CVE-2012-5354 - OpenCVE

Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has multiple menus of SELECT elements active, which allows remote attackers to conduct clickjacking attacks via vectors involving an XPI file, the window.open method, and the Geolocation API, a different vulnerability than CVE-2012-3984.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Seamonkey Firefox Thunderbird

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:seamonkey::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

References

Link	Resource
http://osvdb.org/86171	Broken Link
http://secunia.com/advisories/50856	Broken Link
http://secunia.com/advisories/50935	Broken Link
http://www.mozilla.org/security/announce/2012/mfsa2012-75.html	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=726264	Issue Tracking Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16972	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2012-10-10T17:00:00

Updated: 2017-09-18T12:57:01

Reserved: 2012-10-10T00:00:00

Link: CVE-2012-5354

JSON object: View

NVD Information

Status : Analyzed

Published: 2012-10-10T17:55:02.657

Modified: 2020-08-26T19:40:33.743

Link: CVE-2012-5354

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-10-09T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has multiple menus of SELECT elements active, which allows remote attackers to conduct clickjacking attacks via vectors involving an XPI file, the window.open method, and the Geolocation API, a different vulnerability than CVE-2012-3984."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "50935", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50935"}, {"name": "50856", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50856"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2012/mfsa2012-75.html"}, {"name": "oval:org.mitre.oval:def:16972", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16972"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=726264"}, {"name": "86171", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/86171"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-5354", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has multiple menus of SELECT elements active, which allows remote attackers to conduct clickjacking attacks via vectors involving an XPI file, the window.open method, and the Geolocation API, a different vulnerability than CVE-2012-3984."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "50935", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/50935"}, {"name": "50856", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/50856"}, {"name": "http://www.mozilla.org/security/announce/2012/mfsa2012-75.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2012/mfsa2012-75.html"}, {"name": "oval:org.mitre.oval:def:16972", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16972"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=726264", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=726264"}, {"name": "86171", "refsource": "OSVDB", "url": "http://osvdb.org/86171"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-5354", "datePublished": "2012-10-10T17:00:00", "dateReserved": "2012-10-10T00:00:00", "dateUpdated": "2017-09-18T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C70070-253F-4D0B-8717-85E7FA089D20", "versionEndExcluding": "16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*", "matchCriteriaId": "751D51E0-7240-4385-BB86-5F0619B79491", "versionEndExcluding": "2.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "8064CC14-2AA6-4631-946B-0915E7204835", "versionEndExcluding": "16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has multiple menus of SELECT elements active, which allows remote attackers to conduct clickjacking attacks via vectors involving an XPI file, the window.open method, and the Geolocation API, a different vulnerability than CVE-2012-3984."}, {"lang": "es", "value": "Mozilla Firefox anteriores a v16.0, Thunderbird anteriores a v16.0 y SeaMonkey anteriores a v2.13 no manejan apropiadamente la navegaci\u00f3n fuera de una p\u00e1gina web que tenga m\u00faltiples men\u00fas de elementos SELECT activos, permitiendo a atacantes remotos realizar ataques de clickjacking mediante vectores relacionados con un fichero XPI, el m\u00e9todo window.open y la API de geo-localizaci\u00f3n, siendo una vulnerabilidad diferente que CVE-2012-3984."}], "id": "CVE-2012-5354", "lastModified": "2020-08-26T19:40:33.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2012-10-10T17:55:02.657", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://osvdb.org/86171"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/50856"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/50935"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2012/mfsa2012-75.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=726264"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16972"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}