ID CVE-2012-1949
Summary Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
References
Vulnerable Configurations
  • Mozilla Firefox 4.0
    cpe:2.3:a:mozilla:firefox:4.0
  • Mozilla Firefox 4.0 beta1
    cpe:2.3:a:mozilla:firefox:4.0:beta1
  • Mozilla Firefox 4.0 beta10
    cpe:2.3:a:mozilla:firefox:4.0:beta10
  • Mozilla Firefox 4.0 beta11
    cpe:2.3:a:mozilla:firefox:4.0:beta11
  • Mozilla Firefox 4.0 beta12
    cpe:2.3:a:mozilla:firefox:4.0:beta12
  • Mozilla Firefox 4.0 beta2
    cpe:2.3:a:mozilla:firefox:4.0:beta2
  • Mozilla Firefox 4.0 beta3
    cpe:2.3:a:mozilla:firefox:4.0:beta3
  • Mozilla Firefox 4.0 beta4
    cpe:2.3:a:mozilla:firefox:4.0:beta4
  • Mozilla Firefox 4.0 beta5
    cpe:2.3:a:mozilla:firefox:4.0:beta5
  • Mozilla Firefox 4.0 beta6
    cpe:2.3:a:mozilla:firefox:4.0:beta6
  • Mozilla Firefox 4.0 beta7
    cpe:2.3:a:mozilla:firefox:4.0:beta7
  • Mozilla Firefox 4.0 beta8
    cpe:2.3:a:mozilla:firefox:4.0:beta8
  • Mozilla Firefox 4.0 beta9
    cpe:2.3:a:mozilla:firefox:4.0:beta9
  • Mozilla Firefox 4.0.1
    cpe:2.3:a:mozilla:firefox:4.0.1
  • Mozilla Firefox 5.0
    cpe:2.3:a:mozilla:firefox:5.0
  • Mozilla Firefox 5.0.1
    cpe:2.3:a:mozilla:firefox:5.0.1
  • Mozilla Firefox 6.0
    cpe:2.3:a:mozilla:firefox:6.0
  • Mozilla Firefox 6.0.1
    cpe:2.3:a:mozilla:firefox:6.0.1
  • Mozilla Firefox 6.0.2
    cpe:2.3:a:mozilla:firefox:6.0.2
  • Mozilla Firefox 7.0
    cpe:2.3:a:mozilla:firefox:7.0
  • Mozilla Firefox 7.0.1
    cpe:2.3:a:mozilla:firefox:7.0.1
  • Mozilla Firefox 8.0
    cpe:2.3:a:mozilla:firefox:8.0
  • Mozilla Firefox 8.0.1
    cpe:2.3:a:mozilla:firefox:8.0.1
  • Mozilla Firefox 9.0
    cpe:2.3:a:mozilla:firefox:9.0
  • Mozilla Firefox 9.0.1
    cpe:2.3:a:mozilla:firefox:9.0.1
  • Mozilla Firefox 11.0
    cpe:2.3:a:mozilla:firefox:11.0
  • Mozilla Firefox 12.0
    cpe:2.3:a:mozilla:firefox:12.0
  • Mozilla Firefox 12.0 beta6
    cpe:2.3:a:mozilla:firefox:12.0:beta6
  • Mozilla Firefox 13.0
    cpe:2.3:a:mozilla:firefox:13.0
  • Mozilla Thunderbird 5.0
    cpe:2.3:a:mozilla:thunderbird:5.0
  • Mozilla Thunderbird 6.0
    cpe:2.3:a:mozilla:thunderbird:6.0
  • Mozilla Thunderbird 6.0.1
    cpe:2.3:a:mozilla:thunderbird:6.0.1
  • Mozilla Thunderbird 6.0.2
    cpe:2.3:a:mozilla:thunderbird:6.0.2
  • Mozilla Thunderbird 7.0
    cpe:2.3:a:mozilla:thunderbird:7.0
  • Mozilla Thunderbird 7.0.1
    cpe:2.3:a:mozilla:thunderbird:7.0.1
  • Mozilla Thunderbird 8.0
    cpe:2.3:a:mozilla:thunderbird:8.0
  • Mozilla Thunderbird 9.0
    cpe:2.3:a:mozilla:thunderbird:9.0
  • Mozilla Thunderbird 9.0.1
    cpe:2.3:a:mozilla:thunderbird:9.0.1
  • Mozilla Thunderbird 10.0
    cpe:2.3:a:mozilla:thunderbird:10.0
  • Mozilla Thunderbird 10.0.1
    cpe:2.3:a:mozilla:thunderbird:10.0.1
  • Mozilla Thunderbird 10.0.2
    cpe:2.3:a:mozilla:thunderbird:10.0.2
  • Mozilla Thunderbird 10.0.3
    cpe:2.3:a:mozilla:thunderbird:10.0.3
  • Mozilla Thunderbird 10.0.4
    cpe:2.3:a:mozilla:thunderbird:10.0.4
  • Mozilla Thunderbird 11.0
    cpe:2.3:a:mozilla:thunderbird:11.0
  • Mozilla Thunderbird 12.0
    cpe:2.3:a:mozilla:thunderbird:12.0
  • Mozilla Thunderbird 13.0
    cpe:2.3:a:mozilla:thunderbird:13.0
  • Mozilla SeaMonkey 1.0
    cpe:2.3:a:mozilla:seamonkey:1.0
  • Mozilla SeaMonkey 1.0 alpha
    cpe:2.3:a:mozilla:seamonkey:1.0:alpha
  • Mozilla SeaMonkey 1.0 beta
    cpe:2.3:a:mozilla:seamonkey:1.0:beta
  • Mozilla SeaMonkey 1.0.1
    cpe:2.3:a:mozilla:seamonkey:1.0.1
  • Mozilla SeaMonkey 1.0.2
    cpe:2.3:a:mozilla:seamonkey:1.0.2
  • Mozilla SeaMonkey 1.0.3
    cpe:2.3:a:mozilla:seamonkey:1.0.3
  • Mozilla SeaMonkey 1.0.4
    cpe:2.3:a:mozilla:seamonkey:1.0.4
  • Mozilla SeaMonkey 1.0.5
    cpe:2.3:a:mozilla:seamonkey:1.0.5
  • Mozilla SeaMonkey 1.0.6
    cpe:2.3:a:mozilla:seamonkey:1.0.6
  • Mozilla SeaMonkey 1.0.7
    cpe:2.3:a:mozilla:seamonkey:1.0.7
  • Mozilla SeaMonkey 1.0.8
    cpe:2.3:a:mozilla:seamonkey:1.0.8
  • Mozilla SeaMonkey 1.0.9
    cpe:2.3:a:mozilla:seamonkey:1.0.9
  • Mozilla SeaMonkey 1.1
    cpe:2.3:a:mozilla:seamonkey:1.1
  • Mozilla SeaMonkey 1.1 alpha
    cpe:2.3:a:mozilla:seamonkey:1.1:alpha
  • Mozilla SeaMonkey 1.1 beta
    cpe:2.3:a:mozilla:seamonkey:1.1:beta
  • Mozilla Seamonkey 1.1.1
    cpe:2.3:a:mozilla:seamonkey:1.1.1
  • Mozilla Seamonkey 1.1.2
    cpe:2.3:a:mozilla:seamonkey:1.1.2
  • Mozilla Seamonkey 1.1.3
    cpe:2.3:a:mozilla:seamonkey:1.1.3
  • Mozilla Seamonkey 1.1.4
    cpe:2.3:a:mozilla:seamonkey:1.1.4
  • Mozilla Seamonkey 1.1.5
    cpe:2.3:a:mozilla:seamonkey:1.1.5
  • Mozilla Seamonkey 1.1.6
    cpe:2.3:a:mozilla:seamonkey:1.1.6
  • Mozilla Seamonkey 1.1.7
    cpe:2.3:a:mozilla:seamonkey:1.1.7
  • Mozilla SeaMonkey 1.1.8
    cpe:2.3:a:mozilla:seamonkey:1.1.8
  • Mozilla SeaMonkey 1.1.9
    cpe:2.3:a:mozilla:seamonkey:1.1.9
  • Mozilla SeaMonkey 1.1.10
    cpe:2.3:a:mozilla:seamonkey:1.1.10
  • Mozilla SeaMonkey 1.1.11
    cpe:2.3:a:mozilla:seamonkey:1.1.11
  • Mozilla SeaMonkey 1.1.12
    cpe:2.3:a:mozilla:seamonkey:1.1.12
  • Mozilla SeaMonkey 1.1.13
    cpe:2.3:a:mozilla:seamonkey:1.1.13
  • Mozilla SeaMonkey 1.1.14
    cpe:2.3:a:mozilla:seamonkey:1.1.14
  • Mozilla SeaMonkey 1.1.15
    cpe:2.3:a:mozilla:seamonkey:1.1.15
  • Mozilla SeaMonkey 1.1.16
    cpe:2.3:a:mozilla:seamonkey:1.1.16
  • Mozilla SeaMonkey 1.1.17
    cpe:2.3:a:mozilla:seamonkey:1.1.17
  • Mozilla Seamonkey 1.1.18
    cpe:2.3:a:mozilla:seamonkey:1.1.18
  • Mozilla Seamonkey 1.1.19
    cpe:2.3:a:mozilla:seamonkey:1.1.19
  • Mozilla SeaMonkey 1.5.0.8
    cpe:2.3:a:mozilla:seamonkey:1.5.0.8
  • Mozilla SeaMonkey 1.5.0.9
    cpe:2.3:a:mozilla:seamonkey:1.5.0.9
  • Mozilla SeaMonkey 1.5.0.10
    cpe:2.3:a:mozilla:seamonkey:1.5.0.10
  • Mozilla SeaMonkey 2.0
    cpe:2.3:a:mozilla:seamonkey:2.0
  • Mozilla SeaMonkey 2.0 Alpha 1
    cpe:2.3:a:mozilla:seamonkey:2.0:alpha_1
  • Mozilla SeaMonkey 2.0 Alpha 2
    cpe:2.3:a:mozilla:seamonkey:2.0:alpha_2
  • Mozilla SeaMonkey 2.0 Alpha 3
    cpe:2.3:a:mozilla:seamonkey:2.0:alpha_3
  • Mozilla SeaMonkey 2.0 Beta 1
    cpe:2.3:a:mozilla:seamonkey:2.0:beta_1
  • Mozilla SeaMonkey 2.0 Beta 2
    cpe:2.3:a:mozilla:seamonkey:2.0:beta_2
  • Mozilla SeaMonkey 2.0 RC1
    cpe:2.3:a:mozilla:seamonkey:2.0:rc1
  • Mozilla SeaMonkey 2.0 RC2
    cpe:2.3:a:mozilla:seamonkey:2.0:rc2
  • Mozilla SeaMonkey 2.0.1
    cpe:2.3:a:mozilla:seamonkey:2.0.1
  • Mozilla SeaMonkey 2.0.2
    cpe:2.3:a:mozilla:seamonkey:2.0.2
  • Mozilla SeaMonkey 2.0.3
    cpe:2.3:a:mozilla:seamonkey:2.0.3
  • Mozilla SeaMonkey 2.0.4
    cpe:2.3:a:mozilla:seamonkey:2.0.4
  • Mozilla SeaMonkey 2.0.5
    cpe:2.3:a:mozilla:seamonkey:2.0.5
  • Mozilla SeaMonkey 2.0.6
    cpe:2.3:a:mozilla:seamonkey:2.0.6
  • Mozilla SeaMonkey 2.0.7
    cpe:2.3:a:mozilla:seamonkey:2.0.7
  • Mozilla SeaMonkey 2.0.8
    cpe:2.3:a:mozilla:seamonkey:2.0.8
  • Mozilla SeaMonkey 2.0.9
    cpe:2.3:a:mozilla:seamonkey:2.0.9
  • Mozilla SeaMonkey 2.0.10
    cpe:2.3:a:mozilla:seamonkey:2.0.10
  • Mozilla SeaMonkey 2.0.11
    cpe:2.3:a:mozilla:seamonkey:2.0.11
  • Mozilla SeaMonkey 2.0.12
    cpe:2.3:a:mozilla:seamonkey:2.0.12
  • Mozilla SeaMonkey 2.0.13
    cpe:2.3:a:mozilla:seamonkey:2.0.13
  • Mozilla SeaMonkey 2.0.14
    cpe:2.3:a:mozilla:seamonkey:2.0.14
  • Mozilla SeaMonkey 2.1
    cpe:2.3:a:mozilla:seamonkey:2.1
  • Mozilla SeaMonkey 2.1 alpha1
    cpe:2.3:a:mozilla:seamonkey:2.1:alpha1
  • Mozilla SeaMonkey 2.1 alpha2
    cpe:2.3:a:mozilla:seamonkey:2.1:alpha2
  • Mozilla SeaMonkey 2.1 alpha3
    cpe:2.3:a:mozilla:seamonkey:2.1:alpha3
  • Mozilla SeaMonkey 2.1 Beta 1
    cpe:2.3:a:mozilla:seamonkey:2.1:beta1
  • Mozilla SeaMonkey 2.1 Beta 2
    cpe:2.3:a:mozilla:seamonkey:2.1:beta2
  • Mozilla SeaMonkey 2.1 Beta 3
    cpe:2.3:a:mozilla:seamonkey:2.1:beta3
  • Mozilla SeaMonkey 2.1 Release Candidate 1
    cpe:2.3:a:mozilla:seamonkey:2.1:rc1
  • Mozilla SeaMonkey 2.1 Release Candidate 2
    cpe:2.3:a:mozilla:seamonkey:2.1:rc2
  • Mozilla SeaMonkey 2.10
    cpe:2.3:a:mozilla:seamonkey:2.10
CVSS
Base: 9.3 (as of 18-07-2012 - 13:20)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-410.NASL
    description MozillaFirefox was updated to 14.0.1 to fix various bugs and security issues. Following security issues were fixed: MFSA 2012-42: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. CVE-2012-1949: Brian Smith, Gary Kwong, Christian Holler, Jesse Ruderman, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey reported memory safety problems and crashes that affect Firefox 13. CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 13. MFSA 2012-43 / CVE-2012-1950: Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users. MFSA 2012-44 Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to call into objects in this array later. The second use-after-free problem is in nsDocument::AdoptNode when it adopts into an empty document and then adopts into another document, emptying the first one. The heap buffer overflow is in ElementAnimations when data is read off of end of an array and then pointers are dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called with frames in aFrameList that are a mix of row group frames and column group frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable. CVE-2012-1951: Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased CVE-2012-1954: Heap-use-after-free in nsDocument::AdoptNode CVE-2012-1953: Out of bounds read in ElementAnimations::EnsureStyleRuleFor CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used for phishing by allowing the user input form or other data on the newer, attacking, site while appearing to be on the older, displayed site. MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ('View Image', 'Show only this frame', and 'View background image') are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution. MFSA 2012-47 / CVE-2012-1957: Security researcher Mario Heiderich reported that JavaScript could be executed in the HTML feed-view using tag within the RSS . This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class and could affect other parts of the browser or add-ons which rely on that class to sanitize untrusted input. MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution. MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby Holley found that same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read read back, it is not known that SCSW was previously present, resulting in a bypassing of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality. MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne reported an out of bounds (OOB) read in QCMS, Mozilla’s color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered. MFSA 2012-51 / CVE-2012-1961: Bugzilla developer Frédéric Buclin reported that the 'X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protected against possible clickjacking attacks on those pages. MFSA 2012-52 / CVE-2012-1962: Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash. MFSA 2012-53 / CVE-2012-1963: Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the 'report-uri' location include sensitive data within the 'blocked-uri' parameter. These include fragment components and query strings even if the 'blocked-uri' parameter has a different origin than the protected resource. This can be used to retrieve a user's OAuth 2.0 access tokens and OpenID credentials by malicious sites. MFSA 2012-54 / CVE-2012-1964: Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the 'Add Exception' button of a real warning page from a malicious site. This can mislead users to adding a certificate exception for a different site than the perceived one. This can lead to compromised communications with the user perceived site through the MITM attack once the certificate exception has been added. MFSA 2012-55 / CVE-2012-1965: Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites. MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher moz_bug_r_a4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74687
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74687
    title openSUSE Security Update : MozillaFirefox (openSUSE-SU-2012:0899-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FIREFOX_14_0.NASL
    description The installed version of Firefox is earlier than 14.0 and thus, is potentially affected by the following security issues : - Several memory safety issues exist, some of which could potentially allow arbitrary code execution. (CVE-2012-1948, CVE-2012-1949) - An error related to drag and drop can allow incorrect URLs to be displayed. (CVE-2012-1950) - Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) - An error related to JavaScript functions 'history.forward' and 'history.back' can allow incorrect URLs to be displayed. (CVE-2012-1955) - Cross-site scripting attacks are possible due to an error related to the '' tag within an RSS '' element. (CVE-2012-1957) - A use-after-free error exists related to the method 'nsGlobalWindow::PageHidden'. (CVE-2012-1958) - An error exists that can allow 'same-compartment security wrappers' (SCSW) to be bypassed. (CVE-2012-1959) - An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960) - The 'X-Frames-Options' header is ignored if it is duplicated. (CVE-2012-1961) - A memory corruption error exists related to the method 'JSDependentString::undepend'. (CVE-2012-1962) - An error related to the 'Content Security Policy' (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) - An error exists related to the 'feed:' URL that can allow cross-site scripting attacks. (CVE-2012-1965) - Cross-site scripting attacks are possible due to an error related to the 'data:' URL and context menus. (CVE-2012-1966) - An error exists related to the 'javascript:' URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 60039
    published 2012-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60039
    title Firefox < 14.0 Multiple Vulnerabilities (Mac OS X)
  • NASL family Windows
    NASL id SEAMONKEY_211.NASL
    description The installed version of SeaMonkey is earlier than 2.11.0. Such versions are potentially affected by the following security issues : - Several memory safety issues exist, some of which could potentially allow arbitrary code execution. (CVE-2012-1948, CVE-2012-1949) - Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) - An error related to JavaScript functions 'history.forward' and 'history.back' can allow incorrect URLs to be displayed. (CVE-2012-1955) - Cross-site scripting attacks are possible due to an error related to the '' tag within an RSS '' element. (CVE-2012-1957) - A use-after-free error exists related to the method 'nsGlobalWindow::PageHidden'. (CVE-2012-1958) - An error exists that can allow 'same-compartment security wrappers' (SCSW) to be bypassed. (CVE-2012-1959) - An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960) - The 'X-Frames-Options' header is ignored if it is duplicated. (CVE-2012-1961) - A memory corruption error exists related to the method 'JSDependentString::undepend'. (CVE-2012-1962) - An error related to the 'Content Security Policy' (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) - An error exists related to the 'javascript:' URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 60046
    published 2012-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60046
    title SeaMonkey < 2.11.0 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-465.NASL
    description Mozilla XULRunner was updated to 14.0.1, fixing bugs and security issues : Following security issues were fixed: MFSA 2012-42: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. CVE-2012-1949: Brian Smith, Gary Kwong, Christian Holler, Jesse Ruderman, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey reported memory safety problems and crashes that affect Firefox 13. CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 13. MFSA 2012-43 / CVE-2012-1950: Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users. MFSA 2012-44 Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to call into objects in this array later. The second use-after-free problem is in nsDocument::AdoptNode when it adopts into an empty document and then adopts into another document, emptying the first one. The heap buffer overflow is in ElementAnimations when data is read off of end of an array and then pointers are dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called with frames in aFrameList that are a mix of row group frames and column group frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable. CVE-2012-1951: Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased CVE-2012-1954: Heap-use-after-free in nsDocument::AdoptNode CVE-2012-1953: Out of bounds read in ElementAnimations::EnsureStyleRuleFor CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used for phishing by allowing the user input form or other data on the newer, attacking, site while appearing to be on the older, displayed site. MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ('View Image', 'Show only this frame', and 'View background image') are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution. MFSA 2012-47 / CVE-2012-1957: Security researcher Mario Heiderich reported that JavaScript could be executed in the HTML feed-view using tag within the RSS . This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class and could affect other parts of the browser or add-ons which rely on that class to sanitize untrusted input. MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution. MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby Holley found that same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read read back, it is not known that SCSW was previously present, resulting in a bypassing of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality. MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne reported an out of bounds (OOB) read in QCMS, Mozilla’s color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered. MFSA 2012-51 / CVE-2012-1961: Bugzilla developer Frédéric Buclin reported that the 'X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protected against possible clickjacking attacks on those pages. MFSA 2012-52 / CVE-2012-1962: Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash. MFSA 2012-53 / CVE-2012-1963: Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the 'report-uri' location include sensitive data within the 'blocked-uri' parameter. These include fragment components and query strings even if the 'blocked-uri' parameter has a different origin than the protected resource. This can be used to retrieve a user's OAuth 2.0 access tokens and OpenID credentials by malicious sites. MFSA 2012-54 / CVE-2012-1964: Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the 'Add Exception' button of a real warning page from a malicious site. This can mislead users to adding a certificate exception for a different site than the perceived one. This can lead to compromised communications with the user perceived site through the MITM attack once the certificate exception has been added. MFSA 2012-55 / CVE-2012-1965: Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites. MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher moz_bug_r_a4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74693
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74693
    title openSUSE Security Update : xulrunner (openSUSE-SU-2012:0924-1)
  • NASL family Windows
    NASL id MOZILLA_THUNDERBIRD_140.NASL
    description The installed version of Thunderbird is earlier than 14.0 and thus, is potentially affected by the following security issues : - Several memory safety issues exist, some of which could potentially allow arbitrary code execution. (CVE-2012-1948, CVE-2012-1949) - Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) - An error related to JavaScript functions 'history.forward' and 'history.back' can allow incorrect URLs to be displayed. (CVE-2012-1955) - Cross-site scripting attacks are possible due to an error related to the '' tag within an RSS '' element. (CVE-2012-1957) - A use-after-free error exists related to the method 'nsGlobalWindow::PageHidden'. (CVE-2012-1958) - An error exists that can allow 'same-compartment security wrappers' (SCSW) to be bypassed. (CVE-2012-1959) - An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960) - The 'X-Frames-Options' header is ignored if it is duplicated. (CVE-2012-1961) - A memory corruption error exists related to the method 'JSDependentString::undepend'. (CVE-2012-1962) - An error related to the 'Content Security Policy' (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) - An error exists related to the 'javascript:' URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 60045
    published 2012-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60045
    title Mozilla Thunderbird < 14.0 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_FIREFOX-201207-120719.NASL
    description Mozilla Firefox has been updated to the 10.0.6ESR security release fixing various bugs and several security issues, some critical. The following security issues have been fixed : - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2012-42) - Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 13. (CVE-2012-1948) - Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users. (MFSA 2012-43 / CVE-2012-1950) - Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-afte.r-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to call into objects in this array later. The second use-after-free problem is in nsDocument::AdoptNode when it adopts into an empty document and then adopts into another document, emptying the first one. The heap buffer overflow is in ElementAnimations when data is read off of end of an array and then pointers are dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called with frames in aFrameList that are a mix of row group frames and column group frames. AppendFrames is not able to handle this mix. (MFSA 2012-44) All four of these issues are potentially exploitable. - Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased. (CVE-2012-1951) - Heap-use-after-free in nsDocument::AdoptNode. (CVE-2012-1954) - Out of bounds read in ElementAnimations::EnsureStyleRuleFor. (CVE-2012-1953) - Bad cast in nsTableFrame::InsertFrames. (CVE-2012-1952) - Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used for phishing by allowing the user input form or other data on the newer, attacking, site while appearing to be on the older, displayed site. (MFSA 2012-45 / CVE-2012-1955) - Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ('View Image', 'Show only this frame', and 'View background image') are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution. (MFSA 2012-46 / CVE-2012-1966) - Security researcher Mario Heiderich reported that JavaScript could be executed in the HTML feed-view using tag within the RSS . This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class and could affect other parts of the browser or add-ons which rely on that class to sanitize untrusted input. (MFSA 2012-47 / CVE-2012-1957) - Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution. (MFSA 2012-48 / CVE-2012-1958) - Mozilla developer Bobby Holley found that same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read read back, it is not known that SCSW was previously present, resulting in a bypassing of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality. (MFSA 2012-49 / CVE-2012-1959) - Google developer Tony Payne reported an out of bounds (OOB) read in QCMS, Mozilla's color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered. (MFSA 2012-50 / CVE-2012-1960) - Bugzilla developer Frederic Buclin reported that the 'X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protected against possible clickjacking attacks on those pages. (MFSA 2012-51 / CVE-2012-1961) - Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash. (MFSA 2012-52 / CVE-2012-1962) - Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the 'report-uri' location include sensitive data within the 'blocked-uri' parameter. These include fragment components and query strings even if the 'blocked-uri' parameter has a different origin than the protected resource. This can be used to retrieve a user's OAuth 2.0 access tokens and OpenID credentials by malicious sites. (MFSA 2012-53 / CVE-2012-1963) - Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the 'Add Exception' button of a real warning page from a malicious site. This can mislead users to adding a certificate exception for a different site than the perceived one. This can lead to compromised communications with the user perceived site through the MITM attack once the certificate exception has been added. (MFSA 2012-54 / CVE-2012-1964) - Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites. (MFSA 2012-55 / CVE-2012-1965) - Mozilla security researcher moz_bug_r_a4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution. (MFSA 2012-56 / CVE-2012-1967)
    last seen 2019-02-21
    modified 2014-05-22
    plugin id 64131
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64131
    title SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 6574)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_140.NASL
    description The installed version of Firefox is earlier than 14.0 and thus, is potentially affected by the following security issues : - Several memory safety issues exist, some of which could potentially allow arbitrary code execution. (CVE-2012-1948, CVE-2012-1949) - An error related to drag and drop can allow incorrect URLs to be displayed. (CVE-2012-1950) - Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) - An error related to JavaScript functions 'history.forward' and 'history.back' can allow incorrect URLs to be displayed. (CVE-2012-1955) - Cross-site scripting attacks are possible due to an error related to the '' tag within an RSS '' element. (CVE-2012-1957) - A use-after-free error exists related to the method 'nsGlobalWindow::PageHidden'. (CVE-2012-1958) - An error exists that can allow 'same-compartment security wrappers' (SCSW) to be bypassed. (CVE-2012-1959) - An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960) - The 'X-Frames-Options' header is ignored if it is duplicated. (CVE-2012-1961) - A memory corruption error exists related to the method 'JSDependentString::undepend'. (CVE-2012-1962) - An error related to the 'Content Security Policy' (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) - An error exists related to the 'feed:' URL that can allow cross-site scripting attacks. (CVE-2012-1965) - Cross-site scripting attacks are possible due to an error related to the 'data:' URL and context menus. (CVE-2012-1966) - An error exists related to the 'javascript:' URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 60043
    published 2012-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60043
    title Firefox < 14.0 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1509-2.NASL
    description USN-1509-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the lastest Firefox. Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949) Mario Gomes discovered that the address bar may be incorrectly updated. Drag-and-drop events in the address bar may cause the address of the previous site to be displayed while a new page is loaded. An attacker could exploit this to conduct phishing attacks. (CVE-2012-1950) Abhishek Arya discovered four memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) Mariusz Mlynski discovered that the address bar may be incorrectly updated. Calls to history.forward and history.back could be used to navigate to a site while the address bar still displayed the previous site. A remote attacker could exploit this to conduct phishing attacks. (CVE-2012-1955) Mario Heiderich discovered that HTML tags were not filtered out of the HTML of RSS feeds. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution in the HTML feed view. (CVE-2012-1957) Arthur Gerkis discovered a use-after-free vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1958) Bobby Holley discovered that same-compartment security wrappers (SCSW) could be bypassed to allow XBL access. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1959) Tony Payne discovered an out-of-bounds memory read in Mozilla's color management library (QCMS). If the user were tricked into opening a specially crafted color profile, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-1960) Frederic Buclin discovered that the X-Frame-Options header was ignored when its value was specified multiple times. An attacker could exploit this to conduct clickjacking attacks. (CVE-2012-1961) Bill Keese discovered a memory corruption vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1962) Karthikeyan Bhargavan discovered an information leakage vulnerability in the Content Security Policy (CSP) 1.0 implementation. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) Matt McCutchen discovered a clickjacking vulnerability in the certificate warning page. A remote attacker could trick a user into accepting a malicious certificate via a crafted certificate warning page. (CVE-2012-1964) Mario Gomes and Soroush Dalili discovered that JavaScript was not filtered out of feed URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1965) A vulnerability was discovered in the context menu of data: URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966) It was discovered that the execution of javascript: URLs was not properly handled in some cases. A remote attacker could exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1967). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 60013
    published 2012-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60013
    title Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : ubufox update (USN-1509-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1509-1.NASL
    description Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949) Mario Gomes discovered that the address bar may be incorrectly updated. Drag-and-drop events in the address bar may cause the address of the previous site to be displayed while a new page is loaded. An attacker could exploit this to conduct phishing attacks. (CVE-2012-1950) Abhishek Arya discovered four memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) Mariusz Mlynski discovered that the address bar may be incorrectly updated. Calls to history.forward and history.back could be used to navigate to a site while the address bar still displayed the previous site. A remote attacker could exploit this to conduct phishing attacks. (CVE-2012-1955) Mario Heiderich discovered that HTML tags were not filtered out of the HTML of RSS feeds. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution in the HTML feed view. (CVE-2012-1957) Arthur Gerkis discovered a use-after-free vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1958) Bobby Holley discovered that same-compartment security wrappers (SCSW) could be bypassed to allow XBL access. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1959) Tony Payne discovered an out-of-bounds memory read in Mozilla's color management library (QCMS). If the user were tricked into opening a specially crafted color profile, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-1960) Frederic Buclin discovered that the X-Frame-Options header was ignored when its value was specified multiple times. An attacker could exploit this to conduct clickjacking attacks. (CVE-2012-1961) Bill Keese discovered a memory corruption vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1962) Karthikeyan Bhargavan discovered an information leakage vulnerability in the Content Security Policy (CSP) 1.0 implementation. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) Matt McCutchen discovered a clickjacking vulnerability in the certificate warning page. A remote attacker could trick a user into accepting a malicious certificate via a crafted certificate warning page. (CVE-2012-1964) Mario Gomes and Soroush Dalili discovered that JavaScript was not filtered out of feed URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1965) A vulnerability was discovered in the context menu of data: URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966) It was discovered that the execution of javascript: URLs was not properly handled in some cases. A remote attacker could exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1967). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 60012
    published 2012-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60012
    title Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1509-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-443.NASL
    description Mozilla Thunderbird was updated to version 14.0 (bnc#771583) - MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards - MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-20 12-1952 Gecko memory corruption - MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location - MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of JavaScript in HTML feed-view - MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden - MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed - MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS - MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated - MFSA 2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption - MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage - MFSA 2012-56/CVE-2012-1967 (bmo#758344) Code execution through javascript: URLs - relicensed to MPL-2.0 - update Enigmail to 1.4.3 - no crashreport on %arm, fixing build
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74691
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74691
    title openSUSE Security Update : MozillaThunderbird (openSUSE-SU-2012:0917-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_THUNDERBIRD_14_0.NASL
    description The installed version of Thunderbird is earlier than 14.0 and thus, is potentially affected by the following security issues : - Several memory safety issues exist, some of which could potentially allow arbitrary code execution. (CVE-2012-1948, CVE-2012-1949) - Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) - An error related to JavaScript functions 'history.forward' and 'history.back' can allow incorrect URLs to be displayed. (CVE-2012-1955) - Cross-site scripting attacks are possible due to an error related to the '' tag within an RSS '' element. (CVE-2012-1957) - A use-after-free error exists related to the method 'nsGlobalWindow::PageHidden'. (CVE-2012-1958) - An error exists that can allow 'same-compartment security wrappers' (SCSW) to be bypassed. (CVE-2012-1959) - An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960) - The 'X-Frames-Options' header is ignored if it is duplicated. (CVE-2012-1961) - A memory corruption error exists related to the method 'JSDependentString::undepend'. (CVE-2012-1962) - An error related to the 'Content Security Policy' (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) - An error exists related to the 'javascript:' URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 60041
    published 2012-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60041
    title Thunderbird < 14.0 Multiple Vulnerabilities (Mac OS X)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201301-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URL’s for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser’s font, conduct clickjacking attacks, or have other unspecified impact. A local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 63402
    published 2013-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63402
    title GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_DBF338D0DCE511E1B65514DAE9EBCF89.NASL
    description The Mozilla Project reports : MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop MFSA 2012-44 Gecko memory corruption MFSA 2012-45 Spoofing issue with location MFSA 2012-46 XSS through data: URLs MFSA 2012-47 Improper filtering of JavaScript in HTML feed-view MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden MFSA 2012-49 Same-compartment Security Wrappers can be bypassed MFSA 2012-50 Out of bounds read in QCMS MFSA 2012-51 X-Frame-Options header ignored when duplicated MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage MFSA 2012-54 Clickjacking of certificate warning page MFSA 2012-55 feed: URLs with an innerURI inherit security context of page MFSA 2012-56 Code execution through javascript: URLs
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 61402
    published 2012-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61402
    title FreeBSD : mozilla -- multiple vulnerabilities (dbf338d0-dce5-11e1-b655-14dae9ebcf89)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-473.NASL
    description SeaMonkey was updated to version 2.11 (bnc#771583) - MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards - MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-20 12-1952 Gecko memory corruption - MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location - MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of JavaScript in HTML feed-view - MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden - MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed - MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS - MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated - MFSA 2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption - MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage - MFSA 2012-56/CVE-2012-1967 (bmo#758344) Code execution through javascript: URLs - relicensed to MPL-2.0 - updated/removed patches - requires NSS 3.13.5 - update to SeaMonkey 2.10.1
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74698
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74698
    title openSUSE Security Update : seamonkey (openSUSE-SU-2012:0935-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1510-1.NASL
    description Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered memory safety issues affecting Thunderbird. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-1948, CVE-2012-1949) Abhishek Arya discovered four memory safety issues affecting Thunderbird. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) Mariusz Mlynski discovered that the address bar may be incorrectly updated. Calls to history.forward and history.back could be used to navigate to a site while the address bar still displayed the previous site. A remote attacker could exploit this to conduct phishing attacks. (CVE-2012-1955) Mario Heiderich discovered that HTML tags were not filtered out of the HTML of RSS feeds. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution in the HTML feed view. (CVE-2012-1957) Arthur Gerkis discovered a use-after-free vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-1958) Bobby Holley discovered that same-compartment security wrappers (SCSW) could be bypassed to allow XBL access. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to execute code with the privileges of the user invoking Thunderbird. (CVE-2012-1959) Tony Payne discovered an out-of-bounds memory read in Mozilla's color management library (QCMS). If the user were tricked into opening a specially crafted color profile, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-1960) Frederic Buclin discovered that the X-Frame-Options header was ignored when its value was specified multiple times. An attacker could exploit this to conduct clickjacking attacks. (CVE-2012-1961) Bill Keese discovered a memory corruption vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-1962) Karthikeyan Bhargavan discovered an information leakage vulnerability in the Content Security Policy (CSP) 1.0 implementation. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) It was discovered that the execution of javascript: URLs was not properly handled in some cases. A remote attacker could exploit this to execute code with the privileges of the user invoking Thunderbird. (CVE-2012-1967). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 60014
    published 2012-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60014
    title Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1510-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2012-110.NASL
    description Security issues were identified and fixed in mozilla firefox and thunderbird : Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2012-1949, CVE-2012-1948). Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users (CVE-2012-1950). Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to call into objects in this array later. The second use-after-free problem is in nsDocument::AdoptNode when it adopts into an empty document and then adopts into another document, emptying the first one. The heap buffer overflow is in ElementAnimations when data is read off of end of an array and then pointers are dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called with frames in aFrameList that are a mix of row group frames and column group frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable (CVE-2012-1951, CVE-2012-1954, CVE-2012-1953, CVE-2012-1952). Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used for phishing by allowing the user input form or other data on the newer, attacking, site while appearing to be on the older, displayed site (CVE-2012-1955). Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality (View Image, Show only this frame, and View background image) are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution (CVE-2012-1966). Security researcher Mario Heiderich reported that JavaScript could be executed in the HTML feed-view using tag within the RSS . This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class and could affect other parts of the browser or add-ons which rely on that class to sanitize untrusted input (CVE-2012-1957). Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution (CVE-2012-1958). Mozilla developer Bobby Holley found that same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read read back, it is not known that SCSW was previously present, resulting in a bypassing of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality (CVE-2012-1959). Google developer Tony Payne reported an out of bounds (OOB) read in QCMS, Mozillas color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered (CVE-2012-1960). Bugzilla developer Fredric Buclin reported that the X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protected against possible clickjacking attacks on those pages (CVE-2012-1961). Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash (CVE-2012-1962). Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the report-uri location include sensitive data within the blocked-uri parameter. These include fragment components and query strings even if the blocked-uri parameter has a different origin than the protected resource. This can be used to retrieve a user's OAuth 2.0 access tokens and OpenID credentials by malicious sites (CVE-2012-1963). Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the Add Exception button of a real warning page from a malicious site. This can mislead users to adding a certificate exception for a different site than the perceived one. This can lead to compromised communications with the user perceived site through the MITM attack once the certificate exception has been added (CVE-2012-1964). Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites (CVE-2012-1965). Mozilla security researcher moz_bug_r_a4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution (CVE-2012-1967). The mozilla firefox and thunderbird packages has been upgraded to the latest respective versions which is unaffected by these security flaws. Additionally the rootcerts packages has been upgraded to the latest version which brings updated root CA data. Update : Localization packages for firefox was missing with the MDVSA-2012:110 advisory and is being provided with this advisory.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 61963
    published 2012-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61963
    title Mandriva Linux Security Advisory : mozilla (MDVSA-2012:110-1)
oval via4
accepted 2014-10-06T04:02:29.206-04:00
class vulnerability
contributors
  • name Sergey Artykhov
    organization ALTX-SOFT
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Shane Shaffer
    organization G2, Inc.
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Richard Helbing
    organization baramundi software
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
definition_extensions
  • comment Mozilla Thunderbird Mainline release is installed
    oval oval:org.mitre.oval:def:22093
  • comment Mozilla Seamonkey is installed
    oval oval:org.mitre.oval:def:6372
  • comment Mozilla Firefox Mainline release is installed
    oval oval:org.mitre.oval:def:22259
description Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
family windows
id oval:org.mitre.oval:def:17027
status accepted
submitted 2013-05-13T10:26:26.748+04:00
title Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
version 35
refmap via4
bid 54580
confirm
osvdb 84006
sectrack
  • 1027256
  • 1027257
  • 1027258
secunia
  • 49965
  • 49968
  • 49972
  • 49992
  • 49993
  • 49994
suse
  • SUSE-SU-2012:0895
  • SUSE-SU-2012:0896
  • openSUSE-SU-2012:0899
  • openSUSE-SU-2012:0917
ubuntu
  • USN-1509-1
  • USN-1509-2
  • USN-1510-1
Last major update 10-10-2014 - 00:51
Published 18-07-2012 - 06:26
Last modified 28-12-2017 - 21:29
Back to Top