{
  "threat_severity" : "Moderate",
  "public_date" : "2012-11-20T00:00:00Z",
  "bugzilla" : {
    "description" : "Mozilla: evalInSanbox location context incorrectly applied (MFSA 2012-93)",
    "id" : "877616",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=877616"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "details" : [ "The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on." ],
  "acknowledgement" : "Red Hat would like to thank Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2012-11-20T00:00:00Z",
    "advisory" : "RHSA-2012:1482",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "firefox-0:10.0.11-1.el5_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2012-11-20T00:00:00Z",
    "advisory" : "RHSA-2012:1482",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "xulrunner-0:10.0.11-1.el5_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2012-11-20T00:00:00Z",
    "advisory" : "RHSA-2012:1483",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "thunderbird-0:10.0.11-1.el5_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2012-11-20T00:00:00Z",
    "advisory" : "RHSA-2012:1482",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "firefox-0:10.0.11-1.el6_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2012-11-20T00:00:00Z",
    "advisory" : "RHSA-2012:1482",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "xulrunner-0:10.0.11-1.el6_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2012-11-20T00:00:00Z",
    "advisory" : "RHSA-2012:1483",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "thunderbird-0:10.0.11-1.el6_3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2012-4201\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-4201\nhttp://www.mozilla.org/security/announce/2012/mfsa2012-93.html" ],
  "name" : "CVE-2012-4201",
  "csaw" : false
}