CVE-2012-0455

Published: Mar 14, 2012Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue.

Affected (41)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird, Thunderbird Esr, Seamonkey

5 products

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Up to 3.6.27

Configuration B

25 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Version 4.0.1
Mozilla Firefox	Version 4.0
Mozilla Firefox	Version 4.0 beta10
Mozilla Firefox	Version 4.0 beta11
Mozilla Firefox	Version 4.0 beta12
Mozilla Firefox	Version 4.0 beta1
Mozilla Firefox	Version 4.0 beta2
Mozilla Firefox	Version 4.0 beta3
Mozilla Firefox	Version 4.0 beta4
Mozilla Firefox	Version 4.0 beta5
Mozilla Firefox	Version 4.0 beta6
Mozilla Firefox	Version 4.0 beta7
Mozilla Firefox	Version 4.0 beta8
Mozilla Firefox	Version 4.0 beta9
Mozilla Firefox	Version 5.0.1
Mozilla Firefox	Version 5.0
Mozilla Firefox	Version 6.0.1
Mozilla Firefox	Version 6.0.2
Mozilla Firefox	Version 6.0
Mozilla Firefox	Version 7.0.1
Mozilla Firefox	Version 7.0
Mozilla Firefox	Version 8.0.1
Mozilla Firefox	Version 8.0
Mozilla Firefox	Version 9.0.1
Mozilla Firefox	Version 9.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Version 10.0
Mozilla Firefox Esr	Version 10.1
Mozilla Firefox Esr	Version 10.2

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Up to 3.1.19

Configuration E

7 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Version 5.0
Mozilla Thunderbird	Version 6.0.1
Mozilla Thunderbird	Version 6.0.2
Mozilla Thunderbird	Version 6.0
Mozilla Thunderbird	Version 8.0
Mozilla Thunderbird	Version 9.0.1
Mozilla Thunderbird	Version 9.0

Configuration F

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird Esr	Version 10.0.1
Mozilla Thunderbird Esr	Version 10.0.2
Mozilla Thunderbird Esr	Version 10.0

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Seamonkey	Up to 2.7

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (68)

http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00015.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://rhn.redhat.com/errata/RHSA-2012-0387.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0388.html

Source: cve@mitre.org

http://secunia.com/advisories/48359

Source: cve@mitre.org

http://secunia.com/advisories/48402

Source: cve@mitre.org

http://secunia.com/advisories/48414

Source: cve@mitre.org

http://secunia.com/advisories/48495

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48496

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48513

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48553

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48561

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48624

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48629

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48823

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/48920

Source: cve@mitre.org

Third Party Advisory

http://www.debian.org/security/2012/dsa-2433

Source: cve@mitre.org

Third Party Advisory

http://www.debian.org/security/2012/dsa-2458

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2012:031

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2012:032

Source: cve@mitre.org

http://www.mozilla.org/security/announce/2012/mfsa2012-13.html

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/52458

Source: cve@mitre.org

http://www.securitytracker.com/id?1026801

Source: cve@mitre.org

http://www.securitytracker.com/id?1026803

Source: cve@mitre.org

http://www.securitytracker.com/id?1026804

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-1400-1

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-1400-2

Source: cve@mitre.org

Third Party Advisory

http://www.ubuntu.com/usn/USN-1400-3

Source: cve@mitre.org

Third Party Advisory

http://www.ubuntu.com/usn/USN-1400-4

Source: cve@mitre.org

Third Party Advisory

http://www.ubuntu.com/usn/USN-1400-5

Source: cve@mitre.org

Third Party Advisory

http://www.ubuntu.com/usn/USN-1401-1

Source: cve@mitre.org

Third Party Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=704354

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14829

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html