{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2331?format=json","vulnerability_id":"VCID-mf9j-kke2-bfak","summary":"Security researcher Mariusz Mlynski reported that when\nInstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper\n(COW) that fails to specify exposed properties. These can then be added to the\nresulting object by an attacker, allowing access to chrome privileged functions\nthrough script.\nWhile investigating this issue, Mozilla security researcher\nmoz_bug_r_a4 found that COW did not disallow accessing of\nproperties from a standard prototype in some situations, even when the original\nissue had been fixed.\nThese issues could allow for a cross-site scripting (XSS) attack or arbitrary\ncode execution. \nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.","aliases":[{"alias":"CVE-2012-4184"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184","reference_id":"CVE-2012-4184","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2012-83","reference_id":"mfsa2012-83","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2012-83"}],"weaknesses":[],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mf9j-kke2-bfak"}