Release Date: | 2012-07-18 | |
Impact: | None | What is this? |
The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation.
See more information about CVE-2012-1963 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
Base Score: | 4.3 |
Vector String: | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Version: | 2.0 |
Attack Vector: | Network |
Attack Complexity: | Medium |
Authentication: | None |
Confidentiality Impact: | Partial |
Integrity Impact: | None |
Availability Impact: | None |
Platform | Errata | Release Date |
Oracle Linux version 5 (firefox) | ELSA-2012-1088 | 2012-07-17 |
Oracle Linux version 5 (xulrunner) | ELSA-2012-1088 | 2012-07-17 |
Oracle Linux version 6 (firefox) | ELSA-2012-1088 | 2012-07-17 |
Oracle Linux version 6 (thunderbird) | ELSA-2012-1089 | 2012-07-17 |
Oracle Linux version 6 (xulrunner) | ELSA-2012-1088 | 2012-07-17 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: