Metric | Value |
---|---|
CVSS2 score | 6.8 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
EPSS | 0.023 Low |
EPSS Percentile | 89.5% |

Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird
before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before
2.13.1 omit a security check in the defaultValue function during the
unwrapping of security wrappers, which allows remote attackers to bypass
the Same Origin Policy and read the properties of a Location object, or
execute arbitrary JavaScript code, via a crafted web site.

Author | Note |
---|---|
jdstrand | xulrunner-1.9.2 unmaintained upstream (see README.mozilla for details) |
micahg | this CVE is for the pre-16 fix |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | thunderbird | < 16.0.1+build1-0ubuntu0.10.04.1 | UNKNOWN |
ubuntu | 11.04 | noarch | thunderbird | < 16.0.1+build1-0ubuntu0.11.04.1 | UNKNOWN |
ubuntu | 11.10 | noarch | thunderbird | < 16.0.1+build1-0ubuntu0.11.10.1 | UNKNOWN |
ubuntu | 12.04 | noarch | thunderbird | < 16.0.1+build1-0ubuntu0.12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | thunderbird | < 16.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 13.04 | noarch | thunderbird | < 16.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 13.10 | noarch | thunderbird | < 16.0.1+build1-0ubuntu1 | UNKNOWN |