Unrated severityNVD Advisory· Published Nov 21, 2012· Updated Jun 16, 2026
CVE-2012-4201
CVE-2012-4201
Description
The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
32cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <17.0
- (no CPE)range: <17.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*range: <17.0
- cpe:2.3:a:mozilla:thunderbird_esr:*:*:*:*:*:*:*:*range: >=10.0,<10.0.11
- (no CPE)range: <17.0
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*+ 3 more
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:sp2:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:vmware:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp4:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp2:*:*:*:*:*:*
- osv-coords3 versionspkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweed
< 128.5.1-1.1+ 2 more
- (no CPE)range: < 128.5.1-1.1
- (no CPE)range: < 50.1.0-1.1
- (no CPE)range: < 45.5.1-1.1
Patches
Vulnerability mechanics
References
29- bugzilla.mozilla.org/show_bug.cginvdExploitIssue TrackingPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-updates/2012-11/msg00090.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-updates/2012-11/msg00092.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-updates/2012-11/msg00093.htmlnvdMailing ListThird Party Advisory
- rhn.redhat.com/errata/RHSA-2012-1482.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2012-1483.htmlnvdThird Party Advisory
- secunia.com/advisories/51359nvdThird Party Advisory
- secunia.com/advisories/51360nvdThird Party Advisory
- secunia.com/advisories/51369nvdThird Party Advisory
- secunia.com/advisories/51370nvdThird Party Advisory
- secunia.com/advisories/51381nvdThird Party Advisory
- secunia.com/advisories/51434nvdThird Party Advisory
- secunia.com/advisories/51439nvdThird Party Advisory
- secunia.com/advisories/51440nvdThird Party Advisory
- www.debian.org/security/2012/dsa-2583nvdThird Party Advisory
- www.debian.org/security/2012/dsa-2584nvdThird Party Advisory
- www.debian.org/security/2012/dsa-2588nvdThird Party Advisory
- www.mandriva.com/security/advisoriesnvdThird Party Advisory
- www.mozilla.org/security/announce/2012/mfsa2012-93.htmlnvdVendor Advisory
- www.securityfocus.com/bid/56618nvdThird Party AdvisoryVDB Entry
- www.ubuntu.com/usn/USN-1636-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1638-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1638-2nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1638-3nvdThird Party Advisory
- exchange.xforce.ibmcloud.com/vulnerabilities/80171nvdThird Party AdvisoryVDB Entry
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15995nvdThird Party Advisory
- osvdb.org/87594nvdBroken Link
News mentions
0No linked articles in our index yet.