CVE-2012-1963
9.1 High
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
73.3%
The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation.
References
lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
osvdb.org/84005
rhn.redhat.com/errata/RHSA-2012-1088.html
secunia.com/advisories/49965
secunia.com/advisories/49968
secunia.com/advisories/49972
secunia.com/advisories/49977
secunia.com/advisories/49979
secunia.com/advisories/49992
secunia.com/advisories/49993
secunia.com/advisories/49994
www.mozilla.org/security/announce/2012/mfsa2012-53.html
www.securityfocus.com/bid/54582
www.securitytracker.com/id?1027256
www.securitytracker.com/id?1027257
www.securitytracker.com/id?1027258
www.ubuntu.com/usn/USN-1509-1
www.ubuntu.com/usn/USN-1509-2
www.ubuntu.com/usn/USN-1510-1
bugzilla.mozilla.org/show_bug.cgi?id=767778
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17056
Related
9.1 High
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
73.3%