CVE-2012-1964

critical

Description

The certificate-warning functionality in browser/components/certerror/content/aboutCertError.xhtml in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.10 does not properly handle attempted clickjacking of the about:certerror page, which allows man-in-the-middle attackers to trick users into adding an unintended exception via an IFRAME element.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16783

https://bugzilla.mozilla.org/show_bug.cgi?id=633691

http://www.ubuntu.com/usn/USN-1509-2

http://www.ubuntu.com/usn/USN-1509-1

http://www.securityfocus.com/bid/54581

http://www.mozilla.org/security/announce/2012/mfsa2012-54.html

http://secunia.com/advisories/49994

http://secunia.com/advisories/49993

http://secunia.com/advisories/49992

http://secunia.com/advisories/49979

http://secunia.com/advisories/49977

http://secunia.com/advisories/49972

http://secunia.com/advisories/49965

http://rhn.redhat.com/errata/RHSA-2012-1088.html

http://osvdb.org/84011

http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html

Details

Source: Mitre, NVD

Published: 2012-07-18

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical