Rapid7 Vulnerability & Exploit Database

MFSA2012-99 Thunderbird: XrayWrappers exposes chrome-only properties when not in chrome compartment (CVE-2012-4208)

Back to Search

MFSA2012-99 Thunderbird: XrayWrappers exposes chrome-only properties when not in chrome compartment (CVE-2012-4208)

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published
11/20/2012
Created
07/25/2018
Added
11/21/2012
Modified
04/05/2017

Description

The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site.

Solution(s)

  • mozilla-thunderbird-upgrade-17_0

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;