Cross site scripting

2012-10-2918:55:00

PRIOn knowledge base

www.prio-n.com

5.8 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.6%

JSON

Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.

CPENameOperatorVersion
ubuntu_linuxeq11.04
ubuntu_linuxeq11.10
ubuntu_linuxeq12.10
ubuntu_linuxeq12.04
ubuntu_linuxeq10.04
firefoxlt16.0.2
firefox_esrge10.0
firefox_esrlt10.0.10
seamonkeylt2.13.2
thunderbirdlt16.0.2

Name	Operator	Version
ubuntu_linux	eq	11.04
ubuntu_linux	eq	11.10
ubuntu_linux	eq	12.10
ubuntu_linux	eq	12.04
ubuntu_linux	eq	10.04
firefox	lt	16.0.2
firefox_esr	ge	10.0
firefox_esr	lt	10.0.10
seamonkey	lt	2.13.2
thunderbird	lt	16.0.2