CVE-2012-4208 Information

Description

The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site.

Reference

http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html
http://secunia.com/advisories/51369
http://secunia.com/advisories/51370
http://secunia.com/advisories/51381
http://secunia.com/advisories/51434
http://secunia.com/advisories/51439
http://secunia.com/advisories/51440
http://www.mozilla.org/security/announce/2012/mfsa2012-99.html
http://www.securityfocus.com/bid/56627
http://www.ubuntu.com/usn/USN-1636-1
http://www.ubuntu.com/usn/USN-1638-1
http://www.ubuntu.com/usn/USN-1638-2
http://www.ubuntu.com/usn/USN-1638-3
https://bugzilla.mozilla.org/show_bug.cgi?id=798264
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A16695
