NVD Vulnerability Detail

CVE-2012-0455

Summary	Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue.
Publication Date	March 15, 2012, 4:55 a.m.
Registration Date	Jan. 28, 2021, 2:53 p.m.
Last Update	Nov. 21, 2024, 10:35 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox::::::::			3.6.27

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox:4.0:beta6::::::
cpe:2.3:a:mozilla:firefox:4.0:beta1::::::
cpe:2.3:a:mozilla:firefox:8.0:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta9::::::
cpe:2.3:a:mozilla:firefox:4.0:beta5::::::
cpe:2.3:a:mozilla:firefox:4.0:beta8::::::
cpe:2.3:a:mozilla:firefox:4.0:beta12::::::
cpe:2.3:a:mozilla:firefox:4.0:beta3::::::
cpe:2.3:a:mozilla:firefox:5.0.1:::::::*
cpe:2.3:a:mozilla:firefox:5.0:::::::*
cpe:2.3:a:mozilla:firefox:7.0:::::::*
cpe:2.3:a:mozilla:firefox:6.0.2:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta2::::::
cpe:2.3:a:mozilla:firefox:4.0:beta4::::::
cpe:2.3:a:mozilla:firefox:4.0:beta10::::::
cpe:2.3:a:mozilla:firefox:6.0.1:::::::*
cpe:2.3:a:mozilla:firefox:4.0:::::::*
cpe:2.3:a:mozilla:firefox:6.0:::::::*
cpe:2.3:a:mozilla:firefox:7.0.1:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta11::::::
cpe:2.3:a:mozilla:firefox:8.0.1:::::::*
cpe:2.3:a:mozilla:firefox:9.0.1:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta7::::::
cpe:2.3:a:mozilla:firefox:9.0:::::::*
cpe:2.3:a:mozilla:firefox:4.0.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox_esr:10.2:::::::*
cpe:2.3:a:mozilla:firefox:10.0:::::::*
cpe:2.3:a:mozilla:firefox_esr:10.1:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:mozilla:thunderbird::::::::			3.1.19

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:mozilla:thunderbird:6.0.1:::::::*
cpe:2.3:a:mozilla:thunderbird:5.0:::::::*
cpe:2.3:a:mozilla:thunderbird:6.0.2:::::::*
cpe:2.3:a:mozilla:thunderbird:8.0:::::::*
cpe:2.3:a:mozilla:thunderbird:9.0.1:::::::*
cpe:2.3:a:mozilla:thunderbird:9.0:::::::*
cpe:2.3:a:mozilla:thunderbird:6.0:::::::*

Configuration6	or higher	or less	more than	less than
cpe:2.3:a:mozilla:thunderbird_esr:10.0:::::::*
cpe:2.3:a:mozilla:thunderbird_esr:10.0.2:::::::*
cpe:2.3:a:mozilla:thunderbird_esr:10.0.1:::::::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:a:mozilla:seamonkey::beta5::::::*			2.7

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html
2	http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00015.html
3	http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html	Mailing List Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2012-0387.html
5	http://rhn.redhat.com/errata/RHSA-2012-0388.html
6	http://secunia.com/advisories/48359
7	http://secunia.com/advisories/48402
8	http://secunia.com/advisories/48414
9	http://secunia.com/advisories/48495	Third Party Advisory
10	http://secunia.com/advisories/48496	Third Party Advisory
11	http://secunia.com/advisories/48513	Third Party Advisory
12	http://secunia.com/advisories/48553	Third Party Advisory
13	http://secunia.com/advisories/48561	Third Party Advisory
14	http://secunia.com/advisories/48624	Third Party Advisory
15	http://secunia.com/advisories/48629	Third Party Advisory
16	http://secunia.com/advisories/48823	Third Party Advisory
17	http://secunia.com/advisories/48920	Third Party Advisory
18	http://www.debian.org/security/2012/dsa-2433	Third Party Advisory
19	http://www.debian.org/security/2012/dsa-2458
20	http://www.mandriva.com/security/advisories?name=MDVSA-2012:031
21	http://www.mandriva.com/security/advisories?name=MDVSA-2012:032
22	http://www.mozilla.org/security/announce/2012/mfsa2012-13.html	Vendor Advisory
23	http://www.securityfocus.com/bid/52458
24	http://www.securitytracker.com/id?1026801
25	http://www.securitytracker.com/id?1026803
26	http://www.securitytracker.com/id?1026804
27	http://www.ubuntu.com/usn/USN-1400-1
28	http://www.ubuntu.com/usn/USN-1400-2	Third Party Advisory
29	http://www.ubuntu.com/usn/USN-1400-3	Third Party Advisory
30	http://www.ubuntu.com/usn/USN-1400-4	Third Party Advisory
31	http://www.ubuntu.com/usn/USN-1400-5	Third Party Advisory
32	http://www.ubuntu.com/usn/USN-1401-1	Third Party Advisory
33	https://bugzilla.mozilla.org/show_bug.cgi?id=704354	Issue Tracking Third Party Advisory
34	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14829	Third Party Advisory
35	http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00014.html
36	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14829	Third Party Advisory
37	https://bugzilla.mozilla.org/show_bug.cgi?id=704354	Issue Tracking Third Party Advisory
38	http://www.ubuntu.com/usn/USN-1401-1	Third Party Advisory
39	http://www.ubuntu.com/usn/USN-1400-5	Third Party Advisory
40	http://www.ubuntu.com/usn/USN-1400-4	Third Party Advisory
41	http://www.ubuntu.com/usn/USN-1400-3	Third Party Advisory
42	http://www.ubuntu.com/usn/USN-1400-2	Third Party Advisory
43	http://www.ubuntu.com/usn/USN-1400-1
44	http://www.securitytracker.com/id?1026804
45	http://www.securitytracker.com/id?1026803
46	http://www.securitytracker.com/id?1026801
47	http://www.securityfocus.com/bid/52458
48	http://www.mozilla.org/security/announce/2012/mfsa2012-13.html	Vendor Advisory
49	http://www.mandriva.com/security/advisories?name=MDVSA-2012:032
50	http://www.mandriva.com/security/advisories?name=MDVSA-2012:031
51	http://www.debian.org/security/2012/dsa-2458
52	http://www.debian.org/security/2012/dsa-2433	Third Party Advisory
53	http://secunia.com/advisories/48920	Third Party Advisory
54	http://secunia.com/advisories/48823	Third Party Advisory
55	http://secunia.com/advisories/48629	Third Party Advisory
56	http://secunia.com/advisories/48624	Third Party Advisory
57	http://secunia.com/advisories/48561	Third Party Advisory
58	http://secunia.com/advisories/48553	Third Party Advisory
59	http://secunia.com/advisories/48513	Third Party Advisory
60	http://secunia.com/advisories/48496	Third Party Advisory
61	http://secunia.com/advisories/48495	Third Party Advisory
62	http://secunia.com/advisories/48414
63	http://secunia.com/advisories/48402
64	http://secunia.com/advisories/48359
65	http://rhn.redhat.com/errata/RHSA-2012-0388.html
66	http://rhn.redhat.com/errata/RHSA-2012-0387.html
67	http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html	Mailing List Third Party Advisory
68	http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00015.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

複数の Mozilla 製品におけるクロスサイトスクリプティング (XSS) 攻撃を誘発される脆弱性

Title	複数の Mozilla 製品におけるクロスサイトスクリプティング (XSS) 攻撃を誘発される脆弱性
Summary	複数の Mozilla 製品は、javascript: URL のドラッグ＆ドロップ操作を適切に制限しないため、クロスサイトスクリプティング (XSS) 攻撃を誘発される脆弱性が存在します。
Possible impacts	攻撃者により、巧妙に細工された Web ページを介して、クロスサイトスクリプティング (XSS) 攻撃を誘発される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 13, 2012, midnight
Registration Date	March 16, 2012, 2:01 p.m.
Last Update	Aug. 24, 2012, 5:30 p.m.

Affected System

Mozilla Foundation

Mozilla Firefox 3.6.28 未満

Mozilla Firefox 4.x から 10.0

Mozilla Firefox ESR 10.0.3 未満の 10.x

Mozilla SeaMonkey 2.8 未満

Mozilla Thunderbird 3.1.20 未満

Mozilla Thunderbird 5.0 から 10.0

Mozilla Thunderbird ESR 10.0.3 未満の 10.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-0455	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0455
National Vulnerability Database (NVD)
2	CVE-2012-0455	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0455

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-2433	http://www.debian.org/security/2012/dsa-2433
Mozilla Foundation Security Advisory
2	MFSA2012-13	http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
Mozilla Foundation セキュリティアドバイザリ
3	MFSA2012-13	http://www.mozilla-japan.org/security/announce/2012/mfsa2012-13.html
opensuse-updates
4	openSUSE-SU-2012:0417	http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html
SECURITY BLOG
5	Multiple vulnerabilities in Firefox web browser	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_firefox_web
6	Multiple vulnerabilities in Thunderbird	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird4
Ubuntu Security Notice
7	USN-1400-2	http://www.ubuntu.com/usn/USN-1400-2
8	USN-1400-3	http://www.ubuntu.com/usn/USN-1400-3/
9	USN-1400-4	http://www.ubuntu.com/usn/USN-1400-4
10	USN-1400-5	http://www.ubuntu.com/usn/USN-1400-5
11	USN-1401-1	http://www.ubuntu.com/usn/USN-1401-1

Change Log

No	Changed Details	Date of change
0	[2012年03月16日] 掲載 [2012年06月12日] ベンダ情報：Ubuntu (USN-1400-3) を追加ベンダ情報：Debian (DSA-2433) を追加 [2012年06月29日] ベンダ情報：オラクル (Multiple vulnerabilities in Firefox web browser) を追加ベンダ情報：オラクル (Multiple vulnerabilities in Thunderbird) を追加 [2012年07月30日] ベンダ情報：openSUSE (openSUSE-SU-2012:0417) を追加 [2012年08月24日] ベンダ情報：Ubuntu (USN-1400-2) を追加ベンダ情報：Ubuntu (USN-1400-4) を追加ベンダ情報：Ubuntu (USN-1400-5) を追加ベンダ情報：Ubuntu (USN-1401-1) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox:4.0:beta6::::::
cpe:2.3:a:mozilla:firefox:4.0:beta1::::::
cpe:2.3:a:mozilla:firefox:8.0:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta9::::::
cpe:2.3:a:mozilla:firefox:4.0:beta5::::::
cpe:2.3:a:mozilla:firefox:4.0:beta8::::::
cpe:2.3:a:mozilla:firefox:4.0:beta12::::::
cpe:2.3:a:mozilla:firefox:4.0:beta3::::::
cpe:2.3:a:mozilla:firefox:5.0.1:::::::*
cpe:2.3:a:mozilla:firefox:5.0:::::::*
cpe:2.3:a:mozilla:firefox:7.0:::::::*
cpe:2.3:a:mozilla:firefox:6.0.2:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta2::::::
cpe:2.3:a:mozilla:firefox:4.0:beta4::::::
cpe:2.3:a:mozilla:firefox:4.0:beta10::::::
cpe:2.3:a:mozilla:firefox:6.0.1:::::::*
cpe:2.3:a:mozilla:firefox:4.0:::::::*
cpe:2.3:a:mozilla:firefox:6.0:::::::*
cpe:2.3:a:mozilla:firefox:7.0.1:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta11::::::
cpe:2.3:a:mozilla:firefox:8.0.1:::::::*
cpe:2.3:a:mozilla:firefox:9.0.1:::::::*
cpe:2.3:a:mozilla:firefox:4.0:beta7::::::
cpe:2.3:a:mozilla:firefox:9.0:::::::*
cpe:2.3:a:mozilla:firefox:4.0.1:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:mozilla:thunderbird:6.0.1:::::::*
cpe:2.3:a:mozilla:thunderbird:5.0:::::::*
cpe:2.3:a:mozilla:thunderbird:6.0.2:::::::*
cpe:2.3:a:mozilla:thunderbird:8.0:::::::*
cpe:2.3:a:mozilla:thunderbird:9.0.1:::::::*
cpe:2.3:a:mozilla:thunderbird:9.0:::::::*
cpe:2.3:a:mozilla:thunderbird:6.0:::::::*