firefox esr 10.0.3
mozilla firefox esr 10.0.5
mozilla thunderbird 5.0
mozilla thunderbird 6.0
mozilla thunderbird 10.0.2
mozilla thunderbird 10.0.3
mozilla thunderbird 7.0.1
mozilla thunderbird 7.0
mozilla thunderbird 8.0
mozilla thunderbird 10.0.4
mozilla thunderbird 11.0
mozilla thunderbird 6.0.1
mozilla thunderbird 6.0.2
mozilla thunderbird 10.0.1
mozilla thunderbird 10.0
mozilla thunderbird 9.0.1
mozilla thunderbird 9.0
mozilla thunderbird 12.0
mozilla thunderbird 13.0
mozilla thunderbird esr 10.0.5
mozilla thunderbird esr 10.0
mozilla thunderbird esr 10.0.1
mozilla thunderbird esr 10.0.3
mozilla thunderbird esr 10.0.4
mozilla thunderbird esr 10.0.2
mozilla seamonkey
mozilla seamonkey 2.1
mozilla seamonkey 2.0.8
mozilla seamonkey 2.0.1
mozilla seamonkey 2.0.12
mozilla seamonkey 2.0.4
mozilla seamonkey 2.0
mozilla seamonkey 1.1.8
mozilla seamonkey 1.1.17
mozilla seamonkey 1.1.6
mozilla seamonkey 1.1.9
mozilla seamonkey 1.5.0.8
mozilla seamonkey 1.5.0.9
mozilla seamonkey 2.0.9
mozilla seamonkey 2.0.6
mozilla seamonkey 2.0.14
mozilla seamonkey 2.0.3
mozilla seamonkey 1.1.1
mozilla seamonkey 1.1.14
mozilla seamonkey 1.0
mozilla seamonkey 1.1.10
mozilla seamonkey 1.0.7
mozilla seamonkey 1.0.6
mozilla seamonkey 1.1
mozilla seamonkey 1.1.2
mozilla seamonkey 1.1.13
mozilla seamonkey 1.0.3
mozilla seamonkey 1.0.2
mozilla seamonkey 2.0.7
mozilla seamonkey 2.0.11
mozilla seamonkey 2.0.13
mozilla seamonkey 2.0.10
mozilla seamonkey 1.1.7
mozilla seamonkey 1.1.16
mozilla seamonkey 1.1.12
mozilla seamonkey 1.0.9
mozilla seamonkey 1.0.8
mozilla seamonkey 1.0.1
mozilla seamonkey 2.0.5
mozilla seamonkey 2.0.2
mozilla seamonkey 1.1.19
mozilla seamonkey 1.1.18
mozilla seamonkey 1.1.15
mozilla seamonkey 1.1.11
mozilla seamonkey 1.1.4
mozilla seamonkey 1.1.5
mozilla seamonkey 1.5.0.10
mozilla seamonkey 1.1.3
mozilla seamonkey 1.0.5
mozilla seamonkey 1.0.4

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic Updated firefox packages that fix multiple security issues are nowavailable for Red Hat Enterprise Linux 5 and 6The Red Hat Security Response Team has rated this update as having criticalsecurity impact Common Vulne ...

Synopsis Critical: thunderbird security update Type/Severity Security Advisory: Critical Topic An updated thunderbird package that fixes multiple security issues is nowavailable for Red Hat Enterprise Linux 5 and 6The Red Hat Security Response Team has rated this update as having criticalsecurity impact C ...

This update provides compatible ubufox packages for the latest Firefox ...

Several security issues were fixed in Thunderbird ...

Several security issues were fixed in Firefox ...

Mozilla Foundation Security Advisory 2012-53 Content Security Policy 10 implementation errors cause data leakage Announced July 17, 2012 Reporter Karthikeyan Bhargavan Impact High Products Firefox, Firefox ESR, SeaMonkey, Th ...

CWE-264 http://www.mozilla.org/security/announce/2012/mfsa2012-53.html https://bugzilla.mozilla.org/show_bug.cgi?id=767778 http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://rhn.redhat.com/errata/RHSA-2012-1088.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://www.ubuntu.com/usn/USN-1509-2 http://www.securitytracker.com/id?1027256 http://secunia.com/advisories/49965 http://secunia.com/advisories/49972 http://www.ubuntu.com/usn/USN-1509-1 http://secunia.com/advisories/49992 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17056 http://www.ubuntu.com/usn/USN-1510-1 http://www.securitytracker.com/id?1027258 http://www.securitytracker.com/id?1027257 http://www.securityfocus.com/bid/54582 http://secunia.com/advisories/49994 http://secunia.com/advisories/49993 http://secunia.com/advisories/49979 http://secunia.com/advisories/49977 http://secunia.com/advisories/49968 http://osvdb.org/84005 https://access.redhat.com/errata/RHSA-2012:1088 https://nvd.nist.gov https://usn.ubuntu.com/1509-2/

Get Started

CVE-2012-1963

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect