| 0 |
| url |
VCID-114z-7ta8-mqe7 |
| vulnerability_id |
VCID-114z-7ta8-mqe7 |
| summary |
Security researcher Gregory Fleischer reported
that when an Adobe Flash file is loaded via
the view-source: scheme, the Flash plugin misinterprets
the origin of the content as localhost, leading to two specific
vulnerabilities: |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1307
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-114z-7ta8-mqe7 |
|
| 1 |
| url |
VCID-12eu-2nge-u3hu |
| vulnerability_id |
VCID-12eu-2nge-u3hu |
| summary |
Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes. Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4068
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-12eu-2nge-u3hu |
|
| 2 |
|
| 3 |
| url |
VCID-13rr-43nj-h7af |
| vulnerability_id |
VCID-13rr-43nj-h7af |
| summary |
Mozilla security researcher moz_bug_r_a4 reported that frame
scripts bypass XPConnect security checks when calling untrusted objects. This
allows for cross-site scripting (XSS) attacks through web pages and Firefox
extensions. The fix enables the Script Security Manager (SSM) to force security
checks on all frame scripts.
Firefox 3.6 and Thunderbird 3.1 are not affected by this
vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0446
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-13rr-43nj-h7af |
|
| 4 |
| url |
VCID-16sb-uhrd-xfaf |
| vulnerability_id |
VCID-16sb-uhrd-xfaf |
| summary |
Mozilla developer Blake Kaplan reported that the
window.location object was made a normal overridable JavaScript object
in the Firefox 3.6 browser engine (Gecko 1.9.2) because new mechanisms
were developed to enforce the same-origin policy between windows and frames.
This object is unfortunately also used by some plugins to determine the page
origin used for access restrictions. A malicious page could override this
object to fool a plugin into granting access to data on another site or the
local file system. The behavior of older Firefox versions has been restored.
This flaw does not affect earlier versions of Firefox, or other
programs such as Thunderbird or SeaMonkey built on older versions
of the browser engine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0170
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-16sb-uhrd-xfaf |
|
| 5 |
| url |
VCID-18dk-sq41-5kfp |
| vulnerability_id |
VCID-18dk-sq41-5kfp |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3070
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-18dk-sq41-5kfp |
|
| 6 |
| url |
VCID-19ut-3c72-1kfk |
| vulnerability_id |
VCID-19ut-3c72-1kfk |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4215
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-19ut-3c72-1kfk |
|
| 7 |
| url |
VCID-1m8n-68ks-cqd4 |
| vulnerability_id |
VCID-1m8n-68ks-cqd4 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2996
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1m8n-68ks-cqd4 |
|
| 8 |
| url |
VCID-1nsv-4xw6-q3bh |
| vulnerability_id |
VCID-1nsv-4xw6-q3bh |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1973
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1nsv-4xw6-q3bh |
|
| 9 |
| url |
VCID-1rgf-x73x-33dk |
| vulnerability_id |
VCID-1rgf-x73x-33dk |
| summary |
Security researcher Arthur Gerkis used the Address Sanitizer
tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent
is released and oldFocusedContent is used afterwards. This use-after-free could
possibly allow for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1958
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1rgf-x73x-33dk |
|
| 10 |
|
| 11 |
| url |
VCID-1v1p-3xrs-jfgt |
| vulnerability_id |
VCID-1v1p-3xrs-jfgt |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3958
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1v1p-3xrs-jfgt |
|
| 12 |
| url |
VCID-2479-hg85-6qa5 |
| vulnerability_id |
VCID-2479-hg85-6qa5 |
| summary |
Security researcher Arthur Gerkis used the Address Sanitizer
tool to find a use-after-free while replacing/inserting a node in a document.
This use-after-free could possibly allow for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1946
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2479-hg85-6qa5 |
|
| 13 |
| url |
VCID-26q8-bbpg-5fgk |
| vulnerability_id |
VCID-26q8-bbpg-5fgk |
| summary |
Mozilla community member Michael reported that
when a server responds with a Refresh header containing a
javascript: URI, Firefox will redirect to the javascript: URI. If an
attacker could inject a Refresh header into a server
response, or could control the value that a site places in
the Refresh header, they could use this vulnerability to
perform an XSS attack and execute arbitrary JavaScript within the
context of that site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1312
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-26q8-bbpg-5fgk |
|
| 14 |
| url |
VCID-2a9n-tz4u-jyep |
| vulnerability_id |
VCID-2a9n-tz4u-jyep |
| summary |
Ian Graham of Citrix Online reported that when multiple
Location headers were present in a redirect response
Mozilla behavior differed from other browsers: Mozilla would use the second
Location header while Chrome and Internet Explorer would use
the first. Two copies of this header with different values could be a symptom
of a CRLF injection attack against a vulnerable server. Most commonly it is
the Location header itself that is vulnerable to the response
splitting and therefore the copy preferred by Mozilla is more likely to be
the malicious one. It is possible, however, that the first copy was the
injected one depending on the nature of the server vulnerability.
The Mozilla browser engine has been changed to treat two copies of this
header with different values as an error condition. The same has been done
with the headers Content-Length and Content-Disposition. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3000
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2a9n-tz4u-jyep |
|
| 15 |
| url |
VCID-2b7j-hzma-nbfb |
| vulnerability_id |
VCID-2b7j-hzma-nbfb |
| summary |
Security researcher Kaspar Brand found a flaw in how the
Network Security Services (NSS) ASN.1 decoder handles zero length items. Effects
of this issue depend on the field. One known symptom is an unexploitable crash
in handling OCSP responses. NSS also mishandles zero-length basic constraints,
assuming default values for some types that should be rejected as malformed.
These issues have been addressed in NSS 3.13.4, which is now being used by
Mozilla. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0441
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2b7j-hzma-nbfb |
|
| 16 |
| url |
VCID-2bc6-1f4c-fkag |
| vulnerability_id |
VCID-2bc6-1f4c-fkag |
| summary |
Mozilla security researcher moz_bug_r_a4 reports that
by using an appropriately wrapped object it was possible to bypass the fix
for
MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability
to perform cross-site scripting attacks against arbitrary sites as in the
original MFSA 2007-19 attack. Due to unrelated changes in the browser engine
used by Firefox 3.6, attacks in that version are limited to capturing keystroke
events from a cross-origin frame or window rather than full DOM access.
Those events might be sufficient to illicitly obtain passwords
or other sensitive information entered into web forms.
Thunderbird does not allow JavaScript to run in mail
messages, but users who open web content (such as RSS feeds, or other
content through add-ons) could be at risk. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0171
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2bc6-1f4c-fkag |
|
| 17 |
| url |
VCID-2e82-n7c1-5kc3 |
| vulnerability_id |
VCID-2e82-n7c1-5kc3 |
| summary |
Marius Schilder of Google Security reported that
when an XMLHttpRequest is made to a same-origin resource
which 302 redirects to a resource in a different domain, the response
from the cross-domain resource is readable by the site issuing the
XHR. Cookies marked HttpOnly were not readable, but
other potentially sensitive data could be revealed in the XHR response
including URL parameters and content in the response body. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5506
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2e82-n7c1-5kc3 |
|
| 18 |
| url |
VCID-2j5j-gpjs-ubfp |
| vulnerability_id |
VCID-2j5j-gpjs-ubfp |
| summary |
Matt Haggard reported that
the statusText property of an XMLHttpRequest
object is readable by the requester even when the request is made
across origins. This status information reveals the presence of a web
server and could be used to gather information about servers on
internal private networks. This issue was also independently reported to Mozilla
by Nicholas Berthaume. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2764
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2j5j-gpjs-ubfp |
|
| 19 |
| url |
VCID-2pzu-trgn-cfgj |
| vulnerability_id |
VCID-2pzu-trgn-cfgj |
| summary |
Mozilla security researcher moz_bug_r_a4 reported that
the problem described in MFSA 2011-43 and fixed in
Firefox 7 also affected Firefox 3.6: a malicious page could potentially
exploit a Firefox user who had installed an add-on that used loadSubscript
in vulnerable ways. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3647
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2pzu-trgn-cfgj |
|
| 20 |
| url |
VCID-2r2b-3wt6-wuh2 |
| vulnerability_id |
VCID-2r2b-3wt6-wuh2 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
a series of vulnerabilities in which objects that normally receive
an XPCCrossOriginWrapper are constructed without the
wrapper. This can lead to cases where JavaScript from one website may
unsafely access properties of such an object which had been set by a
different website. A malicious website could use this vulnerability
to launch an XSS attack and run arbitrary JavaScript within the context
of another site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2472
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2r2b-3wt6-wuh2 |
|
| 21 |
|
| 22 |
| url |
VCID-2u4r-fn32-n7d3 |
| vulnerability_id |
VCID-2u4r-fn32-n7d3 |
| summary |
Security researcher Mariusz Mlynski reported that when a
page opens a new tab, a subsequent window can then be opened that can be
navigated to about:newtab, a chrome privileged page. Once
about:newtab is loaded, the special context can potentially be used
to escalate privilege, allowing for arbitrary code execution on the local system
in a maliciously crafted attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3965
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2u4r-fn32-n7d3 |
|
| 23 |
| url |
VCID-2vaj-7wrh-juhc |
| vulnerability_id |
VCID-2vaj-7wrh-juhc |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting three additional use-after-free and out of bounds read flaws introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5829
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2vaj-7wrh-juhc |
|
| 24 |
| url |
VCID-3149-34hy-pqds |
| vulnerability_id |
VCID-3149-34hy-pqds |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2007-3073
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3149-34hy-pqds |
|
| 25 |
| url |
VCID-36bj-gja7-gkch |
| vulnerability_id |
VCID-36bj-gja7-gkch |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0166
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-36bj-gja7-gkch |
|
| 26 |
| url |
VCID-37t5-vgwu-yqe1 |
| vulnerability_id |
VCID-37t5-vgwu-yqe1 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3995
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-37t5-vgwu-yqe1 |
|
| 27 |
| url |
VCID-3ap9-a2as-q7hd |
| vulnerability_id |
VCID-3ap9-a2as-q7hd |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0462
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ap9-a2as-q7hd |
|
| 28 |
| url |
VCID-3bx3-fn1g-4kbh |
| vulnerability_id |
VCID-3bx3-fn1g-4kbh |
| summary |
Google security researcher Abhishek Arya used the Address
Sanitizer tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is caused
when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made
to call into objects in this array later. The second use-after-free problem is
in nsDocument::AdoptNode when it adopts into an empty document and then adopts
into another document, emptying the first one. The heap buffer overflow is in
ElementAnimations when data is read off the end of an array and then pointers are
dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called
with frames in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1952
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3bx3-fn1g-4kbh |
|
| 29 |
| url |
VCID-3cum-vygx-wfae |
| vulnerability_id |
VCID-3cum-vygx-wfae |
| summary |
Security researcher J23 reported via
TippingPoint's Zero Day Initiative that an array class used to store
CSS values contained an integer overflow vulnerability. The 16 bit
integer value used in allocating the size of the array could overflow,
resulting in too small a memory buffer being created. When the array
was later populated with CSS values, data would be written past the end
of the buffer, potentially resulting in the execution of
attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2752
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3cum-vygx-wfae |
|
| 30 |
| url |
VCID-3g7q-89gg-hkb5 |
| vulnerability_id |
VCID-3g7q-89gg-hkb5 |
| summary |
Mozilla developer Daniel Veditz reported that when
the jar: scheme is used to wrap a URI which serves the
content with Content-Disposition: attachment, the HTTP
header is ignored and the content is unpacked and displayed inline. A
site may depend on this HTTP header to prevent potentially untrusted
content that it serves from executing within the context of the site.
An attacker could use this vulnerability to subvert sites using this
mechanism to mitigate content injection attacks. This vulnerability has not been fixed on the Mozilla 1.8.1 branch,
which is used to build Firefox 2 and Thunderbird 2. However, note
that there are several mitigating factors which prevent easy
exploitation of this issue. In order for a website to be exploitable
it must: |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1306
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3g7q-89gg-hkb5 |
|
| 31 |
| url |
VCID-3gwb-npby-tbek |
| vulnerability_id |
VCID-3gwb-npby-tbek |
| summary |
Justin Schuh and Tom Cross of the
IBM X-Force and Peter Williams of IBM Watson Labs reported
errors in Mozilla URL parsing routines. These errors could be exploited
using a specially crafted UTF-8 URL in a hyperlink which could overflow
a stack buffer and allow an attacker to execute arbitrary code. Firefox 3 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0016
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3gwb-npby-tbek |
|
| 32 |
| url |
VCID-3jng-4mfe-q7a5 |
| vulnerability_id |
VCID-3jng-4mfe-q7a5 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1939
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3jng-4mfe-q7a5 |
|
| 33 |
| url |
VCID-3maa-g3v4-eqc4 |
| vulnerability_id |
VCID-3maa-g3v4-eqc4 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2465
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3maa-g3v4-eqc4 |
|
| 34 |
|
| 35 |
| url |
VCID-3qjw-kmzd-hubj |
| vulnerability_id |
VCID-3qjw-kmzd-hubj |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a
series of vulnerabilities by which page content can pollute
XPCNativeWrappers and have arbitrary code run with chrome privileges.
One variant reported by moz_bug_r_a4 only affected Firefox 2. Mozilla developer Olli Pettay reported that XSLT can
create documents which do not have script handling objects. moz_bug_r_a4
also reported that document.loadBindingDocument() returns a
document that does not have a script handling object. These issues could
also be used by an attacker to run arbitrary script with chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4058
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3qjw-kmzd-hubj |
|
| 36 |
| url |
VCID-3rmk-5j6r-sydb |
| vulnerability_id |
VCID-3rmk-5j6r-sydb |
| summary |
Mozilla developer Peter Van der Beken discovered that same-origin XrayWrappers expose chrome-only properties even when not in a chrome compartment. This can allow web content to get properties of DOM objects that are intended to be chrome-only.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4208
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3rmk-5j6r-sydb |
|
| 37 |
| url |
VCID-3rsc-9zzp-qfeh |
| vulnerability_id |
VCID-3rsc-9zzp-qfeh |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1937
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3rsc-9zzp-qfeh |
|
| 38 |
|
| 39 |
| url |
VCID-3uq6-mbus-sudu |
| vulnerability_id |
VCID-3uq6-mbus-sudu |
| summary |
Mateusz Jurczyk of the Google Security Team discovered an
off-by-one error in the OpenType Sanitizer using the Address Sanitizer tool.
This can lead to an out-of-bounds read and execution of an uninitialized
function pointer during parsing and possible remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3062
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3uq6-mbus-sudu |
|
| 40 |
| url |
VCID-413h-nkvf-wbck |
| vulnerability_id |
VCID-413h-nkvf-wbck |
| summary |
Mark Kaplan reported a potentially exploitable crash due to
integer underflow when using a large JavaScript RegExp expression.
We would also like to thank Mark for contributing the fix for this problem.
The Regular Expression engine was replaced in Firefox 4 and
the newer engine does not suffer from this bug. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2998
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-413h-nkvf-wbck |
|
| 41 |
| url |
VCID-43ch-bzjt-1ycr |
| vulnerability_id |
VCID-43ch-bzjt-1ycr |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3399
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-43ch-bzjt-1ycr |
|
| 42 |
| url |
VCID-43q7-k9by-2uhh |
| vulnerability_id |
VCID-43q7-k9by-2uhh |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3962
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-43q7-k9by-2uhh |
|
| 43 |
| url |
VCID-457x-cvps-5kbr |
| vulnerability_id |
VCID-457x-cvps-5kbr |
| summary |
Microsoft developer Dave Reed reported that certain
BOM characters are stripped from JavaScript code before it is executed.
This can cause code that would otherwise be treated as part of a quoted
string to be executed. The issue could potentially be used by an attacker
to bypass or evade script filters and perform a cross-site scripting (XSS)
attack. Chris Weber of Casaba Security independently
reported the same issue, noting that the same parsing problem affected
other attributes, such as the -moz-binding style property,
that could also be used to perform XSS attacks.
Security researcher Gareth Heyes reported an issue with the HTML parser in which the parser ignored certain low surrogate characters if they were HTML-escaped. This issue could potentially be used to bypass naive script filtering and used in an XSS attack. This issue only affected Firefox 2. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-4065
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-457x-cvps-5kbr |
|
| 44 |
| url |
VCID-477c-8h5g-nqha |
| vulnerability_id |
VCID-477c-8h5g-nqha |
| summary |
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5842
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-477c-8h5g-nqha |
|
| 45 |
| url |
VCID-479a-zv6z-2feu |
| vulnerability_id |
VCID-479a-zv6z-2feu |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5839
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-479a-zv6z-2feu |
|
| 46 |
| url |
VCID-47rg-f2g6-hyff |
| vulnerability_id |
VCID-47rg-f2g6-hyff |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1975
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-47rg-f2g6-hyff |
|
| 47 |
| url |
VCID-48bp-txah-9qbh |
| vulnerability_id |
VCID-48bp-txah-9qbh |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-2365
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-48bp-txah-9qbh |
|
| 48 |
| url |
VCID-48rt-hx1w-p7ct |
| vulnerability_id |
VCID-48rt-hx1w-p7ct |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0069
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-48rt-hx1w-p7ct |
|
| 49 |
| url |
VCID-4bey-3rug-uuev |
| vulnerability_id |
VCID-4bey-3rug-uuev |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the same-origin check in nsXMLDocument::OnChannelRedirect()
could be bypassed. This vulnerability could be used to execute JavaScript
in the context of a different website. Firefox 3 is not affected by this issue. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-3835
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4bey-3rug-uuev |
|
| 50 |
| url |
VCID-4ch9-f2dm-17f1 |
| vulnerability_id |
VCID-4ch9-f2dm-17f1 |
| summary |
Security researcher Masato Kinugawa found that during the
decoding of ISO-2022-KR and ISO-2022-CN character sets, characters near 1024
bytes are treated incorrectly, either doubling or deleting bytes. On certain
pages it might be possible for an attacker to pad the output of the page such
that these errors fall in the right place to affect the structure of the page,
allowing for cross-site script (XSS) injection. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0477
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4ch9-f2dm-17f1 |
|
| 51 |
| url |
VCID-4fs2-bedf-wbg3 |
| vulnerability_id |
VCID-4fs2-bedf-wbg3 |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1304
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4fs2-bedf-wbg3 |
|
| 52 |
| url |
VCID-4fvg-h8g2-uqhk |
| vulnerability_id |
VCID-4fvg-h8g2-uqhk |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-1211
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4fvg-h8g2-uqhk |
|
| 53 |
|
| 54 |
| url |
VCID-4khp-3yca-efa6 |
| vulnerability_id |
VCID-4khp-3yca-efa6 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4179
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4khp-3yca-efa6 |
|
| 55 |
| url |
VCID-4mej-pecf-mba2 |
| vulnerability_id |
VCID-4mej-pecf-mba2 |
| summary |
Firefox user zbyte reported a crash that we determined
could result in an exploitable memory corruption problem. In certain cases
after a return from a native function, such as escape(), the
Just-in-Time (JIT) compiler could get into a corrupt state. This could be
exploited by an attacker to run arbitrary code such as installing malware.
We would like to thank community members Lucas
Kruijswijk and Nochum Sossonko for isolating
the problematic script from the original crashing site.
This vulnerability does not affect earlier versions of Firefox which
do not support the JIT feature. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2477
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4mej-pecf-mba2 |
|
| 56 |
| url |
VCID-4q1f-9mtr-4ufm |
| vulnerability_id |
VCID-4q1f-9mtr-4ufm |
| summary |
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave an XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding, a crash will occur. This crash may be potentially exploitable.
Firefox 9 and earlier are not affected by this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0452
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4q1f-9mtr-4ufm |
|
| 57 |
| url |
VCID-4qgz-6wnq-s3b8 |
| vulnerability_id |
VCID-4qgz-6wnq-s3b8 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1948
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4qgz-6wnq-s3b8 |
|
| 58 |
| url |
VCID-4s1y-4wue-qkdj |
| vulnerability_id |
VCID-4s1y-4wue-qkdj |
| summary |
Chris Evans of the Chrome Security Team reported
that the XSLT generate-id() function returned a string that revealed
a specific valid address of an object on the memory heap. It is possible
that in some cases this address would be valuable information that could
be used by an attacker while exploiting a different memory corruption
bug, in order to make an exploit more reliable or work around mitigation
features in the browser or operating system. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-1202
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4s1y-4wue-qkdj |
|
| 59 |
| url |
VCID-4uw5-jy37-47g7 |
| vulnerability_id |
VCID-4uw5-jy37-47g7 |
| summary |
Mozilla upgraded several third party libraries used in media
rendering to address multiple memory safety and stability bugs
identified by members of the Mozilla community. Some of the bugs
discovered could potentially be used by an attacker to crash a
victim's browser and execute arbitrary code on their
computer. liboggz, libvorbis,
and liboggplay were all upgraded to address these
issues. Audio and video capabilities were added in Firefox 3.5
so prior releases of Firefox were not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3379
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4uw5-jy37-47g7 |
|
| 60 |
| url |
VCID-4vcw-dt9x-wqdd |
| vulnerability_id |
VCID-4vcw-dt9x-wqdd |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz for reporting two additional use-after-free and memory corruption issues introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5835
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4vcw-dt9x-wqdd |
|
| 61 |
| url |
VCID-4vst-t6ee-4yay |
| vulnerability_id |
VCID-4vst-t6ee-4yay |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1832
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4vst-t6ee-4yay |
|
| 62 |
| url |
VCID-4w5k-qnky-ybdy |
| vulnerability_id |
VCID-4w5k-qnky-ybdy |
| summary |
Security researcher Sergey Glazunov reported that
it was possible to access the locationbar property of
a window object after it had been closed. Since the
closed window's memory could have been subsequently
reused by the system it was possible that an attempt to access
the locationbar property could result in the execution of
attacker-controlled memory. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-3180
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4w5k-qnky-ybdy |
|
| 63 |
| url |
VCID-4wrh-r3y9-kyb2 |
| vulnerability_id |
VCID-4wrh-r3y9-kyb2 |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a select event handler for XUL
tree items could be called after the tree item was deleted. This
results in the execution of previously freed memory which an attacker
could use to crash a victim's browser and run arbitrary code on the
victim's computer. This vulnerability does not affect Firefox 3.6. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-0175
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4wrh-r3y9-kyb2 |
|
| 64 |
| url |
VCID-4yrw-kmpa-z7dz |
| vulnerability_id |
VCID-4yrw-kmpa-z7dz |
| summary |
Security researcher wushi of team509 reported that
when a XUL tree had an HTML <div> element nested inside a
<treechildren> element then code attempting to display content
in the XUL tree would incorrectly treat the <div> element as a
parent node to tree content underneath it resulting in incorrect
indexes being calculated for the child content. These incorrect
indexes were used in subsequent array operations which resulted in
writing data past the end of an allocated buffer. An attacker could
use this issue to crash a victim's browser and run arbitrary code on
their machine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3772
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4yrw-kmpa-z7dz |
|
| 65 |
| url |
VCID-53t6-ecve-13g2 |
| vulnerability_id |
VCID-53t6-ecve-13g2 |
| summary |
Mozilla community member Ms2ger reported a crash due to an
invalid cast when using the instanceof operator on certain types of JavaScript
objects. This can lead to a potentially exploitable crash.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3989
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-53t6-ecve-13g2 |
|
| 66 |
| url |
VCID-55j1-htng-9ydy |
| vulnerability_id |
VCID-55j1-htng-9ydy |
| summary |
Using the Address Sanitizer tool, security researcher Atte
Kettunen from OUSPG found a heap corruption in gfxImageSurface which
allows for invalid frees and possible remote code execution. This happens due to
float error, resulting from graphics values being passed through different
number systems. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0470
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-55j1-htng-9ydy |
|
| 67 |
| url |
VCID-58ej-gc1s-t7ha |
| vulnerability_id |
VCID-58ej-gc1s-t7ha |
| summary |
Security researcher Evgeny Legerov of Intevydis
reported that the WOFF decoder contains an integer overflow in a
font decompression routine. This flaw could result in too small a
memory buffer being allocated to store a downloadable font. An
attacker could use this vulnerability to crash a victim's browser
and execute arbitrary code on his/her system. Support for the WOFF downloadable font format
is new in Firefox 3.6 (Gecko 1.9.2); this vulnerability does not affect
products built on earlier versions of the Mozilla browser engine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1028
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-58ej-gc1s-t7ha |
|
| 68 |
| url |
VCID-58qe-8axq-u3ad |
| vulnerability_id |
VCID-58qe-8axq-u3ad |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that when content script which is running in a chrome context accesses
a content object via SJOW, the content code can gain access to an
object from the chrome scope and use that object to run arbitrary
JavaScript with chrome privileges. Firefox 3.5 and other Mozilla products built from
Gecko 1.9.1 were not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1215
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-58qe-8axq-u3ad |
|
| 69 |
| url |
VCID-5d21-y9nj-cqgm |
| vulnerability_id |
VCID-5d21-y9nj-cqgm |
| summary |
Mozilla added the OTS
font sanitizing library to prevent downloadable fonts from exposing
vulnerabilities in the underlying OS font code. This library mitigates
against several issues independently reported by Red Hat Security
Response Team member Marc Schoenefeld and Mozilla
security researcher Christoph Diehl. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3768
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5d21-y9nj-cqgm |
|
| 70 |
| url |
VCID-5d9g-kv5g-27d2 |
| vulnerability_id |
VCID-5d9g-kv5g-27d2 |
| summary |
Using the Address Sanitizer tool, security researcher Aki
Helin from OUSPG found that IDBKeyRange of indexedDB remains in the
XPConnect hashtable instead of being unlinked before being destroyed. When it is
destroyed, this causes a use-after-free, which is potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0469
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5d9g-kv5g-27d2 |
|
| 71 |
| url |
VCID-5e33-3pm6-b7e4 |
| vulnerability_id |
VCID-5e33-3pm6-b7e4 |
| summary |
Security researcher Alin Rad Pop of Secunia
Research reported that the HTML parser incorrectly freed used memory
when insufficient space was available to process remaining input.
Under such circumstances, memory occupied by in-use objects was freed
and could later be filled with attacker-controlled text. These
conditions could result in the execution of arbitrary code if methods
on the freed objects were subsequently called. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-1571
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5e33-3pm6-b7e4 |
|
| 72 |
| url |
VCID-5eu6-8wqn-8udn |
| vulnerability_id |
VCID-5eu6-8wqn-8udn |
| summary |
Security researchers Nicolas Grégoire and Aki
Helin independently reported that when processing a malformed
embedded XSLT stylesheet, Firefox can crash due to a memory corruption.
While there is no evidence that this is directly exploitable, there is
a possibility of remote code execution. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-0449
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5eu6-8wqn-8udn |
|
| 73 |
|
| 74 |
| url |
VCID-5jra-q7ve-d3h8 |
| vulnerability_id |
VCID-5jra-q7ve-d3h8 |
| summary |
Mozilla developers fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3652
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5jra-q7ve-d3h8 |
|
| 75 |
| url |
VCID-5mat-a9vu-nfff |
| vulnerability_id |
VCID-5mat-a9vu-nfff |
| summary |
Google security researcher Robert Swiecki reported
that functions used by the Gopher parser to convert text to HTML tags
could be exploited to turn text into executable JavaScript. If an
attacker could create a file or directory on a Gopher server with the
encoded script as part of its name the script would then run in a
victim's browser within the context of the site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3177
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5mat-a9vu-nfff |
|
| 76 |
| url |
VCID-5ms1-cy9k-2fdb |
| vulnerability_id |
VCID-5ms1-cy9k-2fdb |
| summary |
Mozilla developers identified and fixed two top crashing bugs in the
browser engine used in Firefox and other Mozilla-based products. These bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. The first of these bugs, a FreeType issue, is a mobile only issue which happens on custom kernels like Cyanogenmod, not on standard Android installations. The second bug is a websockets crash affecting Firefox 16 but not Firefox ESR. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4191
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ms1-cy9k-2fdb |
|
| 77 |
| url |
VCID-5p1r-wxng-wbaj |
| vulnerability_id |
VCID-5p1r-wxng-wbaj |
| summary |
Security researcher Scott Bell of Security-Assessment.com used the Address Sanitizer tool to discover a memory corruption in str_unescape in the JavaScript engine. This could potentially lead to arbitrary code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4204
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5p1r-wxng-wbaj |
|
| 78 |
| url |
VCID-5ppx-c568-kkc6 |
| vulnerability_id |
VCID-5ppx-c568-kkc6 |
| summary |
Security researcher Soroush Dalili reported that a
combination of invoking full screen mode and navigating backwards in history
could, in some circumstances, cause a hang or crash due to a timing dependent
use-after-free pointer reference. This crash may be potentially exploitable.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3988
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ppx-c568-kkc6 |
|
| 79 |
| url |
VCID-5px5-rt4z-b7fs |
| vulnerability_id |
VCID-5px5-rt4z-b7fs |
| summary |
Security researcher Arthur Gerkis used the Address Sanitizer
tool to find two issues involving Scalable Vector Graphics (SVG) files. The
first issue is a buffer overflow in Gecko's SVG filter code when the sum of two
values is too large to be stored as a signed 32-bit integer, causing the
function to write past the end of an array. The second issue is a use-after-free
when an element with a "requiredFeatures" attribute is moved between documents.
In that situation, the internal representation of the "requiredFeatures" value
could be freed prematurely. Both issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3969
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5px5-rt4z-b7fs |
|
| 80 |
| url |
VCID-5q44-hdc9-tqb1 |
| vulnerability_id |
VCID-5q44-hdc9-tqb1 |
| summary |
Security researcher Christian Holler reported that
the JavaScript engine's internal mapping of string values contained an
error in cases where the number of values being stored was above 64K.
In such cases an offset pointer was manually moved forwards and
backwards to access the larger address space. If an exception was
thrown between the time that the offset pointer was moved forward and
the time it was reset, then the exception object would be read from an
invalid memory address, potentially executing attacker-controlled
memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0056
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5q44-hdc9-tqb1 |
|
| 81 |
| url |
VCID-5ua9-4mhs-zkdj |
| vulnerability_id |
VCID-5ua9-4mhs-zkdj |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3981
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ua9-4mhs-zkdj |
|
| 82 |
| url |
VCID-5uyz-ue98-kkbt |
| vulnerability_id |
VCID-5uyz-ue98-kkbt |
| summary |
Marc Schoenefeld reported a crash when using Firebug
to profile a JavaScript file with many functions. It may be possible
to trigger this crash without the use of debugging APIs, and if so
this could be exploitable. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-3650
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5uyz-ue98-kkbt |
|
| 83 |
| url |
VCID-5v52-h1rp-13bx |
| vulnerability_id |
VCID-5v52-h1rp-13bx |
| summary |
Firefox prevents the dropping of javascript: links onto a frame
to prevent malicious sites from tricking users into performing cross-site
scripting (XSS) attacks on themselves. Security researcher Soroush
Dalili reported a way to bypass this protection. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-0455
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5v52-h1rp-13bx |
|
| 84 |
| url |
VCID-5vwk-nwpu-gfhw |
| vulnerability_id |
VCID-5vwk-nwpu-gfhw |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0062
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5vwk-nwpu-gfhw |
|
| 85 |
| url |
VCID-5x9v-qerc-37gg |
| vulnerability_id |
VCID-5x9v-qerc-37gg |
| summary |
Security researcher Aki Helin reported a crash
in the YARR regular expression library that could be triggered by
JavaScript in web content.
The YARR library was not used in older versions of
the Mozilla browser engine. This vulnerability does not affect
Firefox 3.6 or Thunderbird 3.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3661
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5x9v-qerc-37gg |
|
| 86 |
| url |
VCID-5xwh-7b2a-uydt |
| vulnerability_id |
VCID-5xwh-7b2a-uydt |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
vulnerabilities in the session-restore feature by which content could be
injected into an incorrect document storage location, including
storage locations for other domains. An attacker could utilize these
issues to violate the browser's same-origin policy and perform an XSS
attack while SessionStore data is being restored. moz_bug_r_a4 also reported that one variant could be used by an
attacker to run arbitrary JavaScript with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5513
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5xwh-7b2a-uydt |
|
| 87 |
| url |
VCID-61aa-8jww-jbb5 |
| vulnerability_id |
VCID-61aa-8jww-jbb5 |
| summary |
Security researcher Jordi Chancel reported that a
JPEG image could be constructed that would be decoded incorrectly,
causing data to be written past the end of a buffer created to store
the image. An attacker could potentially craft such an image that
would cause malicious code to be stored in memory and then later
executed on a victim's computer. Firefox 3.5 was not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0061
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-61aa-8jww-jbb5 |
|
| 88 |
| url |
VCID-6217-dck9-hqht |
| vulnerability_id |
VCID-6217-dck9-hqht |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in Mozilla's
implementation of NodeIterator in which a
malicious NodeFilter could be created which would detach
nodes from the DOM tree while it was being traversed. The use of a
detached and subsequently deleted node could result in the execution
of attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1209
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6217-dck9-hqht |
|
| 89 |
| url |
VCID-64g4-tpfq-7qf4 |
| vulnerability_id |
VCID-64g4-tpfq-7qf4 |
| summary |
Security researcher Martin Barbella reported that
under certain conditions, viewing a XUL document while JavaScript was
disabled caused deleted memory to be accessed. This flaw could
potentially be used by an attacker to crash a victim's browser and run
arbitrary code on their computer. XUL document support was disabled by default in
Firefox 4 and SeaMonkey 2.1 and users of those versions are not generally
at risk. It is possible for add-ons to re-enable the feature for specific
sites (for example, to support a legacy intranet XUL application) which would
have introduced this vulnerability while browsing those sites. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2373
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-64g4-tpfq-7qf4 |
|
| 90 |
| url |
VCID-6bkj-wqzq-5bgs |
| vulnerability_id |
VCID-6bkj-wqzq-5bgs |
| summary |
Security researcher Chris Rohlf of Matasano
Security reported that the implementation of the HTML frameset element
contained an integer overflow vulnerability. The code responsible for
parsing the frameset columns used an 8-byte counter for the column
numbers, so when a very large number of columns was passed in the
counter would overflow. When this counter was subsequently used to
allocate memory for the frameset, the memory buffer would be too
small, potentially resulting in a heap buffer overflow and execution
of attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2765
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6bkj-wqzq-5bgs |
|
| 91 |
| url |
VCID-6chh-16fh-p3a4 |
| vulnerability_id |
VCID-6chh-16fh-p3a4 |
| summary |
Security researcher O. Andersen reported that
undefined positions within various 8-bit character encodings are
mapped to the sequence U+FFFD which when displayed causes the
immediately following character to disappear from the text run. This
could potentially contribute to XSS problems on sites which expected
extra characters to be present within strings being sanitized on the
server. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1210
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6chh-16fh-p3a4 |
|
| 92 |
| url |
VCID-6cxk-w6ct-2qcp |
| vulnerability_id |
VCID-6cxk-w6ct-2qcp |
| summary |
Security researcher Sergey Glazunov reported a
dangling pointer vulnerability in the implementation
of navigator.plugins in which the navigator
object could retain a pointer to the plugins array even after it had
been destroyed. An attacker could potentially use this issue to crash
the browser and run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2767
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6cxk-w6ct-2qcp |
|
| 93 |
| url |
VCID-6ewf-t4h5-jyaf |
| vulnerability_id |
VCID-6ewf-t4h5-jyaf |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover two WebGL issues. The first issue is a use-after-free when WebGL
shaders are called after being destroyed. The second issue exposes a problem
with Mesa drivers on Linux, leading to a potentially exploitable crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3967
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6ewf-t4h5-jyaf |
|
| 94 |
| url |
VCID-6f2s-hecz-2yha |
| vulnerability_id |
VCID-6f2s-hecz-2yha |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that for
some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5501
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6f2s-hecz-2yha |
|
| 95 |
| url |
VCID-6m78-bdd6-vfgw |
| vulnerability_id |
VCID-6m78-bdd6-vfgw |
| summary |
Security researcher Gregory Fleischer reported
that when a Java LiveConnect script was loaded via
a data: URL which redirects via a meta refresh, then the
resulting plugin object was created with the wrong security principal
and thus received elevated privileges such as the abilities to read
local files, launch processes, and create network connections. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3775
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6m78-bdd6-vfgw |
|
| 96 |
|
| 97 |
| url |
VCID-6mxs-cd1d-qkh3 |
| vulnerability_id |
VCID-6mxs-cd1d-qkh3 |
| summary |
Web developer Cefn Hoile reported that sites which
allow users to embed third-party stylesheets are vulnerable to script
injection attacks using XBL bindings. While this behavior was
documented previously, it was determined that this particular risk was
not well-understood by some websites. To mitigate this risk Mozilla
added a restriction that requires XBL bindings to come from the same
origin as the bound document. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1308
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6mxs-cd1d-qkh3 |
|
| 98 |
| url |
VCID-6vvv-yczm-pue9 |
| vulnerability_id |
VCID-6vvv-yczm-pue9 |
| summary |
Dirk Heinrich reported that on Windows platforms
when document.write() was called with a very long string
a buffer overflow was caused in line breaking routines attempting to
process the string for display. Such cases triggered an invalid read
past the end of an array causing a crash which an attacker could
potentially use to run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3769
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6vvv-yczm-pue9 |
|
| 99 |
| url |
VCID-6w8d-f2v4-4bd4 |
| vulnerability_id |
VCID-6w8d-f2v4-4bd4 |
| summary |
Mozilla developer Bobby Holley reported that security wrappers filter at the time of property access, but once a function is returned, the caller can use this function without further security checks. This affects cross-origin wrappers, allowing for write actions on objects when only read actions should be properly allowed. This can lead to cross-site scripting (XSS) attacks.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5841
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6w8d-f2v4-4bd4 |
|
| 100 |
| url |
VCID-72a2-1hry-zqd5 |
| vulnerability_id |
VCID-72a2-1hry-zqd5 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Update (March 1, 2011): CVE-2010-3777 was
fixed in Firefox 3.5.17. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3776
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-72a2-1hry-zqd5 |
|
| 101 |
| url |
VCID-76dz-7sqa-fqdn |
| vulnerability_id |
VCID-76dz-7sqa-fqdn |
| summary |
Microsoft security researchers Shuo
Chen, Ziqing Mao, Yi-Min
Wang, and Ming Zhang reported that when a
CONNECT request is sent to a proxy server and a non-200 response is
returned, then the body of the response is incorrectly rendered
within the context of the request Host: header. An
active network attacker could use this vulnerability to intercept a
CONNECT request and reply with a non-200 response containing malicious
code which would be executed within the context of the victim's
requested SSL-protected domain. Since this attack requires the victim
to have a proxy configured, the severity of this issue was determined
to be high. Thunderbird mail messages are not vulnerable to this flaw,
but if Thunderbird were being used in a browser-like manner (through Add-ons,
perhaps) and JavaScript were enabled (not the default setting) then users could
be vulnerable to this flaw in older versions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1836
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-76dz-7sqa-fqdn |
|
| 102 |
| url |
VCID-76s6-dzts-b7b6 |
| vulnerability_id |
VCID-76s6-dzts-b7b6 |
| summary |
Google security researcher Michal Zalewski
reported two methods for spoofing the contents of the location bar.
The first method works by opening a new window containing a resource
that responds with an HTTP 204 (no content) and then using the
reference to the new window to insert HTML content into the blank
document. The second location bar spoofing method does not require that the
resource opened in a new window respond with 204, as long as the
opener calls window.stop() before the document is loaded.
In either case a user could be misled as to the correct location of
the document they are currently viewing. Security researcher Jordi Chancel reported that
the location bar could be spoofed to look like a secure page when the
current document was served via plaintext. The vulnerability is
triggered by a server by first redirecting a request for a plaintext
resource to another resource behind a valid SSL/TLS certificate. A
second request made to the original plaintext resource which is
responded to not with a redirect but with JavaScript
containing history.back()
and history.forward() will result in the plaintext
resource being displayed with valid SSL/TLS badging in the location
bar. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2751
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-76s6-dzts-b7b6 |
|
| 103 |
| url |
VCID-7aj6-mfpj-myb3 |
| vulnerability_id |
VCID-7aj6-mfpj-myb3 |
| summary |
Security researcher Mariusz Mlynski reported that when
InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper
(COW) that fails to specify exposed properties. These can then be added to the
resulting object by an attacker, allowing access to chrome privileged functions
through script.
While investigating this issue, Mozilla security researcher
moz_bug_r_a4 found that COW did not disallow accessing of
properties from a standard prototype in some situations, even when the original
issue had been fixed.
These issues could allow for a cross-site scripting (XSS) attack or arbitrary
code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4184
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7aj6-mfpj-myb3 |
|
| 104 |
| url |
VCID-7brb-puuf-fya8 |
| vulnerability_id |
VCID-7brb-puuf-fya8 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0072
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7brb-puuf-fya8 |
|
| 105 |
| url |
VCID-7dzj-wguk-j3bs |
| vulnerability_id |
VCID-7dzj-wguk-j3bs |
| summary |
Morten Kråkvik of Telenor SOC reported an exploit
targeting particular versions of Firefox 3.6 on Windows XP that
Telenor found while investigating an intrusion attempt on a customer
network. The underlying vulnerability, however, was present on both
the Firefox 3.5 and Firefox 3.6 development branches and affected all
supported platforms. Reading mail in Thunderbird does not pose a risk to
users; however, the vulnerability is present and could be triggered in
RSS feeds if JavaScript is enabled or by an add-on that enables
browser-like functionality. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3765
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7dzj-wguk-j3bs |
|
| 106 |
| url |
VCID-7hxm-91q8-37de |
| vulnerability_id |
VCID-7hxm-91q8-37de |
| summary |
An anonymous security researcher reported via TippingPoint's Zero
Day Initiative that insufficient checks were being performed to test
whether the Flash module was properly dynamically unloaded.
The researcher demonstrated that a SWF file which dynamically unloads
itself from an outside JavaScript function can cause the browser to access
a memory address no longer mapped to the Flash module, resulting in a
crash. This crash could be used by an attacker to run arbitrary code
on a victim's computer. Firefox 3 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5013
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7hxm-91q8-37de |
|
| 107 |
| url |
VCID-7q2k-463k-ryg1 |
| vulnerability_id |
VCID-7q2k-463k-ryg1 |
| summary |
Security researchers Jordi Chancel and Eddy
Bordi reported that they could short-circuit page loads to show the
address of a different site than what is loaded in the window in the address bar.
Security researcher Chris McGowen independently reported the
same flaw, and further demonstrated that this could lead to loading scripts from
the attacker's site, leaving users vulnerable to cross-site scripting (XSS)
attacks. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0474
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7q2k-463k-ryg1 |
|
| 108 |
| url |
VCID-7q63-dfrh-wuh3 |
| vulnerability_id |
VCID-7q63-dfrh-wuh3 |
| summary |
Security researcher Mario Heiderich reported that
HTML-encoded entities were being improperly decoded when displayed
inside SVG elements. This could lead to XSS attacks on sites relying
on HTML encoding of user-supplied content. The inline SVG feature was introduced in the browser engine used
by Firefox 4 and SeaMonkey 2.1; the vulnerability does not affect earlier versions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2369
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7q63-dfrh-wuh3 |
|
| 109 |
| url |
VCID-7st2-j9h1-mfdg |
| vulnerability_id |
VCID-7st2-j9h1-mfdg |
| summary |
Mozilla developer Johnny Stenback discovered that several
methods of a feature used for testing (DOMWindowUtils) are not protected by
existing security checks, allowing these methods to be called through script by
web pages. This was addressed by adding the existing security checks to these
methods.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3986
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7st2-j9h1-mfdg |
|
| 110 |
| url |
VCID-7vd9-7uht-j3e7 |
| vulnerability_id |
VCID-7vd9-7uht-j3e7 |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that XUL <tree> objects could
be manipulated such that the setting of certain properties on the
object would trigger the removal of the tree from the DOM and cause
certain sections of deleted memory to be accessed. In products based on
Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer
this memory has been overwritten by a value that will cause an
unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5,
Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could
potentially use this vulnerability to crash a victim's browser and run
arbitrary code on their computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3168
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7vd9-7uht-j3e7 |
|
| 111 |
| url |
VCID-7vzr-cjqw-c3az |
| vulnerability_id |
VCID-7vzr-cjqw-c3az |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2462
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7vzr-cjqw-c3az |
|
| 112 |
|
| 113 |
| url |
VCID-7xf8-83su-tuet |
| vulnerability_id |
VCID-7xf8-83su-tuet |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2664
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7xf8-83su-tuet |
|
| 114 |
| url |
VCID-83vx-q5b9-pfax |
| vulnerability_id |
VCID-83vx-q5b9-pfax |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2375
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-83vx-q5b9-pfax |
|
| 115 |
| url |
VCID-84n5-7t1b-e3de |
| vulnerability_id |
VCID-84n5-7t1b-e3de |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG
implementation could result in an out-of-bounds memory access if
SVG elements were removed during a DOMAttrModified event handler.
This vulnerability does not affect products prior to Firefox 8
and SeaMonkey 2.5. Thunderbird 8 users would be vulnerable only if
using a browser-like feature that allowed scripts to run; users
are not at risk while reading mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3658
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-84n5-7t1b-e3de |
|
| 116 |
| url |
VCID-88qm-sqq1-g3ck |
| vulnerability_id |
VCID-88qm-sqq1-g3ck |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2376
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-88qm-sqq1-g3ck |
|
| 117 |
| url |
VCID-8ajm-cdtz-gbe6 |
| vulnerability_id |
VCID-8ajm-cdtz-gbe6 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue(). This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution.
Security researcher Gareth Heyes also blogged about a Firefox 16 only symptom that is fixed in the updated versions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4193
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8ajm-cdtz-gbe6 |
|
| 118 |
| url |
VCID-8bcy-rzxv-pbcy |
| vulnerability_id |
VCID-8bcy-rzxv-pbcy |
| summary |
Security researcher Gregory Fleischer reported
that local resources loaded via the file: protocol can
access any domain's cookies which have been saved on a user's machine.
Fleischer demonstrated that a local document's domain was being
calculated incorrectly from its URL. If a victim could be persuaded
to download a malicious file and then open that file in their browser,
the malicious file could then steal arbitrary cookies from the
victim's computer. Due to the interaction required for this attack,
the severity of the issue was determined to be moderate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1835
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8bcy-rzxv-pbcy |
|
| 119 |
| url |
VCID-8c5a-phhj-6kek |
| vulnerability_id |
VCID-8c5a-phhj-6kek |
| summary |
Security researcher Arthur Gerkis used the Address Sanitizer
tool to find two issues involving Scalable Vector Graphics (SVG) files. The
first issue is a buffer overflow in Gecko's SVG filter code when the sum of two
values is too large to be stored as a signed 32-bit integer, causing the
function to write past the end of an array. The second issue is a use-after-free
when an element with a "requiredFeatures" attribute is moved between documents.
In that situation, the internal representation of the "requiredFeatures" value
could be freed prematurely. Both issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3970
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8c5a-phhj-6kek |
|
| 120 |
| url |
VCID-8dat-6cwu-cbfh |
| vulnerability_id |
VCID-8dat-6cwu-cbfh |
| summary |
Security researcher Paul Stone reported that a
browser applet could be used to turn a simple mouse click into a
drag-and-drop action, potentially resulting in the unintended loading
of resources in a user's browser. This behavior could be used twice
in succession to first load a privileged chrome: URL in a
victim's browser, then load a malicious javascript: URL
on top of the same document resulting in arbitrary script execution
with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0178
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8dat-6cwu-cbfh |
|
| 121 |
| url |
VCID-8djv-agez-ekdf |
| vulnerability_id |
VCID-8djv-agez-ekdf |
| summary |
Security researcher Marc Schoenefeld reported that
a specially crafted font could be applied to a document and cause a
crash on Mac systems. The crash showed signs of memory corruption and
presumably could be used by an attacker to execute arbitrary code on a
victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2770
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8djv-agez-ekdf |
|
| 122 |
| url |
VCID-8f9d-wjv2-8kfj |
| vulnerability_id |
VCID-8f9d-wjv2-8kfj |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0174
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8f9d-wjv2-8kfj |
|
| 123 |
| url |
VCID-8gvs-b724-9yfd |
| vulnerability_id |
VCID-8gvs-b724-9yfd |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-6961
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8gvs-b724-9yfd |
|
| 124 |
| url |
VCID-8j92-vm1q-kqbk |
| vulnerability_id |
VCID-8j92-vm1q-kqbk |
| summary |
Security researcher Amit Klein reported that it
was possible to reverse engineer the value used to
seed Math.random(). Since the pseudo-random number
generator was only seeded once per browsing session, this seed value
could be used as a unique token to identify and track users across
different web sites. Update (October 27, 2010): After the Firefox 3.6.4
and Firefox 3.5.10 releases, Amit Klein reported that there was an
additional unfixed case where user tracking could occur using the
above-mentioned technique and a pop-up window or iframe that was
subsequently navigated by the user. This additional variant is
identified as CVE-2010-3171. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5913
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8j92-vm1q-kqbk |
|
| 125 |
| url |
VCID-8qn7-4rcc-v7bx |
| vulnerability_id |
VCID-8qn7-4rcc-v7bx |
| summary |
Security researcher vsemozhetbyt reported that when the
DOMParser is used to parse text/html data in a Firefox extension, linked
resources within this HTML data will be loaded. If the data being parsed in the
extension is untrusted, it could lead to information leakage and can
potentially be combined with other attacks to become exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3975
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8qn7-4rcc-v7bx |
|
| 126 |
| url |
VCID-8sxb-49bw-g3fn |
| vulnerability_id |
VCID-8sxb-49bw-g3fn |
| summary |
Security researcher Jonathan Morgan reported that
when a page loaded over an insecure protocol, such as http: or file:,
sets its document.location to a https: URL which
responds with a 204 status and empty response body, the insecure page
will receive SSL indicators near the location bar, but will not have
its page content modified in any way. This could lead to a user
believing they were on a secure page when in fact they were not. Security researcher Jordi Chancel reported an
issue similar to one fixed
in mfsa2009-44 in which a web page can
set document.location to a URL that can't be displayed
properly and then inject content into the resulting blank page. An
attacker could use this vulnerability to place a legitimate-looking
but invalid URL in the location bar and inject HTML and JavaScript
into the body of the page, resulting in a spoofing attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3984
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8sxb-49bw-g3fn |
|
| 127 |
|
| 128 |
| url |
VCID-8zph-aky5-aycp |
| vulnerability_id |
VCID-8zph-aky5-aycp |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz for reporting two additional use-after-free and memory corruption issues introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5838
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8zph-aky5-aycp |
|
| 129 |
| url |
VCID-94h3-jftn-tqg2 |
| vulnerability_id |
VCID-94h3-jftn-tqg2 |
| summary |
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5843
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-94h3-jftn-tqg2 |
|
| 130 |
| url |
VCID-94xc-pjbs-ckar |
| vulnerability_id |
VCID-94xc-pjbs-ckar |
| summary |
Mozilla community member Ms2ger found an image rendering
issue with WebGL when texImage2D uses JSVAL_TO_OBJECT on arbitrary objects.
This can lead to a crash on a maliciously crafted web page. While there is no
evidence that this is directly exploitable, there is a possibility of remote
code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0478
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-94xc-pjbs-ckar |
|
| 131 |
| url |
VCID-99nn-nb21-pyaz |
| vulnerability_id |
VCID-99nn-nb21-pyaz |
| summary |
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3982
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-99nn-nb21-pyaz |
|
| 132 |
| url |
VCID-9bde-enk3-9kbq |
| vulnerability_id |
VCID-9bde-enk3-9kbq |
| summary |
Security researcher Mariusz Mlynski reported an issue with
spoofing of the location property. In this issue, writes to
location.hash can be used in concert with scripted history
navigation to cause a specific website to be loaded into the history object. The
baseURI can then be changed to this stored site, allowing an attacker to inject
a script or intercept data posted to a location specified with a relative
path.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3992
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9bde-enk3-9kbq |
|
| 133 |
| url |
VCID-9d41-nsk6-sufx |
| vulnerability_id |
VCID-9d41-nsk6-sufx |
| summary |
Security researcher Hish reported that
the persist attribute in XUL elements can be used to
store cookie-like information on a user's computer which could later
be read by a website. This creates a privacy issue for users who have
a non-standard cookie preference and wish to prevent sites from
setting cookies on their machine. Even with cookies turned off, this
issue could be used by a website to write persistent data in a user's
browser and track the user across browsing sessions. Additionally,
this issue could allow a website to bypass the limits normally placed
on cookie size and number. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5505
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9d41-nsk6-sufx |
|
| 134 |
| url |
VCID-9f3w-zp9z-3yc7 |
| vulnerability_id |
VCID-9f3w-zp9z-3yc7 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3982
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9f3w-zp9z-3yc7 |
|
| 135 |
| url |
VCID-9f45-79mn-3ug8 |
| vulnerability_id |
VCID-9f45-79mn-3ug8 |
| summary |
Yosuke Hasegawa reported that the Mozilla browser engine
mishandled invalid sequences in the Shift-JIS encoding. When encountering an
invalid pair Mozilla would turn the entire two-byte sequence into a single
unknown character rather than an unknown character followed by a valid
single-byte character. On some sites attackers may have been able to
end their input with the first byte of a two-byte sequence; when that
input was later put into a page context it might cause the following
delimiter (such as a double-quote) to be consumed, breaking the format
of the page. Depending on the page this could potentially be used to
steal data or inject script into the page. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-3648
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9f45-79mn-3ug8 |
|
| 136 |
| url |
VCID-9fbv-p14w-quch |
| vulnerability_id |
VCID-9fbv-p14w-quch |
| summary |
Security researcher Chris Evans reported an error
in the method used to parse the default namespace in an E4X document.
The error was caused by quote characters in the namespace not being
properly escaped. The severity of this issue was determined to be
low. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5024
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9fbv-p14w-quch |
|
| 137 |
|
| 138 |
| url |
VCID-9km7-m142-abbt |
| vulnerability_id |
VCID-9km7-m142-abbt |
| summary |
Mozilla security researchers Jesse Ruderman
and Sid Stamm reported that when downloading a file
containing a right-to-left override character (RTL) in the filename,
the name displayed in the dialog title bar conflicts with the name of
the file shown in the dialog body. An attacker could use this
vulnerability to obfuscate the name and file extension of a file to be
downloaded and opened, potentially causing a user to run an executable
file when they expected to open a non-executable file. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3376
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9km7-m142-abbt |
|
| 139 |
| url |
VCID-9qs9-ys17-v3bg |
| vulnerability_id |
VCID-9qs9-ys17-v3bg |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0074
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9qs9-ys17-v3bg |
|
| 140 |
| url |
VCID-9ubz-x94a-w3dr |
| vulnerability_id |
VCID-9ubz-x94a-w3dr |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0167
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9ubz-x94a-w3dr |
|
| 141 |
| url |
VCID-9xyn-fzdn-3qen |
| vulnerability_id |
VCID-9xyn-fzdn-3qen |
| summary |
Security researcher Zach Hoffman reported that a
recursive call to eval() wrapped in
a try/catch statement places the browser into an
inconsistent state. Any dialog box opened in this state is displayed
without text and with non-functioning buttons. Closing the window
causes the dialog to evaluate to true. An attacker could use this
issue to force a user into accepting any dialog, such as one granting
elevated privileges to the page presenting the dialog. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0051
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9xyn-fzdn-3qen |
|
| 142 |
| url |
VCID-a1hg-12wv-a7h5 |
| vulnerability_id |
VCID-a1hg-12wv-a7h5 |
| summary |
Security researcher Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This issue is potentially exploitable and could lead to arbitrary code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4202
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a1hg-12wv-a7h5 |
|
| 143 |
| url |
VCID-a23w-uvk3-d7g8 |
| vulnerability_id |
VCID-a23w-uvk3-d7g8 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3381
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a23w-uvk3-d7g8 |
|
| 144 |
| url |
VCID-a28h-p654-8bgm |
| vulnerability_id |
VCID-a28h-p654-8bgm |
| summary |
Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes. Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-4067
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a28h-p654-8bgm |
|
| 145 |
| url |
VCID-a2pm-eupm-dfaq |
| vulnerability_id |
VCID-a2pm-eupm-dfaq |
| summary |
Mozilla community member Wladimir Palant reported
that XML documents were failing to call certain security checks when
loading new content. This could result in certain resources being
loaded that would otherwise violate security policies set by the
browser or installed add-ons. This issue has not been fixed in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0182
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a2pm-eupm-dfaq |
|
| 146 |
| url |
VCID-a59b-rr52-b3hs |
| vulnerability_id |
VCID-a59b-rr52-b3hs |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that for
some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5017
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a59b-rr52-b3hs |
|
| 147 |
| url |
VCID-a6uw-zff3-n3e6 |
| vulnerability_id |
VCID-a6uw-zff3-n3e6 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1938
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a6uw-zff3-n3e6 |
|
| 148 |
| url |
VCID-a85v-byy9-vqf7 |
| vulnerability_id |
VCID-a85v-byy9-vqf7 |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Drew Yao of Apple Product Security reported two crashes in Mozilla image rendering code. This vulnerability only affected Firefox 3. David Maciejak of Fortinet's FortiGuard Global Security
Research Team also reported a crash in graphics rendering which only
affected Firefox 3. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4064
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a85v-byy9-vqf7 |
|
| 149 |
| url |
VCID-a89m-g6m7-tqbr |
| vulnerability_id |
VCID-a89m-g6m7-tqbr |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1972
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a89m-g6m7-tqbr |
|
| 150 |
| url |
VCID-a8hd-tfek-8yfa |
| vulnerability_id |
VCID-a8hd-tfek-8yfa |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-1305
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a8hd-tfek-8yfa |
|
| 151 |
| url |
VCID-a97g-r4rk-sqb3 |
| vulnerability_id |
VCID-a97g-r4rk-sqb3 |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-1200
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a97g-r4rk-sqb3 |
|
| 152 |
| url |
VCID-a9xv-yc56-c3ca |
| vulnerability_id |
VCID-a9xv-yc56-c3ca |
| summary |
Using the Address Sanitizer tool, Mozilla security researcher
Christoph Diehl discovered two memory corruption issues
involving the Graphite 2 library used in Mozilla products. Both of these issues
can cause a potentially exploitable crash. These problems were fixed in the
Graphite 2 library, which has been updated for Mozilla products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3971
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a9xv-yc56-c3ca |
|
| 153 |
| url |
VCID-aa94-6k3c-gua9 |
| vulnerability_id |
VCID-aa94-6k3c-gua9 |
| summary |
Mozilla developers took fixes from previously fixed memory safety
bugs in newer Mozilla-based products and ported them to the Mozilla
1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey
1.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0163
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aa94-6k3c-gua9 |
|
| 154 |
| url |
VCID-aejk-rng6-r3dj |
| vulnerability_id |
VCID-aejk-rng6-r3dj |
| summary |
Mozilla developer Josh Soref of Nokia reported that
documents failed to call certain security checks when attempting to
preload images. Although the image content is not available to the page, it
is possible to specify protocols that are normally not allowed in a web page
such as file:. This includes internal schemes implemented by
add-ons that might perform privileged actions resulting in something like a
Cross-Site Request Forgery (CSRF) attack against the add-on. Potential severity
would depend on the add-ons installed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0168
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aejk-rng6-r3dj |
|
| 155 |
| url |
VCID-af65-mt6s-m7gm |
| vulnerability_id |
VCID-af65-mt6s-m7gm |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3071
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-af65-mt6s-m7gm |
|
| 156 |
|
| 157 |
| url |
VCID-aj7f-gyqy-c7d2 |
| vulnerability_id |
VCID-aj7f-gyqy-c7d2 |
| summary |
Security researcher Collin Jackson reported a violation of
the HTML5 specifications for document.domain behavior. Specified
behavior requires pages to only have access to windows in a new
document.domain but the observed violation allowed pages to retain
access to windows from the page's initial origin in addition to the new
document.domain. This could potentially lead to cross-site
scripting (XSS) attacks.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3985
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aj7f-gyqy-c7d2 |
|
| 158 |
| url |
VCID-an8x-4b2f-cket |
| vulnerability_id |
VCID-an8x-4b2f-cket |
| summary |
Mozilla security researcher moz_bug_r_a4 reported that if code executed by the evalInSandbox function sets location.href, it can get the wrong subject principal for the URL check, ignoring the sandbox's JavaScript context and gaining the context of the evalInSandbox object. This can lead to malicious web content being able to perform a cross-site scripting (XSS) attack or steal a copy of a local file if the user has installed an add-on vulnerable to this attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4201
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-an8x-4b2f-cket |
|
| 159 |
| url |
VCID-and6-s8wt-rkfc |
| vulnerability_id |
VCID-and6-s8wt-rkfc |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative the possibility of memory corruption during
the decoding of Ogg Vorbis files. This can cause a crash during decoding and has
the potential for remote code execution. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-0444
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-and6-s8wt-rkfc |
|
| 160 |
| url |
VCID-ane4-965q-wfh8 |
| vulnerability_id |
VCID-ane4-965q-wfh8 |
| summary |
Security researcher Robert Kugler reported that when a specifically named DLL file on a Windows computer is placed in the default downloads directory with the Firefox installer, the Firefox installer will load this DLL when it is launched. In circumstances where the installer is run by an administrator privileged account, this allows for the downloaded DLL file to be run with administrator privileges. This can lead to arbitrary code execution from a privileged account.
Additional vulnerable DLL file names were found and fixed in Firefox 18.0, Firefox ESR 17.0.1, and Firefox ESR 10.0.12 releases. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4206
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ane4-965q-wfh8 |
|
| 161 |
| url |
VCID-ap5q-gg9g-43fb |
| vulnerability_id |
VCID-ap5q-gg9g-43fb |
| summary |
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-3837
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ap5q-gg9g-43fb |
|
| 162 |
| url |
VCID-arxf-63u9-bbhw |
| vulnerability_id |
VCID-arxf-63u9-bbhw |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2007-2671
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-arxf-63u9-bbhw |
|
| 163 |
|
| 164 |
| url |
VCID-atd3-6j8b-4ygt |
| vulnerability_id |
VCID-atd3-6j8b-4ygt |
| summary |
Security researcher Atte Kettunen from OUSPG reported
several heap memory corruption issues found using the Address Sanitizer tool.
These issues are potentially exploitable, allowing for remote code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4188
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-atd3-6j8b-4ygt |
|
| 165 |
| url |
VCID-atww-ctz6-23fg |
| vulnerability_id |
VCID-atww-ctz6-23fg |
| summary |
Security researcher Atte Kettunen from OUSPG reported
several heap memory corruption issues found using the Address Sanitizer tool.
These issues are potentially exploitable, allowing for remote code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4186
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-atww-ctz6-23fg |
|
| 166 |
| url |
VCID-auq4-xkn6-3fc9 |
| vulnerability_id |
VCID-auq4-xkn6-3fc9 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3380
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-auq4-xkn6-3fc9 |
|
| 167 |
| url |
VCID-avuv-znfu-wff5 |
| vulnerability_id |
VCID-avuv-znfu-wff5 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3069
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-avuv-znfu-wff5 |
|
| 168 |
| url |
VCID-awgw-xs6s-pufr |
| vulnerability_id |
VCID-awgw-xs6s-pufr |
| summary |
Mozilla developer Boris Zbarsky reported that XBL
bindings could be used to read data from other domains, a violation
of the same-origin policy. The severity of this issue was determined
to be moderate due to several mitigating factors: |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-5503
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-awgw-xs6s-pufr |
|
| 169 |
| url |
VCID-ax4n-ycz1-2kfk |
| vulnerability_id |
VCID-ax4n-ycz1-2kfk |
| summary |
Security Researcher Matt McCutchen reported a
clickjacking attack using the certificate warning page. A man-in-the-middle
(MITM) attacker can use an iframe to display its own certificate error warning
page (about:certerror) with the "Add Exception" button of a real warning page
from a malicious site. This can mislead users into adding a certificate exception
for a different site than the perceived one. This can lead to compromised
communications with the user-perceived site through the MITM attack once the
certificate exception has been added. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1964
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ax4n-ycz1-2kfk |
|
| 170 |
| url |
VCID-aykv-pwdn-rkb6 |
| vulnerability_id |
VCID-aykv-pwdn-rkb6 |
| summary |
Mozilla developers identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-0159
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aykv-pwdn-rkb6 |
|
| 171 |
| url |
VCID-azf5-cjq7-6uc1 |
| vulnerability_id |
VCID-azf5-cjq7-6uc1 |
| summary |
Michael Jordon of Context IS reported that in the ANGLE
library used by WebGL the return value from GrowAtomTable()
was not checked for errors. If an attacker could cause requests that
exceeded the available memory those would fail and potentially lead
to a buffer overrun as subsequent code wrote into the non-allocated space.
Ben Hawkes of the Google Security Team reported a WebGL
test case that demonstrated an out of bounds write after an allocation failed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3002
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azf5-cjq7-6uc1 |
|
| 172 |
| url |
VCID-azu7-x774-kfdz |
| vulnerability_id |
VCID-azu7-x774-kfdz |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0771
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azu7-x774-kfdz |
|
| 173 |
| url |
VCID-b31y-7bzb-9ufb |
| vulnerability_id |
VCID-b31y-7bzb-9ufb |
| summary |
Security researcher Jeremy Brown reported that the
file naming scheme used for downloading a file which already exists in
the downloads folder is predictable. If an attacker had local access
to a victim's computer and knew the name of a file the victim intended
to open through the Download Manager, he could use this vulnerability
to place a malicious file in the world-writable directory used to save
temporary downloaded files and cause the browser to choose the
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability was
determined to be low. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3274
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b31y-7bzb-9ufb |
|
| 174 |
| url |
VCID-b3p1-qqys-9udq |
| vulnerability_id |
VCID-b3p1-qqys-9udq |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0443
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b3p1-qqys-9udq |
|
| 175 |
| url |
VCID-b7t8-kqn7-jfcm |
| vulnerability_id |
VCID-b7t8-kqn7-jfcm |
| summary |
Mozilla developers identified and fixed two top crashing bugs in the
browser engine used in Firefox and other Mozilla-based products. These bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. The first of these bugs, a FreeType issue, is a mobile-only issue which happens on custom kernels like Cyanogenmod, not on standard Android installations. The second bug is a websockets crash affecting Firefox 16 but not Firefox ESR. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4190
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b7t8-kqn7-jfcm |
|
| 176 |
| url |
VCID-bb7c-gufb-ybat |
| vulnerability_id |
VCID-bb7c-gufb-ybat |
| summary |
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1970
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bb7c-gufb-ybat |
|
| 177 |
| url |
VCID-bc4u-zpu7-bbgx |
| vulnerability_id |
VCID-bc4u-zpu7-bbgx |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz for reporting two additional use-after-free and memory corruption issues introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5830
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bc4u-zpu7-bbgx |
|
| 178 |
| url |
VCID-bcbh-azrk-fqe7 |
| vulnerability_id |
VCID-bcbh-azrk-fqe7 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. These vulnerabilities did not affect the older browser engine used
prior to Firefox 4. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3660
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bcbh-azrk-fqe7 |
|
| 179 |
| url |
VCID-bdw1-fw83-q7ac |
| vulnerability_id |
VCID-bdw1-fw83-q7ac |
| summary |
Security researcher Guido Landi discovered that an
XSL stylesheet could be used to crash the browser during an XSL
transformation. An attacker could potentially use this crash to run
arbitrary code on a victim's computer. This vulnerability was also previously reported as a stability
problem by Ubuntu community member, Andre. Ubuntu
community member Michael Rooney reported Andre's
findings to Mozilla, and Mozilla community member Martin
helped reduce Andre's original testcase and contributed a patch to fix
the vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1169
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bdw1-fw83-q7ac |
|
| 180 |
| url |
VCID-beyj-rs2t-8kgv |
| vulnerability_id |
VCID-beyj-rs2t-8kgv |
| summary |
Mozilla security researcher moz_bug_r_a4 reported that
an internal privilege check failed to respect the NoWaiverWrappers introduced
with Firefox 4. This could result in elevated privilege being granted to web content. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3655
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-beyj-rs2t-8kgv |
|
| 181 |
| url |
VCID-bez8-mm4d-pqf3 |
| vulnerability_id |
VCID-bez8-mm4d-pqf3 |
| summary |
Security researcher Amit Klein reported that it
was possible to reverse engineer the value used to
seed Math.random(). Since the pseudo-random number
generator was only seeded once per browsing session, this seed value
could be used as a unique token to identify and track users across
different web sites. Update (October 27, 2010): After the Firefox 3.6.4
and Firefox 3.5.10 releases, Amit Klein reported that there was an
additional unfixed case where user tracking could occur using the
above-mentioned technique and a pop-up window or iframe that was
subsequently navigated by the user. This additional variant is
identified as CVE-2010-3171. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3171
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bez8-mm4d-pqf3 |
|
| 182 |
| url |
VCID-bf3g-e7fs-t3g4 |
| vulnerability_id |
VCID-bf3g-e7fs-t3g4 |
| summary |
Bjoern Hoehrmann and security researcher Moxie
Marlinspike independently reported
that Unicode box drawing characters were allowed in Internationalized
Domain Names (IDN) where they could be visually confused with
punctuation used in valid web addresses. This could be combined with
a phishing-type scam to trick a victim into thinking they were on a
different website than they actually were. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0652
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bf3g-e7fs-t3g4 |
|
| 183 |
|
| 184 |
| url |
VCID-bhha-rf3c-dkdn |
| vulnerability_id |
VCID-bhha-rf3c-dkdn |
| summary |
Mozilla security researcher Georgi Guninski
reported that a website could use nsIRDFService and a
cross-domain redirect to steal arbitrary XML data from another domain,
a violation of the same-origin policy. This vulnerability could be
used by a malicious website to steal private data from users
authenticated to the redirected website. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-0776
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bhha-rf3c-dkdn |
|
| 185 |
| url |
VCID-bhv2-kaa4-u3hr |
| vulnerability_id |
VCID-bhv2-kaa4-u3hr |
| summary |
A memory corruption flaw leading to code execution was reported by
security researcher Nils of MWR InfoSecurity during the
2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative.
By moving DOM nodes between documents Nils found a case where the moved
node incorrectly retained its old scope. If garbage collection could
be triggered at the right time then Firefox would later use this freed
object. The contest winning exploit only affects Firefox 3.6
and not earlier versions. Updated (June 22, 2010): Firefox 3.5, SeaMonkey 2.0, and
Thunderbird 3.0 based on earlier versions of the browser
engine were patched just in case there
is an alternate way of triggering the underlying flaw. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1121
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bhv2-kaa4-u3hr |
|
| 186 |
| url |
VCID-bkqh-bg7u-mug1 |
| vulnerability_id |
VCID-bkqh-bg7u-mug1 |
| summary |
Microsoft Vulnerability Research reported that two
plugin instances could interact in a way in which one plugin gets a
reference to an object owned by a second plugin and continues to hold
that reference after the second plugin is unloaded and its object is
destroyed. In these cases, the first plugin would contain a pointer
to freed memory which, if accessed, could be used by an attacker to
execute arbitrary code on a victim's computer. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-1198
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bkqh-bg7u-mug1 |
|
| 187 |
| url |
VCID-bmcs-22gj-nbeq |
| vulnerability_id |
VCID-bmcs-22gj-nbeq |
| summary |
Security researcher Frédéric Hoguin reported two related
issues with the decoding of bitmap (.BMP) format images embedded in icon (.ICO)
format files. When processing a negative "height" header value for the bitmap
image, a memory corruption can be induced, allowing an attacker to write random
memory and cause a crash. This crash may be potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3966
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bmcs-22gj-nbeq |
|
| 188 |
| url |
VCID-bqd9-snzc-b7fj |
| vulnerability_id |
VCID-bqd9-snzc-b7fj |
| summary |
An integer overflow in the libpng library can lead to a heap-buffer
overflow when decompressing certain PNG images. This leads to a
crash, which may be potentially exploitable. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-3026
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bqd9-snzc-b7fj |
|
| 189 |
| url |
VCID-brj2-m46s-5yb8 |
| vulnerability_id |
VCID-brj2-m46s-5yb8 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2466
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-brj2-m46s-5yb8 |
|
| 190 |
| url |
VCID-bs5a-44n6-tug1 |
| vulnerability_id |
VCID-bs5a-44n6-tug1 |
| summary |
Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4210
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bs5a-44n6-tug1 |
|
| 191 |
| url |
VCID-bt4y-zzfb-3kbc |
| vulnerability_id |
VCID-bt4y-zzfb-3kbc |
| summary |
Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers to cause a denial of service (application crash) via a URI for a large GIF image in the BACKGROUND attribute of a BODY element. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2044
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bt4y-zzfb-3kbc |
|
| 192 |
| url |
VCID-bv7y-5uve-5ffk |
| vulnerability_id |
VCID-bv7y-5uve-5ffk |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0080
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bv7y-5uve-5ffk |
|
| 193 |
| url |
VCID-bvph-4hqk-u3ah |
| vulnerability_id |
VCID-bvph-4hqk-u3ah |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5840
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bvph-4hqk-u3ah |
|
| 194 |
| url |
VCID-bw9h-t8jr-zfac |
| vulnerability_id |
VCID-bw9h-t8jr-zfac |
| summary |
Michael Jordon of Context IS reported that in the ANGLE
library used by WebGL the return value from GrowAtomTable()
was not checked for errors. If an attacker could cause requests that
exceeded the available memory those would fail and potentially lead
to a buffer overrun as subsequent code wrote into the non-allocated space.
Ben Hawkes of the Google Security Team reported a WebGL
test case that demonstrated an out of bounds write after an allocation failed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3003
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bw9h-t8jr-zfac |
|
| 195 |
| url |
VCID-c141-m4yb-zkf3 |
| vulnerability_id |
VCID-c141-m4yb-zkf3 |
| summary |
Security researcher David James reported that a
content window which is opened by a chrome window retains a reference
to the chrome window via the window.opener property. Using
this reference, content in the new window can access functions
inside the chrome window, such as eval, and use these
functions to run arbitrary JavaScript code with chrome privileges. In
a stock Mozilla browser a remote attacker cannot cause these application
dialogs to appear nor to automatically load the attack code that takes advantage
of this flaw in window.opener. There may be add-ons which open
potentially hostile web-content in this way, and combined with such an add-on the
severity of this flaw could be upgraded to Critical. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3986
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c141-m4yb-zkf3 |
|
| 196 |
| url |
VCID-c3mx-m2ka-s7fm |
| vulnerability_id |
VCID-c3mx-m2ka-s7fm |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3959
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c3mx-m2ka-s7fm |
|
| 197 |
| url |
VCID-c6uk-gmwa-87e8 |
| vulnerability_id |
VCID-c6uk-gmwa-87e8 |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0773
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c6uk-gmwa-87e8 |
|
| 198 |
| url |
VCID-c7cm-h81n-6fhj |
| vulnerability_id |
VCID-c7cm-h81n-6fhj |
| summary |
Security researcher Martin Barbella reported via
TippingPoint's Zero Day Initiative that an XSLT node sorting routine
contained an integer overflow vulnerability. In cases where one of
the nodes to be sorted contained a very large text value, the integer
used to allocate a memory buffer to store its value would overflow,
resulting in too small a buffer being created. An attacker could use
this vulnerability to write data past the end of the buffer, causing
the browser to crash and potentially running arbitrary code on a
victim's computer. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-1199
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c7cm-h81n-6fhj |
|
| 199 |
| url |
VCID-c81m-9s68-zbgx |
| vulnerability_id |
VCID-c81m-9s68-zbgx |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-3176
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c81m-9s68-zbgx |
|
| 200 |
| url |
VCID-cats-tmkd-pbf3 |
| vulnerability_id |
VCID-cats-tmkd-pbf3 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3169
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cats-tmkd-pbf3 |
|
| 201 |
| url |
VCID-cb3n-ay7x-aff4 |
| vulnerability_id |
VCID-cb3n-ay7x-aff4 |
| summary |
Security researcher Takehiro Takahashi of the IBM
X-Force reported that Mozilla's NTLM implementation was vulnerable to
reflection attacks in which NTLM credentials from one application
could be forwarded to another arbitrary application via the browser.
If an attacker could get a user to visit a web page he controlled he
could force NTLM authenticated requests to be forwarded to another
application on behalf of the user. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3983
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cb3n-ay7x-aff4 |
|
| 202 |
| url |
VCID-cd4g-54yc-bqhd |
| vulnerability_id |
VCID-cd4g-54yc-bqhd |
| summary |
Perl developer Chip Salzenberg reported that
certain control characters, when placed at the beginning of a URL,
would lead to incorrect parsing resulting in a malformed URL being
output by the parser. IBM researchers Justin Schuh,
Tom Cross, and Peter William also
reported a related symptom as part of their research that resulted in
MFSA 2008-37.
There was no direct security impact from this issue and its effect
was limited to the improper rendering of hyperlinks containing
specific characters. The severity of this issue was determined to be
low. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-5508
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cd4g-54yc-bqhd |
|
| 203 |
| url |
VCID-cfnb-jsaa-a3g2 |
| vulnerability_id |
VCID-cfnb-jsaa-a3g2 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0075
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cfnb-jsaa-a3g2 |
|
| 204 |
| url |
VCID-chve-znmf-w7at |
| vulnerability_id |
VCID-chve-znmf-w7at |
| summary |
Mozilla developers took fixes from previously fixed memory safety
bugs in newer Mozilla-based products and ported them to the Mozilla
1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey
1.1. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3075
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-chve-znmf-w7at |
|
| 205 |
| url |
VCID-ckwu-zacg-d3bj |
| vulnerability_id |
VCID-ckwu-zacg-d3bj |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1974
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ckwu-zacg-d3bj |
|
| 206 |
| url |
VCID-ct5t-awyq-8udv |
| vulnerability_id |
VCID-ct5t-awyq-8udv |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that an XBL binding, when attached to an unloaded document, can be
used to violate the same-origin policy and execute arbitrary
JavaScript within the context of a different website. moz_bug_r_a4 also reported two vulnerabilities by which page
content can pollute XPCNativeWrappers and run arbitrary JavaScript with
chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-5511
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ct5t-awyq-8udv |
|
| 207 |
| url |
VCID-ctgf-gs1u-wygc |
| vulnerability_id |
VCID-ctgf-gs1u-wygc |
| summary |
An anonymous researcher, via TippingPoint's Zero Day Initiative
program, reported a vulnerability in Mozilla's garbage collection
process. The vulnerability was caused by improper memory management
of a set of cloned XUL DOM elements which were linked as a parent and
child. After reloading the browser on a page with such linked
elements, the browser would crash when attempting to access an object
which was already destroyed. An attacker could use this crash to run
arbitrary code on the victim's computer. This vulnerability does not affect Firefox 2,
Thunderbird 2, or released versions of SeaMonkey. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0775
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ctgf-gs1u-wygc |
|
| 208 |
| url |
VCID-cv76-zkt8-87e3 |
| vulnerability_id |
VCID-cv76-zkt8-87e3 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2464
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cv76-zkt8-87e3 |
|
| 209 |
|
| 210 |
| url |
VCID-czbz-3q9u-e3dy |
| vulnerability_id |
VCID-czbz-3q9u-e3dy |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0068
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-czbz-3q9u-e3dy |
|
| 211 |
| url |
VCID-d18j-gp7z-kyfd |
| vulnerability_id |
VCID-d18j-gp7z-kyfd |
| summary |
Mariusz Mlynski reported that if you could convince
a user to hold down the Enter key--as part of a game or test,
perhaps--a malicious page could pop up a download dialog where the held
key would then activate the default Open action. For some file types this
would be merely annoying (the equivalent of a pop-up) but other file
types have powerful scripting capabilities. And this would provide an
avenue for an attacker to exploit a vulnerability in applications not
normally exposed to potentially hostile internet content.
Mariusz also reported a similar flaw with manual plugin installation
using the PLUGINSPAGE attribute. It was possible to create
an internal error that suppressed a confirmation dialog, such that holding
enter would lead to the installation of an arbitrary add-on. (This variant
did not affect Firefox 3.6) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2372
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d18j-gp7z-kyfd |
|
| 212 |
| url |
VCID-d2bp-jqx3-9kb3 |
| vulnerability_id |
VCID-d2bp-jqx3-9kb3 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3382
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d2bp-jqx3-9kb3 |
|
| 213 |
| url |
VCID-d964-8bnu-7qdb |
| vulnerability_id |
VCID-d964-8bnu-7qdb |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that for
some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5502
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d964-8bnu-7qdb |
|
| 214 |
| url |
VCID-d9m2-xqje-s7am |
| vulnerability_id |
VCID-d9m2-xqje-s7am |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1828
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d9m2-xqje-s7am |
|
| 215 |
| url |
VCID-d9xx-kdwq-6fgg |
| vulnerability_id |
VCID-d9xx-kdwq-6fgg |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3979
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d9xx-kdwq-6fgg |
|
| 216 |
| url |
VCID-dcjk-caxq-a3g3 |
| vulnerability_id |
VCID-dcjk-caxq-a3g3 |
| summary |
Security researcher Orlando Berrera of Sec Theory
reported that recursive creation of JavaScript web-workers can be used
to create a set of objects whose memory could be freed prior to their
use. These conditions often result in a crash which could potentially
be used by an attacker to run arbitrary code on a victim's
computer. Web Workers were introduced in Firefox 3.5 so this
vulnerability did not affect earlier releases such as Firefox 3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3371
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dcjk-caxq-a3g3 |
|
| 217 |
| url |
VCID-depk-81ux-wua9 |
| vulnerability_id |
VCID-depk-81ux-wua9 |
| summary |
Security researcher Nils of MWR InfoSecurity
reported that the routine for setting the text value for certain types
of DOM nodes contained an integer overflow vulnerability. When a very
long string was passed to this routine, the integer value used in
creating a new memory buffer to hold the string would overflow,
resulting in too small a buffer being allocated. An attacker could
use this vulnerability to write data past the end of the buffer,
causing a crash and potentially running arbitrary code on a victim's
computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1196
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-depk-81ux-wua9 |
|
| 218 |
| url |
VCID-desa-fpt9-8qaa |
| vulnerability_id |
VCID-desa-fpt9-8qaa |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a method used
by JSON.stringify contained a use-after-free error in
which a currently in-use pointer was freed and subsequently
dereferenced. This could lead to arbitrary code execution if an
attacker was able to store malicious code in the freed section of
memory. Mozilla developer Igor Bukanov also independently
discovered and reported this issue two weeks after the initial
report was received. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0055
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-desa-fpt9-8qaa |
|
| 219 |
| url |
VCID-dfx3-vhn9-fkbh |
| vulnerability_id |
VCID-dfx3-vhn9-fkbh |
| summary |
Security researcher Bill Keese reported a memory corruption.
This is caused by JSDependentString::undepend changing a dependent string into a
fixed string when there are additional dependent strings relying on the same
base. When the undepend occurs during conversion, the base data is freed,
leaving other dependent strings with dangling pointers. This can lead to a
potentially exploitable crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1962
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dfx3-vhn9-fkbh |
|
| 220 |
| url |
VCID-dk9z-4a47-67g9 |
| vulnerability_id |
VCID-dk9z-4a47-67g9 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that it was possible for a non-whitelisted site to trigger an install
dialog for add-ons and themes. This vulnerability was introduced in the browser engine used
by Firefox 4 and SeaMonkey 2.1; it does not affect earlier versions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2370
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dk9z-4a47-67g9 |
|
| 221 |
| url |
VCID-dnur-7qxp-g7g1 |
| vulnerability_id |
VCID-dnur-7qxp-g7g1 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1976
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dnur-7qxp-g7g1 |
|
| 222 |
| url |
VCID-dwfw-frsy-tfcr |
| vulnerability_id |
VCID-dwfw-frsy-tfcr |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-0461
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dwfw-frsy-tfcr |
|
| 223 |
| url |
VCID-dzph-njyd-1qeu |
| vulnerability_id |
VCID-dzph-njyd-1qeu |
| summary |
Security researcher Liu Die Yu of
TopsecTianRongXin reported that locally saved .url shortcut files
could be used to read information stored in the local cache. An
attacker could use this vulnerability to steal information from a
victim's browser cache if they were able to get the victim to download
two separate files, a .url shortcut and an HTML file. Given the
relative complexity of this attack, the severity of the issue was
determined to be moderate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4582
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dzph-njyd-1qeu |
|
| 224 |
| url |
VCID-e1zc-uz7j-vqgf |
| vulnerability_id |
VCID-e1zc-uz7j-vqgf |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that code used to normalize a
document contained a logical flaw that could be leveraged to run
arbitrary code. When the normalization code ran, a static count of
the document's child nodes was used in the traversal, so a page could
be constructed that would remove DOM nodes during this normalization
which could lead to the accessing of a deleted object and potentially
the execution of attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2766
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e1zc-uz7j-vqgf |
|
| 225 |
| url |
VCID-e2zn-rn59-gyfv |
| vulnerability_id |
VCID-e2zn-rn59-gyfv |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the BrowserFeedWriter could be leveraged to run
JavaScript code from web content with elevated privileges. Using this
vulnerability, an attacker could construct an object containing
malicious JavaScript and cause the FeedWriter to process the object,
running the malicious code with chrome privileges. Thunderbird does not support
the BrowserFeedWriter object and is not vulnerable in its
default configuration. Thunderbird might be vulnerable if the user has
installed any add-on which adds a similarly implemented feature and
then enables JavaScript in mail messages. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3079
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e2zn-rn59-gyfv |
|
| 226 |
| url |
VCID-e5dd-61fv-efe7 |
| vulnerability_id |
VCID-e5dd-61fv-efe7 |
| summary |
Mozilla community member Matias Juntunen discovered an error
in WebGLBuffer where FindMaxElementInSubArray receives wrong template arguments
from FindMaxUshortElement. This bug causes maximum index to be computed
incorrectly within WebGL.drawElements, allowing the reading of illegal video
memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0473
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e5dd-61fv-efe7 |
|
| 227 |
| url |
VCID-e8gx-6nqq-xbcx |
| vulnerability_id |
VCID-e8gx-6nqq-xbcx |
| summary |
Security researcher Simone Fabiano reported that if a
cross-site XHR or WebSocket is opened on a web server on a non-standard port for
web traffic while using an IPv6 address, the browser will send an ambiguous
origin header if the IPv6 address contains at least 2 consecutive 16-bit fields
of zeroes. If there is an origin access control list that uses IPv6 literals,
this issue could be used to bypass these access controls on the server. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0475
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e8gx-6nqq-xbcx |
|
| 228 |
| url |
VCID-e921-wz2n-cycp |
| vulnerability_id |
VCID-e921-wz2n-cycp |
| summary |
Security researcher Atte Kettunen from OUSPG reported
several heap memory corruption issues found using the Address Sanitizer tool.
These issues are potentially exploitable, allowing for remote code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4187
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e921-wz2n-cycp |
|
| 229 |
| url |
VCID-ea8w-cmzd-hqan |
| vulnerability_id |
VCID-ea8w-cmzd-hqan |
| summary |
Security researcher Soroush Dalili reported that
the resource: protocol could be exploited to allow directory traversal
on Windows and the potential loading of resources from non-permitted
locations. The impact would depend on whether interesting files existed
in predictable locations in a useful format. For example, the existence
or non-existence of particular images might indicate whether certain
software was installed. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0071
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ea8w-cmzd-hqan |
|
| 230 |
| url |
VCID-ec9h-nv75-tkc6 |
| vulnerability_id |
VCID-ec9h-nv75-tkc6 |
| summary |
Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse the current location to plugins, allowing for possible cross-site scripting (XSS) attacks.
Update October 9, 2012: This advisory was updated to reflect the fact that bug 756719 was also fixed in ESR 10.0.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1956
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ec9h-nv75-tkc6 |
|
| 231 |
| url |
VCID-eftp-v3k7-xkct |
| vulnerability_id |
VCID-eftp-v3k7-xkct |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3960
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eftp-v3k7-xkct |
|
| 232 |
| url |
VCID-embn-ntxv-73bh |
| vulnerability_id |
VCID-embn-ntxv-73bh |
| summary |
Mozilla developer Justin Dolske reported that the new
asynchronous Authorization Prompt (HTTP username and password) was not
always attached to the correct window. Although we have not
demonstrated this, it may be possible for a malicious page to convince
a user to open a new tab or popup to a trusted service and then have
the HTTP authorization prompt from the malicious page appear to be
the login prompt for the trusted page. This potential attack is greatly
mitigated by the fact that very few web sites use HTTP authorization,
preferring instead to use web forms and cookies. This issue does not affect older versions of Firefox or
products based on the Mozilla browser engine, such as Thunderbird and
SeaMonkey, using an older version of the engine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0172
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-embn-ntxv-73bh |
|
| 233 |
| url |
VCID-ermf-rt9s-duhy |
| vulnerability_id |
VCID-ermf-rt9s-duhy |
| summary |
Mozilla developer Bobby Holley found that same-compartment
security wrappers (SCSW) can be bypassed by passing them to another compartment.
Cross-compartment wrappers often do not go through SCSW, but have a filtering
policy built into them. When an object is wrapped cross-compartment, the SCSW is
stripped off and, when the object is read back, it is not known that SCSW
was previously present, resulting in a bypassing of SCSW. This could result in
untrusted content having access to the XBL that implements browser
functionality. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1959
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ermf-rt9s-duhy |
|
| 234 |
| url |
VCID-ess5-nmfb-kygw |
| vulnerability_id |
VCID-ess5-nmfb-kygw |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0079
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ess5-nmfb-kygw |
|
| 235 |
| url |
VCID-ez55-uvz6-gfh8 |
| vulnerability_id |
VCID-ez55-uvz6-gfh8 |
| summary |
Security researcher Mariusz Mlynski reported an issue with
spoofing of the location property. In this issue, calls to history.forward and
history.back are used to navigate to a site while displaying the previous site
in the addressbar but changing the baseURI to the newer site. This can be used
for phishing by allowing the user to input form or other data on the newer,
attacking, site while appearing to be on the older, displayed site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1955
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ez55-uvz6-gfh8 |
|
| 236 |
| url |
VCID-f5qs-usvq-7ygn |
| vulnerability_id |
VCID-f5qs-usvq-7ygn |
| summary |
Security researcher Roberto Suggi Liverani
reported that ParanoidFragmentSink, a class used to
sanitize potentially unsafe HTML for display,
allows javascript: URLs and other inline JavaScript when
the embedding document is a chrome document. While there are no
unsafe uses of this class in any released products, extension code
could have potentially used it in an unsafe manner. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1585
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f5qs-usvq-7ygn |
|
| 237 |
| url |
VCID-f7b5-ehbj-m7eq |
| vulnerability_id |
VCID-f7b5-ehbj-m7eq |
| summary |
Google security researcher Michal Zalewski
reported that when a window was opened to a site resulting in a
network or certificate error page, the opening site could access the
document inside the opened window and inject arbitrary content. An
attacker could use this bug to spoof the location bar and trick a user
into thinking they were on a different site than they actually
were. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3774
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f7b5-ehbj-m7eq |
|
| 238 |
| url |
VCID-fj5e-3c6k-2qc7 |
| vulnerability_id |
VCID-fj5e-3c6k-2qc7 |
| summary |
Security researcher David Bloom reported that the
browser's session restore feature can be used to violate the
same-origin policy and run JavaScript in the context of another site.
Any otherwise unexploitable crash can be used to force the user into the
session restore state. Mozilla security researcher moz_bug_r_a4 demonstrated that
this vulnerability could also be used by an attacker to run arbitrary
JavaScript with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5019
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fj5e-3c6k-2qc7 |
|
| 239 |
| url |
VCID-fjd2-qz3j-quct |
| vulnerability_id |
VCID-fjd2-qz3j-quct |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-0442
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fjd2-qz3j-quct |
|
| 240 |
| url |
VCID-fjza-kzrj-h7bf |
| vulnerability_id |
VCID-fjza-kzrj-h7bf |
| summary |
Mozilla developers fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3654
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fjza-kzrj-h7bf |
|
| 241 |
| url |
VCID-fkcd-dn21-k3aa |
| vulnerability_id |
VCID-fkcd-dn21-k3aa |
| summary |
Alex Miller reported that when very long strings
were constructed and inserted into an HTML document, the browser would
incorrectly construct the layout objects used to display the text.
Under such conditions an incorrect length would be calculated for a
text run resulting in too small of a memory buffer being allocated to
store the text. This issue could be used by an attacker to write data
past the end of the buffer and execute malicious code on a victim's
computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0058
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fkcd-dn21-k3aa |
|
| 242 |
| url |
VCID-fm6v-97ps-qkb1 |
| vulnerability_id |
VCID-fm6v-97ps-qkb1 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3175
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fm6v-97ps-qkb1 |
|
| 243 |
| url |
VCID-fmxb-m3xe-y7hd |
| vulnerability_id |
VCID-fmxb-m3xe-y7hd |
| summary |
Anne van Kesteren of Opera Software found a
multi-octet encoding issue where certain octets will destroy the following
octets in the processing of some multibyte character sets. This can leave users
vulnerable to cross-site scripting (XSS) attacks on maliciously crafted web
pages. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0471
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fmxb-m3xe-y7hd |
|
| 244 |
| url |
VCID-fnqu-d93p-nyht |
| vulnerability_id |
VCID-fnqu-d93p-nyht |
| summary |
Google security researcher Abhishek Arya used the Address
Sanitizer tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is caused
when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made
to call into objects in this array later. The second use-after-free problem is
in nsDocument::AdoptNode when it adopts into an empty document and then adopts
into another document, emptying the first one. The heap buffer overflow is in
ElementAnimations when data is read off the end of an array and then pointers are
dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called
with frames in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1954
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fnqu-d93p-nyht |
|
| 245 |
| url |
VCID-fshd-5yva-8yc8 |
| vulnerability_id |
VCID-fshd-5yva-8yc8 |
| summary |
Justin Schuh of the IBM X-Force reported a flaw in
the way Mozilla parses the http-index-format MIME type. By sending a
specially crafted 200 header line in the HTTP index response, an
attacker can cause the browser to crash and run arbitrary code on the
victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0017
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fshd-5yva-8yc8 |
|
| 246 |
| url |
VCID-fu4j-atx7-p3by |
| vulnerability_id |
VCID-fu4j-atx7-p3by |
| summary |
Mozilla community member Alice White reported that when the
GetProperty function is invoked through JSAPI, security checking
can be bypassed when getting cross-origin properties. This potentially allowed
for arbitrary code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3991
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fu4j-atx7-p3by |
|
| 247 |
| url |
VCID-fw1w-z9qg-2uef |
| vulnerability_id |
VCID-fw1w-z9qg-2uef |
| summary |
Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below.
Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4196
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fw1w-z9qg-2uef |
|
| 248 |
|
| 249 |
| url |
VCID-fwmk-3y43-hyhv |
| vulnerability_id |
VCID-fwmk-3y43-hyhv |
| summary |
Andrej Andolsek reported that when Firefox
receives a reply from a SOCKS5 proxy which contains a DNS name longer
than 15 characters, the subsequent data stream in the response can
become corrupted. There was no evidence of memory corruption,
however, and the severity of the issue was determined to be low. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2470
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fwmk-3y43-hyhv |
|
| 250 |
| url |
VCID-g214-2v75-dfd2 |
| vulnerability_id |
VCID-g214-2v75-dfd2 |
| summary |
Security researchers Mario Gomes and Soroush
Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1965
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g214-2v75-dfd2 |
|
| 251 |
| url |
VCID-g2cj-8shy-uqcc |
| vulnerability_id |
VCID-g2cj-8shy-uqcc |
| summary |
Security researcher Abhishek Arya of Google used the Address
Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in conversion
from Unicode to native character sets when the function fails. The
use-after-free occurs in nsFrameList when working with column layout with
absolute positioning in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is resized on a page with
nested columns and a combination of absolute and relative positioning. All three
of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1941
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g2cj-8shy-uqcc |
|
| 252 |
| url |
VCID-g7fv-ggv2-aqhn |
| vulnerability_id |
VCID-g7fv-ggv2-aqhn |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the DOM attribute
cloning routine where under certain circumstances an event attribute
node can be deleted while another object still contains a reference to
it. This reference could subsequently be accessed, potentially
causing the execution of attacker controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1208
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g7fv-ggv2-aqhn |
|
| 253 |
| url |
VCID-g8pv-awkj-5bh8 |
| vulnerability_id |
VCID-g8pv-awkj-5bh8 |
| summary |
Security researcher echo reported that a web page
could open a window with an about:blank location and then inject an
<isindex> element into that page which upon submission would
redirect to a chrome: document. The effect of this defect was that
the original page would wind up with a reference to a
chrome-privileged object, the opened window, which could be leveraged
for privilege escalation attacks. Mozilla security researcher moz_bug_r_a4 provided
proof-of-concept code demonstrating how the above vulnerability could
be used to run arbitrary code with chrome privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3771
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g8pv-awkj-5bh8 |
|
| 254 |
| url |
VCID-g8ty-gg8e-nug5 |
| vulnerability_id |
VCID-g8ty-gg8e-nug5 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4181
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g8ty-gg8e-nug5 |
|
| 255 |
| url |
VCID-g9e6-nygw-wydy |
| vulnerability_id |
VCID-g9e6-nygw-wydy |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4216
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g9e6-nygw-wydy |
|
| 256 |
| url |
VCID-gb3u-y5z4-hyb7 |
| vulnerability_id |
VCID-gb3u-y5z4-hyb7 |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover a use-after-free in the IME State Manager code. This could lead to a
potentially exploitable crash.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3990
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gb3u-y5z4-hyb7 |
|
| 257 |
|
| 258 |
| url |
VCID-gesr-3egw-kydd |
| vulnerability_id |
VCID-gesr-3egw-kydd |
| summary |
Google security researcher Chris Evans reported
that data can be read across domains by injecting bogus CSS selectors
into a target site and then retrieving the data using JavaScript APIs.
If an attacker can inject opening and closing portions of a CSS
selector into points A and B of a target page, then the region between
the two injection points becomes readable to JavaScript through, for
example, the getComputedStyle() API. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0654
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gesr-3egw-kydd |
|
| 259 |
| url |
VCID-gm28-kdg7-bbgm |
| vulnerability_id |
VCID-gm28-kdg7-bbgm |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3383
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gm28-kdg7-bbgm |
|
| 260 |
| url |
VCID-gqcx-9dd1-y7ev |
| vulnerability_id |
VCID-gqcx-9dd1-y7ev |
| summary |
Google security researcher Abhishek Arya used the Address
Sanitizer tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is caused
when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made
to call into objects in this array later. The second use-after-free problem is
in nsDocument::AdoptNode when it adopts into an empty document and then adopts
into another document, emptying the first one. The heap buffer overflow is in
ElementAnimations when data is read off the end of an array and then pointers are
dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called
with frames in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1953
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gqcx-9dd1-y7ev |
|
| 261 |
| url |
VCID-gsqx-hgzq-77a3 |
| vulnerability_id |
VCID-gsqx-hgzq-77a3 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that it is possible to create a document whose URI does not match the
document's principal using XMLHttpRequest. This type of
mismatch leads to incorrect results in principal-based security
checks. An attacker could use this vulnerability to execute arbitrary
JavaScript within the context of another site. moz_bug_r_a4 separately reported
that XPCNativeWrapper.toString's
__proto__ comes from the wrong scope which results in
calls to that function being executed in the wrong context in certain
circumstances. An attacker could use this vulnerability to run
arbitrary code within the context of a different site. Alternatively,
if chrome were to call content.toString.call(), then
attacker-defined functions could be run with chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1309
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gsqx-hgzq-77a3 |
|
| 262 |
| url |
VCID-h14f-dndv-g3db |
| vulnerability_id |
VCID-h14f-dndv-g3db |
| summary |
Mozilla developers took fixes from previously fixed memory safety
bugs in newer Mozilla-based products and ported them to the Mozilla
1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey
1.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3072
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h14f-dndv-g3db |
|
| 263 |
| url |
VCID-h2c2-87br-k7h9 |
| vulnerability_id |
VCID-h2c2-87br-k7h9 |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2007-2436
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h2c2-87br-k7h9 |
|
| 264 |
| url |
VCID-h2zb-y8qu-rkhm |
| vulnerability_id |
VCID-h2zb-y8qu-rkhm |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a nsDOMAttribute
node can be modified without informing the iterator object responsible
for various DOM traversals. This flaw could lead to an inconsistent
state where the iterator points to an object it believes is part of
the DOM but actually points to some other object. If such an object
had been deleted and its memory reclaimed by the system, then the
iterator could be used to call into attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3766
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h2zb-y8qu-rkhm |
|
| 265 |
|
| 266 |
| url |
VCID-h3nn-6nww-fubf |
| vulnerability_id |
VCID-h3nn-6nww-fubf |
| summary |
Security researcher Karthikeyan Bhargavan of Prosecco at
INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP
violation reports generated by Firefox and sent to the "report-uri" location
include sensitive data within the "blocked-uri" parameter. These include
fragment components and query strings even if the "blocked-uri" parameter has a
different origin than the protected resource. This can be used to retrieve a
user's OAuth 2.0 access tokens and OpenID credentials by malicious sites. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1963
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h3nn-6nww-fubf |
|
| 267 |
| url |
VCID-h632-fbq3-uqh5 |
| vulnerability_id |
VCID-h632-fbq3-uqh5 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4182
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h632-fbq3-uqh5 |
|
| 268 |
| url |
VCID-hb8p-k984-2bbb |
| vulnerability_id |
VCID-hb8p-k984-2bbb |
| summary |
Security researcher David Bloom of Cue discovered that
<select> elements are always-on-top chromeless windows and
that navigation away from a page with an active <select> menu
does not remove this window. When another menu is opened programmatically on a
new page, the original <select> menu can be retained and
arbitrary HTML content within it rendered, allowing an attacker to cover
arbitrary portions of the new page through absolute positioning/scrolling,
leading to spoofing attacks. Security researcher Jordi Chancel
found a variation that would allow for click-jacking attacks as well.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3984
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hb8p-k984-2bbb |
|
| 269 |
| url |
VCID-hcjp-8k4f-fuhf |
| vulnerability_id |
VCID-hcjp-8k4f-fuhf |
| summary |
Security researcher Alexander Miller reported that
passing an excessively long string to document.write
could cause text rendering routines to end up in an inconsistent state
with sections of stack memory being overwritten with the string data.
An attacker could use this flaw to crash a victim's browser and
potentially run arbitrary code on their computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3179
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hcjp-8k4f-fuhf |
|
| 270 |
| url |
VCID-hdy1-ad14-9bdr |
| vulnerability_id |
VCID-hdy1-ad14-9bdr |
| summary |
Daniel Kozlowski reported that a
JavaScript Worker could be used to keep a reference to an
object that could be freed during garbage collection. Subsequent
calls through this deleted reference could cause attacker-controlled
memory to be executed on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0057
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdy1-ad14-9bdr |
|
| 271 |
| url |
VCID-heem-dnwk-ufby |
| vulnerability_id |
VCID-heem-dnwk-ufby |
| summary |
Google developer Tony Payne reported an out of bounds (OOB)
read in QCMS, Mozilla’s color management library. With a carefully crafted color profile, portions of a user's memory could be incorporated into a transformed image and possibly deciphered. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1960
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-heem-dnwk-ufby |
|
| 272 |
| url |
VCID-hfwt-3n83-8yaz |
| vulnerability_id |
VCID-hfwt-3n83-8yaz |
| summary |
Security researcher Prateek Saxena reported that a
malicious MozSearch plugin could be created using a javascript: URI in
the SearchForm value. This URI is used as the default
landing page when an empty search is performed. If an attacker could
get a user to install the malicious plugin and perform an empty
search, the SearchForm javascript: URI would be executed
within the context of the currently open page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1310
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hfwt-3n83-8yaz |
|
| 273 |
|
| 274 |
| url |
VCID-hnqn-9dyg-fyaf |
| vulnerability_id |
VCID-hnqn-9dyg-fyaf |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1202
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hnqn-9dyg-fyaf |
|
| 275 |
| url |
VCID-hpes-a26j-eubg |
| vulnerability_id |
VCID-hpes-a26j-eubg |
| summary |
magicant starmen reported that if a user chooses to
export their Firefox Sync key the "Firefox Recovery Key.html" file is
saved with incorrect permissions, making the file contents potentially
readable by other users on Linux and OS X systems.
Firefox 3.6 is not affected by this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0450
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hpes-a26j-eubg |
|
| 276 |
| url |
VCID-hq8b-hhzz-zyag |
| vulnerability_id |
VCID-hq8b-hhzz-zyag |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0077
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hq8b-hhzz-zyag |
|
| 277 |
|
| 278 |
| url |
VCID-huw3-d12r-6yb5 |
| vulnerability_id |
VCID-huw3-d12r-6yb5 |
| summary |
Security researcher Yosuke Hasegawa reported that
the Web Worker method importScripts can read and parse
resources from other domains even when the content is not valid
JavaScript. This is a violation of the same-origin policy and could
be used by an attacker to steal information from other sites. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1213
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-huw3-d12r-6yb5 |
|
| 279 |
| url |
VCID-hvvv-dc2z-r7ed |
| vulnerability_id |
VCID-hvvv-dc2z-r7ed |
| summary |
Mozilla upgraded several third party libraries used in media
rendering to address multiple memory safety and stability bugs
identified by members of the Mozilla community. Some of the bugs
discovered could potentially be used by an attacker to crash a
victim's browser and execute arbitrary code on their
computer. liboggz, libvorbis,
and liboggplay were all upgraded to address these
issues. Audio and video capabilities were added in Firefox 3.5
so prior releases of Firefox were not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3378
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hvvv-dc2z-r7ed |
|
| 280 |
| url |
VCID-hw8a-1fyr-5uda |
| vulnerability_id |
VCID-hw8a-1fyr-5uda |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3074
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hw8a-1fyr-5uda |
|
| 281 |
| url |
VCID-hx1c-5urc-q7ar |
| vulnerability_id |
VCID-hx1c-5urc-q7ar |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0078
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hx1c-5urc-q7ar |
|
| 282 |
| url |
VCID-hxra-yff9-r3fr |
| vulnerability_id |
VCID-hxra-yff9-r3fr |
| summary |
Mozilla developer Daniel Holbert reported that the
fix to the plugin parameter array crash that was fixed in Firefox
3.6.7 caused a crash showing signs of memory corruption. In certain
circumstances, properties in the plugin instance's parameter array
could be freed prematurely leaving a dangling pointer that the plugin
could execute, potentially calling into attacker-controlled
memory. Firefox 3.5.11 was also affected by the regression
but the equivalent pointer was always initialized to NULL and
not exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2755
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hxra-yff9-r3fr |
|
| 283 |
|
| 284 |
| url |
VCID-j2te-qzzx-kkay |
| vulnerability_id |
VCID-j2te-qzzx-kkay |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0467
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j2te-qzzx-kkay |
|
| 285 |
| url |
VCID-j5hf-agzm-8bfj |
| vulnerability_id |
VCID-j5hf-agzm-8bfj |
| summary |
Mozilla developer Bas Schouten reported that the
introduction of the "Azure" graphics back-end on Windows in Firefox 7
re-introduced the cross-origin data theft issue reported by
nasalislarvatus3000 as described in
MFSA 2011-29. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3649
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j5hf-agzm-8bfj |
|
| 286 |
| url |
VCID-j86k-vcuv-5uhe |
| vulnerability_id |
VCID-j86k-vcuv-5uhe |
| summary |
Mozilla upgraded several third party libraries used in media
rendering to address multiple memory safety and stability bugs
identified by members of the Mozilla community. Some of the bugs
discovered could potentially be used by an attacker to crash a
victim's browser and execute arbitrary code on their
computer. liboggz, libvorbis,
and liboggplay were all upgraded to address these
issues. Audio and video capabilities were added in Firefox 3.5
so prior releases of Firefox were not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3377
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j86k-vcuv-5uhe |
|
| 287 |
| url |
VCID-jh6n-bau7-byhg |
| vulnerability_id |
VCID-jh6n-bau7-byhg |
| summary |
Mozilla developer Boris Zbarsky reported that a frame
named "location" could shadow the window.location object unless a
script in a page grabbed a reference to the true object before the frame
was created. Because some plugins use the value of window.location to determine
the page origin this could fool the plugin into granting the plugin content
access to another site or the local file system in violation of the Same Origin
Policy. This flaw allows circumvention of the fix added for
MFSA 2010-10. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2999
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jh6n-bau7-byhg |
|
| 288 |
| url |
VCID-jhgh-37q6-17fm |
| vulnerability_id |
VCID-jhgh-37q6-17fm |
| summary |
Security researcher Billy Hoffman discovered a bug in the XBM decoder that allowed random small chunks of uninitialized memory to be read. The severity of this bug was low and did not appear to cause any memory corruption. Firefox 3 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4069
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jhgh-37q6-17fm |
|
| 289 |
| url |
VCID-jjg5-q8kj-yyg9 |
| vulnerability_id |
VCID-jjg5-q8kj-yyg9 |
| summary |
Security researcher Eduardo Vela Nava reported that
if a web page opened a new window and used a javascript: URL to make a
modal call, such as alert(), then subsequently navigated
the page to a different domain, once the modal call returned the
opener of the window could get access to objects in the navigated
window. This is a violation of the same-origin policy and could be
used by an attacker to steal information from another web site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3178
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jjg5-q8kj-yyg9 |
|
| 290 |
| url |
VCID-jjza-54cz-9kcg |
| vulnerability_id |
VCID-jjza-54cz-9kcg |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a
data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1966
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jjza-54cz-9kcg |
|
| 291 |
| url |
VCID-jkjk-6r2p-jbcu |
| vulnerability_id |
VCID-jkjk-6r2p-jbcu |
| summary |
Mozilla developer Blake Kaplan reported
that setTimeout, when called with certain object
parameters which should be protected with
a XPCNativeWrapper, will fail to keep the object wrapped
when compiling the new function to be executed. If chrome privileged
code were to call setTimeout using this as
an argument, the this object will lose its wrapper and
could be unsafely accessed by chrome code. An attacker could use such
vulnerable code to run arbitrary JavaScript with chrome
privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2471
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jkjk-6r2p-jbcu |
|
| 292 |
| url |
VCID-jkxv-jgzt-yue7 |
| vulnerability_id |
VCID-jkxv-jgzt-yue7 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that an XBL binding, when attached to an unloaded document, can be
used to violate the same-origin policy and execute arbitrary
JavaScript within the context of a different website. moz_bug_r_a4 also reported two vulnerabilities by which page
content can pollute XPCNativeWrappers and run arbitrary JavaScript with
chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5512
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jkxv-jgzt-yue7 |
|
| 293 |
| url |
VCID-jn2a-9g3e-pqc4 |
| vulnerability_id |
VCID-jn2a-9g3e-pqc4 |
| summary |
Google security researcher Michal Zalewski
reported that focus() could be used to change a user's
cursor focus while they are typing, potentially directing their
keyboard input to an unintended location. This behavior was also
present across origins when content from one domain was embedded
within another via an iframe. A malicious web page could use this
behavior to steal keystrokes from a victim while they were typing
sensitive information such as a password. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1125
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jn2a-9g3e-pqc4 |
|
| 294 |
| url |
VCID-jrca-ffpb-yuhd |
| vulnerability_id |
VCID-jrca-ffpb-yuhd |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2065
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jrca-ffpb-yuhd |
|
| 295 |
| url |
VCID-junk-cvrr-h3ey |
| vulnerability_id |
VCID-junk-cvrr-h3ey |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0772
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-junk-cvrr-h3ey |
|
| 296 |
| url |
VCID-jx4t-39du-9khz |
| vulnerability_id |
VCID-jx4t-39du-9khz |
| summary |
Mozilla add-on developer and community member Wladimir
Palant reported that content-loading policies were not
checked before loading external script files into XUL documents.
The severity of this problem would depend on the reasons behind the
content policy check, which include privacy from "web bugs" in
Thunderbird mail messages, blocking of Ads and Ad-server tracking
in AdBlock Plus. The original version of this advisory incorrectly claimed
that NoScript protection could be bypassed; NoScript was unaffected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1840
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jx4t-39du-9khz |
|
| 297 |
|
| 298 |
| url |
VCID-jzxs-ubpc-kkhq |
| vulnerability_id |
VCID-jzxs-ubpc-kkhq |
| summary |
Microsoft developer Dave Reed reported that certain
BOM characters are stripped from JavaScript code before it is executed.
This can cause code that would otherwise be treated as part of a quoted
string to be executed. The issue could potentially be used by an attacker
to bypass or evade script filters and perform a cross-site scripting (XSS)
attack. Chris Weber of Casaba Security independently
reported the same issue, noting that the same parsing problem affected
other attributes, such as the -moz-binding style property,
that could also be used to perform XSS attacks.
Security researcher Gareth Heyes reported an issue with the HTML parser in which the parser ignored certain low surrogate characters if they were HTML-escaped. This issue could potentially be used to bypass naive script filtering and used in an XSS attack. This issue only affected Firefox 2. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4066
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jzxs-ubpc-kkhq |
|
| 299 |
| url |
VCID-jzxt-hzwv-a3ay |
| vulnerability_id |
VCID-jzxt-hzwv-a3ay |
| summary |
Security researcher Juan Pablo Lopez Yacubian
reported that the default Windows font used to render the locationbar
and other text fields was improperly displaying certain Unicode
characters with tall line-height. In such cases the tall line-height
would cause the rest of the text in the input field to be scrolled
vertically out of view. An attacker could use this vulnerability to
prevent a user from seeing the URL of a malicious site. Corrie Sloot also independently reported this
issue to Mozilla. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3078
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jzxt-hzwv-a3ay |
|
| 300 |
| url |
VCID-k4bn-xfgy-a3en |
| vulnerability_id |
VCID-k4bn-xfgy-a3en |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3980
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k4bn-xfgy-a3en |
|
| 301 |
| url |
VCID-k6sa-x522-yba2 |
| vulnerability_id |
VCID-k6sa-x522-yba2 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1392
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k6sa-x522-yba2 |
|
| 302 |
| url |
VCID-k7qg-pc6m-3fde |
| vulnerability_id |
VCID-k7qg-pc6m-3fde |
| summary |
Vitaly Nevgen reported that an attacker could replace a
sub-frame in another domain's document by using the name attribute of the
sub-frame as a form submission target. This can potentially allow for phishing
attacks against users and violates the HTML5 frame navigation policy.
Firefox 3.6 and Thunderbird 3.1 are not affected by this
vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0445
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k7qg-pc6m-3fde |
|
| 303 |
| url |
VCID-k8gc-ufm1-9ffn |
| vulnerability_id |
VCID-k8gc-ufm1-9ffn |
| summary |
Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below.
Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4195
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k8gc-ufm1-9ffn |
|
| 304 |
| url |
VCID-k9js-qqg1-pyfh |
| vulnerability_id |
VCID-k9js-qqg1-pyfh |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that for
some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5018
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k9js-qqg1-pyfh |
|
| 305 |
| url |
VCID-ka4t-w5r8-43hu |
| vulnerability_id |
VCID-ka4t-w5r8-43hu |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3400
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ka4t-w5r8-43hu |
|
| 306 |
|
| 307 |
| url |
VCID-kkaz-32r9-4fhc |
| vulnerability_id |
VCID-kkaz-32r9-4fhc |
| summary |
Mozilla security researcher moz_bug_r_a4 reported an
arbitrary code execution attack using a javascript: URL. The Gecko
engine features a JavaScript sandbox utility that allows the browser or add-ons
to safely execute script in the context of a web page. In certain cases,
javascript: URLs are executed in such a sandbox with insufficient
context that can allow those scripts to escape from the sandbox and run with
elevated privilege. This can lead to arbitrary code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1967
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kkaz-32r9-4fhc |
|
| 308 |
| url |
VCID-knbx-h6rk-9qfu |
| vulnerability_id |
VCID-knbx-h6rk-9qfu |
| summary |
Mozilla discovered several bugs in liboggplay which posed potential
memory safety issues. The bugs which were fixed could potentially be
used by an attacker to crash a victim's browser and execute arbitrary
code on their computer. Audio and Video capabilities were added to the Mozilla browser
engine in Firefox 3.5, SeaMonkey 2.0, and Thunderbird 3.0; prior releases of
these products were not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3388
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-knbx-h6rk-9qfu |
|
| 309 |
| url |
VCID-knur-edxh-4ydw |
| vulnerability_id |
VCID-knur-edxh-4ydw |
| summary |
Independent security researcher Kuza55 and
Microsoft security researcher Tom Gallagher reported
that when plugin-initiated requests receive a 307 redirect response,
the plugin is not notified and the request is forwarded to the new
location. This is true even for cross-site redirects, so any custom
headers that were added as part of the initial request would be
forwarded intact across origins. This poses a CSRF risk for web
applications that rely on custom headers only being present in
requests from their own origin. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0059
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-knur-edxh-4ydw |
|
| 310 |
| url |
VCID-kr3x-4kyw-rbcv |
| vulnerability_id |
VCID-kr3x-4kyw-rbcv |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the XPCOM utility XPCVariant::VariantDataToJS
unwrapped doubly-wrapped objects before returning them to chrome
callers. This could result in chrome privileged code calling methods
on an object which had previously been created or modified by web
content, potentially executing malicious JavaScript code with chrome
privileges. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3374
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kr3x-4kyw-rbcv |
|
| 311 |
| url |
VCID-ksst-4srh-c3eu |
| vulnerability_id |
VCID-ksst-4srh-c3eu |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1833
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ksst-4srh-c3eu |
|
| 312 |
| url |
VCID-kts9-w6sz-kkbj |
| vulnerability_id |
VCID-kts9-w6sz-kkbj |
| summary |
Security researcher wushi of team509 reported that
the frame construction process for certain types of menus could result
in a menu containing a pointer to a previously freed menu item.
During the cycle collection process, this freed item could be accessed,
resulting in the execution of a section of code potentially controlled
by an attacker. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0183
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kts9-w6sz-kkbj |
|
| 313 |
| url |
VCID-kufy-1tyw-4qa2 |
| vulnerability_id |
VCID-kufy-1tyw-4qa2 |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that for
some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5016
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kufy-1tyw-4qa2 |
|
| 314 |
| url |
VCID-kvaw-h1xw-vuf5 |
| vulnerability_id |
VCID-kvaw-h1xw-vuf5 |
| summary |
Security researchers Adam Barth and Collin
Jackson reported that when a file: resource is
loaded via the location bar it inherits the principal of the
previously loaded document. This vulnerability can potentially give
the newly loaded document additional privileges to access the contents
of other local files that it wouldn't otherwise have permission to read.
A potential victim would first have to have downloaded the attacker's
document to their local machine. Then the victim would have to open another
document in a directory of interest to the attacker before opening the
attacker's file in the same window.
Prior to version 3.0, Firefox (like browsers from other
vendors) treated all local files as having the same origin without
restriction. This vulnerability is a partial bypass of the restrictions
implemented in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1839
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kvaw-h1xw-vuf5 |
|
| 315 |
| url |
VCID-kvg8-pa7m-2bfg |
| vulnerability_id |
VCID-kvg8-pa7m-2bfg |
| summary |
Security researcher Richard Moore reported that
when an SSL certificate was created with a common name containing a
wildcard followed by a partial IP address a valid SSL connection could be
established with a server whose IP address matched the wildcard range
by browsing directly to the IP address. It is extremely unlikely that
such a certificate would be issued by a Certificate Authority. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3170
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kvg8-pa7m-2bfg |
|
| 316 |
| url |
VCID-kws9-mf7a-syh8 |
| vulnerability_id |
VCID-kws9-mf7a-syh8 |
| summary |
Mozilla developer Georgi Guninski reported that
the canvas element could be used in conjunction with an HTTP redirect
to bypass same-origin restrictions and gain access to the content in
arbitrary images from other domains. This vulnerability could be used
by an attacker to steal private information from a victim who is
logged into a website that stores the data in images. Security researchers Michal Zalewski
and Chris Evans also reported an additional threat
caused by this vulnerability in which an attacker can enumerate the
software installed on a victim's computer by using moz-icon as the
redirection target. Firefox 3 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5012
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kws9-mf7a-syh8 |
|
| 317 |
| url |
VCID-kzjq-mq5p-w7em |
| vulnerability_id |
VCID-kzjq-mq5p-w7em |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the same-origin check in
nsXMLHttpRequest::NotifyEventListeners() could be
bypassed. This vulnerability could be used to execute JavaScript in
the context of a different website. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5022
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kzjq-mq5p-w7em |
|
| 318 |
|
| 319 |
| url |
VCID-m7sq-29rx-pff5 |
| vulnerability_id |
VCID-m7sq-29rx-pff5 |
| summary |
Security researcher Mariusz Mlynski reported that when
InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper
(COW) that fails to specify exposed properties. These can then be added to the
resulting object by an attacker, allowing access to chrome privileged functions
through script.
While investigating this issue, Mozilla security researcher
moz_bug_r_a4 found that COW did not disallow accessing of
properties from a standard prototype in some situations, even when the original
issue had been fixed.
These issues could allow for a cross-site scripting (XSS) attack or arbitrary
code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3993
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m7sq-29rx-pff5 |
|
| 320 |
| url |
VCID-mbgs-b2qj-ukg1 |
| vulnerability_id |
VCID-mbgs-b2qj-ukg1 |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3961
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mbgs-b2qj-ukg1 |
|
| 321 |
| url |
VCID-mcy6-z48m-tufs |
| vulnerability_id |
VCID-mcy6-z48m-tufs |
| summary |
David Remahl of Apple Product Security reported
that the Java Embedding Plugin (JEP) shipped with the Mac OS X versions
of Firefox could be exploited to obtain elevated access to resources on
a user's system. Firefox 4 was not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0076
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mcy6-z48m-tufs |
|
| 322 |
| url |
VCID-mfbd-41mr-7kg5 |
| vulnerability_id |
VCID-mfbd-41mr-7kg5 |
| summary |
Security researcher regenrecht reported (via TippingPoint's
Zero Day Initiative) a potential reuse of a deleted image frame in Firefox
3.6's handling of multipart/x-mixed-replace images. Although
no exploit was shown, re-use of freed memory has led to exploitable
vulnerabilities in the past. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0164
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mfbd-41mr-7kg5 |
|
| 323 |
| url |
VCID-mftz-nzj1-hudz |
| vulnerability_id |
VCID-mftz-nzj1-hudz |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Drew Yao of Apple Product Security reported two crashes in Mozilla image rendering code. This vulnerability only affected Firefox 3. David Maciejak of Fortinet's FortiGuard Global Security
Research Team also reported a crash in graphics rendering which only
affected Firefox 3. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4063
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mftz-nzj1-hudz |
|
| 324 |
| url |
VCID-mh43-ax68-gkhz |
| vulnerability_id |
VCID-mh43-ax68-gkhz |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4180
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mh43-ax68-gkhz |
|
| 325 |
| url |
VCID-mj22-p5cg-43c3 |
| vulnerability_id |
VCID-mj22-p5cg-43c3 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2364
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mj22-p5cg-43c3 |
|
| 326 |
| url |
VCID-mm8q-zcef-e3g1 |
| vulnerability_id |
VCID-mm8q-zcef-e3g1 |
| summary |
sczimmer reported that Firefox crashed when loading
a particular .ogg file. This was due to a use-after-free
condition and could potentially be exploited to install malware.
This vulnerability does not affect Firefox 3.6 or earlier. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3005
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mm8q-zcef-e3g1 |
|
| 327 |
| url |
VCID-mmc8-9gbv-fbat |
| vulnerability_id |
VCID-mmc8-9gbv-fbat |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0070
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mmc8-9gbv-fbat |
|
| 328 |
| url |
VCID-mmw9-8yss-vke8 |
| vulnerability_id |
VCID-mmw9-8yss-vke8 |
| summary |
Security researcher Ilja van Sprundel of IOActive
reported that the Content-Disposition: attachment HTTP
header was ignored when Content-Type: multipart was also
present. This issue could potentially lead to XSS problems in sites
that allow users to upload arbitrary files and specify a Content-Type
but rely on Content-Disposition: attachment to prevent
the content from being displayed inline. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1197
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mmw9-8yss-vke8 |
|
| 329 |
| url |
VCID-ms5v-jk9f-dkbd |
| vulnerability_id |
VCID-ms5v-jk9f-dkbd |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team discovered a series of use-after-free, buffer overflow, and
out of bounds read issues using the Address Sanitizer tool in shipped software.
These issues are potentially exploitable, allowing for remote code execution.
We would also like to thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4183
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ms5v-jk9f-dkbd |
|
| 330 |
| url |
VCID-n4t4-2b9j-hqa1 |
| vulnerability_id |
VCID-n4t4-2b9j-hqa1 |
| summary |
Mozilla add-on developer and community member Wladimir
Palant reported broken functionality on pages that had a
Link: HTTP header when an add-on was installed
which implemented a Content Policy in JavaScript, such
as AdBlock Plus or NoScript. Mozilla security
researcher moz_bug_r_a4 demonstrated that the broken
functionality was due to the window's global object
receiving an incorrect security wrapper and that this issue could be
used to execute arbitrary JavaScript with chrome privileges. This vulnerability does not affect Firefox
prior to version 3.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2665
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n4t4-2b9j-hqa1 |
|
| 331 |
| url |
VCID-n5sw-3tyh-nbcm |
| vulnerability_id |
VCID-n5sw-3tyh-nbcm |
| summary |
Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4205
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n5sw-3tyh-nbcm |
|
| 332 |
| url |
VCID-n5xr-5qvw-2yah |
| vulnerability_id |
VCID-n5xr-5qvw-2yah |
| summary |
Security researcher Nils reported via
TippingPoint's Zero Day Initiative that the XUL tree
method _moveToEdgeShift was in some cases triggering
garbage collection routines on objects which were still in use. In
such cases, the browser would crash when attempting to access a
previously destroyed object and this crash could be used by an
attacker to run arbitrary code on a victim's computer. This vulnerability was used by the reporter to win the
2009 CanSecWest Pwn2Own contest. This vulnerability does not affect Firefox 2,
Thunderbird 2, or released versions of SeaMonkey. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1044
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n5xr-5qvw-2yah |
|
| 333 |
| url |
VCID-n747-sujq-tqgf |
| vulnerability_id |
VCID-n747-sujq-tqgf |
| summary |
Mozilla community member Daniel Glazman of Disruptive
Innovations reported a crash when accessing a keyframe's cssText after dynamic
modification. This crash may be potentially exploitable.
Firefox 3.6 and Thunderbird 3.1 are not affected by this
vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0459
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n747-sujq-tqgf |
|
| 334 |
| url |
VCID-n7vg-xm1u-qkcq |
| vulnerability_id |
VCID-n7vg-xm1u-qkcq |
| summary |
Security researcher Mark Poticha reported an issue where
incorrect SSL certificate information can be displayed on the addressbar,
showing the SSL data for a previous site while another has been loaded. This is
caused by two onLocationChange events being fired out of the expected order,
so the displayed certificate data is not updated. This can be used
for phishing attacks by allowing the user to input form or other data on a
newer, attacking, site while the credentials of an older site appear on the
addressbar. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3976
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n7vg-xm1u-qkcq |
|
| 335 |
| url |
VCID-n9a3-1qv2-6yfw |
| vulnerability_id |
VCID-n9a3-1qv2-6yfw |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue(). This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution.
Security researcher Gareth Heyes also blogged about a Firefox 16 only symptom that is fixed in the updated versions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4192
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n9a3-1qv2-6yfw |
|
| 336 |
| url |
VCID-najm-etj8-sffz |
| vulnerability_id |
VCID-najm-etj8-sffz |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1994
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-najm-etj8-sffz |
|
| 337 |
| url |
VCID-ncyn-54s5-yqcw |
| vulnerability_id |
VCID-ncyn-54s5-yqcw |
| summary |
ling and wushi of team509, via
TippingPoint's Zero Day Initiative program, reported a flaw in part of
Mozilla's DOM constructing code. This vulnerability can be exploited
by modifying certain properties of a file input element before it has
finished initializing. When the blur method of the
modified input element is called, uninitialized memory is accessed by
the browser, resulting in a crash. This crash may be used by an
attacker to run arbitrary code on a victim's computer. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5021
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ncyn-54s5-yqcw |
|
| 338 |
| url |
VCID-nd55-spy5-9qau |
| vulnerability_id |
VCID-nd55-spy5-9qau |
| summary |
Security researcher regenrecht reported several
dangling pointer vulnerabilities via TippingPoint's Zero Day
Initiative. Firefox 4 was not affected by these issues. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0073
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nd55-spy5-9qau |
|
| 339 |
| url |
VCID-nesy-7bkx-87ax |
| vulnerability_id |
VCID-nesy-7bkx-87ax |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3957
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nesy-7bkx-87ax |
|
| 340 |
|
| 341 |
| url |
VCID-nhbn-aqde-vue5 |
| vulnerability_id |
VCID-nhbn-aqde-vue5 |
| summary |
Mozilla cryptographer Nelson Bolyard reported that
the SSL implementation was permitting servers to use Diffie-Hellman
Ephemeral mode (DHE) with too short of a minimum key length. DHE keys
of such lengths are trivially breakable on modern hardware so SSL
servers operating in this mode were providing very little effective
security for their clients. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3173
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhbn-aqde-vue5 |
|
| 342 |
| url |
VCID-nhpz-urjv-bfet |
| vulnerability_id |
VCID-nhpz-urjv-bfet |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a
series of vulnerabilities by which page content can pollute
XPCNativeWrappers and have arbitrary code run with chrome privileges.
One variant reported by moz_bug_r_a4 only affected Firefox 2. Mozilla developer Olli Pettay reported that XSLT can
create documents which do not have script handling objects. moz_bug_r_a4
also reported that document.loadBindingDocument() returns a
document that does not have a script handling object. These issues could
also be used by an attacker to run arbitrary script with chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-4060
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhpz-urjv-bfet |
|
| 343 |
| url |
VCID-nkdg-ez7k-7qdh |
| vulnerability_id |
VCID-nkdg-ez7k-7qdh |
| summary |
Security researcher Abhishek Arya of Google used the Address
Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in conversion
from unicode to native character sets when the function fails. The
use-after-free occurs in nsFrameList when working with column layout with
absolute positioning in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is resized on a page with
nested columns and a combination of absolute and relative positioning. All three
of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1940
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nkdg-ez7k-7qdh |
|
| 344 |
| url |
VCID-nnck-qb21-3ueg |
| vulnerability_id |
VCID-nnck-qb21-3ueg |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-5074
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nnck-qb21-3ueg |
|
| 345 |
| url |
VCID-nqeq-nees-u3dk |
| vulnerability_id |
VCID-nqeq-nees-u3dk |
| summary |
Security researcher Paul Stone reported that when
an HTML selection containing JavaScript is copy-and-pasted or dropped
onto a document with designMode enabled the JavaScript will be
executed within the context of the site where the code was dropped. A
malicious site could leverage this issue in an XSS attack by
persuading a user into taking such an action and in the process
running malicious JavaScript within the context of another site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2769
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nqeq-nees-u3dk |
|
| 346 |
| url |
VCID-nwhc-qysh-3qfk |
| vulnerability_id |
VCID-nwhc-qysh-3qfk |
| summary |
Security researcher Gregory Fleischer reported
that the exception messages generated by
Mozilla's GeckoActiveXObject differ based on whether or
not the requested COM object's ProgID is present in the system
registry. A malicious site could use this vulnerability to enumerate
a list of COM objects installed on a user's system and create a
profile to track the user across browsing sessions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3987
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nwhc-qysh-3qfk |
|
| 347 |
| url |
VCID-nwkn-p5sh-jbhk |
| vulnerability_id |
VCID-nwkn-p5sh-jbhk |
| summary |
Mozilla add-on developer Pavel Cvrcek reported
that certain invalid unicode characters, when used as part of an IDN,
are displayed as whitespace in the location bar. This whitespace
could be used to force part of the URL out of view in the location
bar. An attacker could use this vulnerability to spoof the location
bar and display a misleading URL for their malicious web page. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1834
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nwkn-p5sh-jbhk |
|
| 348 |
| url |
VCID-nxgs-2jdy-sbbp |
| vulnerability_id |
VCID-nxgs-2jdy-sbbp |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative two instances of code which
modifies SVG element lists failed to account for changes made to the
list by user-supplied callbacks before accessing list elements. If a
user-supplied callback deleted such an object, the element-modifying
code could wind up accessing deleted memory and potentially executing
attacker-controlled memory. regenrecht also reported via TippingPoint's Zero Day Initiative
that a XUL document could force the nsXULCommandDispatcher to remove
all command updaters from the queue, including the one currently in
use. This could result in the execution of deleted memory which an
attacker could use to run arbitrary code on a victim's computer. Firefox 4 and SeaMonkey 2.1 and newer were not affected by
these issues. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-2363
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nxgs-2jdy-sbbp |
|
| 349 |
| url |
VCID-nyu8-zhfr-ubhx |
| vulnerability_id |
VCID-nyu8-zhfr-ubhx |
| summary |
Security researcher Haifei Li of FortiGuard Labs
reported that Firefox could be used to load a malicious code library
that had been planted on a victim's computer. Firefox attempts to
load dwmapi.dll upon startup as part of its platform detection, so on
systems that don't have this library, such as Windows XP, Firefox will
subsequently attempt to load the library from the current working
directory. An attacker could use this vulnerability to trick a user
into downloading an HTML file and a malicious copy of dwmapi.dll into
the same directory on their computer and opening the HTML file with
Firefox, thus causing the malicious code to be executed. If the
attacker was on the same network as the victim, the malicious DLL
could also be loaded via a UNC path. This DLL is only loaded at
startup so a successful attack requires that Firefox not currently
be running when it is asked to open the HTML
file and accompanying DLL. This issue was also independently reported to Mozilla
by Acros Security. After the issue became public a
number of other community members contacted Mozilla to report the
issue. Firefox users on Windows Vista or Windows 7
were not vulnerable to this attack because dwmapi.dll is part
of the OS in Vista and later versions and the legitimate copy
is successfully loaded by
Firefox before attempting to load the planted DLL. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3131
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nyu8-zhfr-ubhx |
|
| 350 |
| url |
VCID-p51y-by4w-qyd7 |
| vulnerability_id |
VCID-p51y-by4w-qyd7 |
| summary |
An anonymous security researcher, via TippingPoint's Zero Day
Initiative, reported that the columns of a XUL tree element could be
manipulated in a particular way which would leave a pointer owned by
the column pointing to freed memory. An attacker could potentially
use this vulnerability to crash a victim's browser and run arbitrary
code on the victim's computer. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3077
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p51y-by4w-qyd7 |
|
| 351 |
| url |
VCID-p5zn-r2n7-8ugt |
| vulnerability_id |
VCID-p5zn-r2n7-8ugt |
| summary |
Security researcher Paul Stone reported an attack where an
HTML page hosted on a Windows share and then loaded could then load Windows
shortcut files (.lnk) in the same share. These shortcut files could then link to
arbitrary locations on the local file system of the individual loading the HTML
page. That page could show the contents of these linked files or directories
from the local file system in an iframe, causing information disclosure.
This issue could potentially affect Linux machines with samba
shares enabled. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1945
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p5zn-r2n7-8ugt |
|
| 352 |
| url |
VCID-p6xe-qepz-7kez |
| vulnerability_id |
VCID-p6xe-qepz-7kez |
| summary |
Mozilla security researcher moz_bug_r_a4 reported that
certain security checks in the location object can be bypassed if chrome code is
called content in a specific manner. This allowed for the loading of restricted
content. This can be combined with other issues to become potentially
exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3978
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p6xe-qepz-7kez |
|
| 353 |
| url |
VCID-pc3m-3w52-9yb1 |
| vulnerability_id |
VCID-pc3m-3w52-9yb1 |
| summary |
Google security researcher Abhishek Arya used the Address
Sanitizer tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is caused
when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made
to call into objects in this array later. The second use-after-free problem is
in nsDocument::AdoptNode when it adopts into an empty document and then adopts
into another document, emptying the first one. The heap buffer overflow is in
ElementAnimations when data is read off the end of an array and then pointers are
dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called
with frames in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1951
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pc3m-3w52-9yb1 |
|
| 354 |
| url |
VCID-pgt7-k439-dyby |
| vulnerability_id |
VCID-pgt7-k439-dyby |
| summary |
Security researcher PenPal reported a crash
involving a SVG element on which a watch function
and __defineSetter__ function have been set for a
particular property. The crash showed evidence of memory corruption
and could potentially be used by an attacker to run arbitrary code on
a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2469
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pgt7-k439-dyby |
|
| 355 |
|
| 356 |
| url |
VCID-phx6-pmuh-8bdr |
| vulnerability_id |
VCID-phx6-pmuh-8bdr |
| summary |
Security researcher Atte Kettunen from OUSPG found two
issues with Firefox's handling of SVG using the Address Sanitizer tool. The
first issue, critically rated, is a use-after-free in SVG animation that could
potentially lead to arbitrary code execution. The second issue is rated moderate
and is an out of bounds read in SVG Filters. This could potentially incorporate
data from the user's memory, making it accessible to the page content. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0456
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-phx6-pmuh-8bdr |
|
| 357 |
| url |
VCID-phyz-e3br-qffu |
| vulnerability_id |
VCID-phyz-e3br-qffu |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative two instances of code which
modifies SVG element lists failed to account for changes made to the
list by user-supplied callbacks before accessing list elements. If a
user-supplied callback deleted such an object, the element-modifying
code could wind up accessing deleted memory and potentially executing
attacker-controlled memory. regenrecht also reported via TippingPoint's Zero Day Initiative
that a XUL document could force the nsXULCommandDispatcher to remove
all command updaters from the queue, including the one currently in
use. This could result in the execution of deleted memory which an
attacker could use to run arbitrary code on a victim's computer. Firefox 4 and SeaMonkey 2.1 and newer were not affected by
these issues. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0085
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-phyz-e3br-qffu |
|
| 358 |
| url |
VCID-pkky-dzgj-2qay |
| vulnerability_id |
VCID-pkky-dzgj-2qay |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the
way <option> elements are inserted into a XUL
tree <optgroup>. In certain cases, the number of
references to an <option> element is under-counted so
that when the element is deleted, a live pointer to its old location
is kept around and may later be used. An attacker could potentially
use these conditions to run arbitrary code on a victim's computer. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-0176
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pkky-dzgj-2qay |
|
| 359 |
| url |
VCID-pq8y-auvb-mkgw |
| vulnerability_id |
VCID-pq8y-auvb-mkgw |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Update (March 1, 2011): CVE-2010-3777 was
fixed in Firefox 3.5.17 |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3777
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pq8y-auvb-mkgw |
|
| 360 |
| url |
VCID-ps3u-nesw-myaw |
| vulnerability_id |
VCID-ps3u-nesw-myaw |
| summary |
Security researcher Mario Gomes and research firm
Code Audit Labs reported a mechanism to short-circuit page
loads through drag and drop to the addressbar by canceling the page load. This
causes the address of the previously entered site to be displayed in the
addressbar instead of the currently loaded page. This could lead to potential
phishing attacks on users. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1950
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ps3u-nesw-myaw |
|
| 361 |
|
| 362 |
| url |
VCID-pwuc-1qfh-wue2 |
| vulnerability_id |
VCID-pwuc-1qfh-wue2 |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2043
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pwuc-1qfh-wue2 |
|
| 363 |
| url |
VCID-q19p-umh9-rydp |
| vulnerability_id |
VCID-q19p-umh9-rydp |
| summary |
Security researcher wushi of team509 reported a
heap buffer overflow in code routines responsible for transforming
text runs. A page could be constructed with a bidirectional text run
which upon reflow could result in an incorrect length being calculated
for the run of text. When this value is subsequently used to allocate
memory for the text, too small a buffer may be created, potentially
resulting in a buffer overflow and the execution of attacker
controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3166
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q19p-umh9-rydp |
|
| 364 |
| url |
VCID-q3gb-89sm-8yc3 |
| vulnerability_id |
VCID-q3gb-89sm-8yc3 |
| summary |
Security researcher Masato Kinugawa found when HZ-GB-2312 charset encoding is used for text, the "~" character will destroy another character near the chunk delimiter. This can lead to a cross-site scripting (XSS) attack in pages encoded in HZ-GB-2312. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4207
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q3gb-89sm-8yc3 |
|
| 365 |
| url |
VCID-q4xw-urcg-83bw |
| vulnerability_id |
VCID-q4xw-urcg-83bw |
| summary |
Mozilla developer Matt Brubeck reported that
window.fullScreen is writeable by untrusted content now that the DOM fullscreen
API is enabled. Because window.fullScreen does not include
mozRequestFullscreen's security protections, it could be used for UI spoofing.
This code change makes window.fullScreen read only by untrusted content, forcing
the use of the DOM fullscreen API in normal usage.
Firefox 3.6 and Thunderbird 3.1 are not affected by this
vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0460
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q4xw-urcg-83bw |
|
| 366 |
| url |
VCID-q8zq-w7zs-h3gp |
| vulnerability_id |
VCID-q8zq-w7zs-h3gp |
| summary |
Moxie Marlinspike reported a heap overflow vulnerability
in the code that handles regular expressions in certificate names. This
vulnerability could be used to compromise the browser and run arbitrary code
by presenting a specially crafted certificate to the client. This code
provided compatibility with the non-standard regular expression syntax
historically supported by Netscape clients and servers. With version 3.5
Firefox switched to the more limited industry-standard wildcard syntax
instead and is not vulnerable to this flaw. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-2404
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q8zq-w7zs-h3gp |
|
| 367 |
| url |
VCID-qemc-854g-kfgx |
| vulnerability_id |
VCID-qemc-854g-kfgx |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
an additional variation on the feed preview vulnerabilities
fixed in Firefox 2.0.0.17.
moz_bug_r_a4 demonstrated that it was still possible to
use the feed preview as a vector for JavaScript privilege escalation.
An attacker could use this issue to run arbitrary JavaScript with
chrome privileges. Firefox 3 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5504
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qemc-854g-kfgx |
|
| 368 |
|
| 369 |
|
| 370 |
| url |
VCID-qj9j-vc8m-1uhp |
| vulnerability_id |
VCID-qj9j-vc8m-1uhp |
| summary |
Security researcher Juan Pablo Lopez Yacubian
reported that an attacker could call window.open() on an
invalid URL which looks similar to a legitimate URL and then
use document.write() to place content within the new
document, appearing to have come from the spoofed location.
Additionally, if the spoofed document was created by a document with a
valid SSL certificate, the SSL indicators would be carried over into
the spoofed document. An attacker could use these issues to display
misleading location and SSL information for a malicious web page. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-2654
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qj9j-vc8m-1uhp |
|
| 371 |
| url |
VCID-qkw1-m8aa-2qgn |
| vulnerability_id |
VCID-qkw1-m8aa-2qgn |
| summary |
Security researcher Jeroen van der Gun reported that if RSS
or Atom XML invalid content is loaded over HTTPS, the addressbar updates to
display the new location of the loaded resource, including SSL indicators, while
the main window still displays the previously loaded content. This allows for
phishing attacks where a malicious page can spoof the identity of another
seemingly secure site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0479
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qkw1-m8aa-2qgn |
|
| 372 |
| url |
VCID-qmh7-fvnc-tqhn |
| vulnerability_id |
VCID-qmh7-fvnc-tqhn |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0081
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qmh7-fvnc-tqhn |
|
| 373 |
| url |
VCID-qn4t-s1ek-vkcm |
| vulnerability_id |
VCID-qn4t-s1ek-vkcm |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that
when window.__lookupGetter__ is called with no arguments
the code assumes the top JavaScript stack value is a property name.
Since there were no arguments passed into the function, the top value
could represent uninitialized memory or a pointer to a previously
freed JavaScript object. Under such circumstances the value is passed
to another subroutine which calls through the dangling pointer,
potentially executing attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3183
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qn4t-s1ek-vkcm |
|
| 374 |
| url |
VCID-qns8-fjf9-13fr |
| vulnerability_id |
VCID-qns8-fjf9-13fr |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0468
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qns8-fjf9-13fr |
|
| 375 |
|
| 376 |
| url |
VCID-qwt7-qwnt-5qan |
| vulnerability_id |
VCID-qwt7-qwnt-5qan |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that a chrome XBL method can be used in conjunction
with window.eval to execute arbitrary JavaScript within
the context of another website, violating the same origin policy. Firefox 2 releases are not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0354
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qwt7-qwnt-5qan |
|
| 377 |
| url |
VCID-qyxv-c1m4-pbc7 |
| vulnerability_id |
VCID-qyxv-c1m4-pbc7 |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that there was a remaining dangling
pointer issue leftover from the fix
to CVE-2010-2753.
Under certain circumstances one of the pointers held by a XUL tree
selection could be freed and then later reused, potentially resulting
in the execution of attacker-controlled memory. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-2753
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qyxv-c1m4-pbc7 |
|
| 378 |
|
| 379 |
|
| 380 |
| url |
VCID-r4hv-qrsj-77gz |
| vulnerability_id |
VCID-r4hv-qrsj-77gz |
| summary |
Security researcher Marco C. reported a flaw in
the parsing of regular expressions used in Proxy Auto-configuration
(PAC) files. In certain cases this flaw could be used by an attacker
to crash a victim's browser and run arbitrary code on their computer.
Since this vulnerability requires the victim to have PAC configured in
their environment with specific regular expressions which can trigger
the crash, the severity of the issue was determined to be
moderate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3372
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r4hv-qrsj-77gz |
|
| 381 |
| url |
VCID-r8vx-y8mz-hqcu |
| vulnerability_id |
VCID-r8vx-y8mz-hqcu |
| summary |
Security researcher Mario Heiderich reported it was
possible to use SVG animation accessKey events to detect
key strokes even when JavaScript was disabled. Since web pages can normally
detect key events through script and most users have scripting enabled this
does not present a risk for most users. In contexts where the user knows
scripting is disabled (reading mail, for example, or NoScript users) this
could allow a malicious web page to fool a user into interacting with
a prompt thinking it came from the browser or mail program.
Accessing remote content is disabled by default when reading mail in
Thunderbird and SeaMonkey. Successfully capturing keystrokes remotely would
require some social engineering to convince the user to turn it on.
SVG animation is not supported in Thunderbird 3.1 or Firefox 3.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3663
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r8vx-y8mz-hqcu |
|
| 382 |
| url |
VCID-rb1h-hqfc-hkfq |
| vulnerability_id |
VCID-rb1h-hqfc-hkfq |
| summary |
Mozilla developers took fixes from previously fixed memory safety
bugs in newer Mozilla-based products and ported them to the Mozilla
1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey
1.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2463
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rb1h-hqfc-hkfq |
|
| 383 |
|
| 384 |
| url |
VCID-reea-m7yc-47e8 |
| vulnerability_id |
VCID-reea-m7yc-47e8 |
| summary |
Mozilla contributor Masahiro Yamada reported that
certain invisible control characters were being decoded when displayed
in the location bar, resulting in fewer visible characters than were
present in the actual location. An attacker could use this
vulnerability to spoof the location bar and display a misleading URL
for their malicious web page. The initial version of this advisory incorrectly listed
Thunderbird and SeaMonkey as affected products. Firefox is the only
product affected by this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0777
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-reea-m7yc-47e8 |
|
| 385 |
| url |
VCID-reun-f46b-skb1 |
| vulnerability_id |
VCID-reun-f46b-skb1 |
| summary |
Bugzilla developer Frédéric Buclin reported that the
X-Frame-Options header is ignored when the value is duplicated,
for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This
duplication occurs for unknown reasons on some websites and, when it occurs,
results in Mozilla browsers not being protected against possible clickjacking
attacks on those pages. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1961
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-reun-f46b-skb1 |
|
| 386 |
|
| 387 |
| url |
VCID-rhhn-tqga-gqea |
| vulnerability_id |
VCID-rhhn-tqga-gqea |
| summary |
Security researcher Mariusz Mlynski reported that the
location property can be accessed by binary plugins through
top.location and top can be shadowed by
Object.defineProperty as well. This can allow for possible
cross-site scripting (XSS) attacks through plugins.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3994
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rhhn-tqga-gqea |
|
| 388 |
|
| 389 |
| url |
VCID-rrat-t5xc-4qdr |
| vulnerability_id |
VCID-rrat-t5xc-4qdr |
| summary |
Jakob Balle and Carsten Eiram of
Secunia Research reported a race condition
in NPObjWrapper_NewResolve when accessing the properties
of a NPObject, a wrapped JSObject. Balle
and Eiram demonstrated that this condition could be reached by
navigating away from a web page during the loading of a Java applet.
Under such conditions the Java object would be destroyed but later
called into resulting in a free memory read. It might be possible
for an attacker to write to the freed memory before it is reused and run
arbitrary code on the victim's computer. This vulnerability does not affect Firefox 2 nor other
products built using the "Gecko 1.8" version of Mozilla code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1837
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rrat-t5xc-4qdr |
|
| 390 |
| url |
VCID-rt45-ac3f-xqau |
| vulnerability_id |
VCID-rt45-ac3f-xqau |
| summary |
Mozilla security researcher Mark Goodwin discovered an issue
with the Firefox developer tools' debugger. If remote debugging is disabled, but
the experimental HTTPMonitor extension has been installed and enabled, a remote
user can connect to and use the remote debugging service through the port used
by HTTPMonitor. A remote-enabled flag has been added to resolve
this problem and close the port unless debugging is explicitly enabled. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3973
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rt45-ac3f-xqau |
|
| 391 |
| url |
VCID-rvf4-88af-f7ga |
| vulnerability_id |
VCID-rvf4-88af-f7ga |
| summary |
Google security researcher Michal Zalewski
reported two methods for spoofing the contents of the location bar.
The first method works by opening a new window containing a resource
that responds with an HTTP 204 (no content) and then using the
reference to the new window to insert HTML content into the blank
document. The second location bar spoofing method does not require that the
resource opened in a new window respond with 204, as long as the
opener calls window.stop() before the document is loaded.
In either case a user could be misled as to the correct location of
the document they are currently viewing. Security researcher Jordi Chancel reported that
the location bar could be spoofed to look like a secure page when the
current document was served via plaintext. The vulnerability is
triggered by a server by first redirecting a request for a plaintext
resource to another resource behind a valid SSL/TLS certificate. A
second request made to the original plaintext resource which is
responded to not with a redirect but with JavaScript
containing history.back()
and history.forward() will result in the plaintext
resource being displayed with valid SSL/TLS badging in the location
bar. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1206
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rvf4-88af-f7ga |
|
| 392 |
| url |
VCID-rxnh-fjyt-cyab |
| vulnerability_id |
VCID-rxnh-fjyt-cyab |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4212
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rxnh-fjyt-cyab |
|
| 393 |
| url |
VCID-rzj8-31mb-ebf8 |
| vulnerability_id |
VCID-rzj8-31mb-ebf8 |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0774
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rzj8-31mb-ebf8 |
|
| 394 |
| url |
VCID-s1mt-2tfz-skfw |
| vulnerability_id |
VCID-s1mt-2tfz-skfw |
| summary |
Paul Nel reported that certain HTTP directives to
not cache web pages, Cache-Control: no-store and Cache-Control:
no-cache for HTTPS pages, were being ignored by Firefox 3. On a
shared system, applications relying upon these HTTP directives could
potentially expose private data. Another user on the system could use
this vulnerability to view improperly cached pages containing private
data by navigating the browser back. Firefox 2 releases are not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0358
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s1mt-2tfz-skfw |
|
| 395 |
| url |
VCID-s1nm-cdq2-nqec |
| vulnerability_id |
VCID-s1nm-cdq2-nqec |
| summary |
Security researcher regenrecht reported several
dangling pointer vulnerabilities via TippingPoint's Zero Day
Initiative. Firefox 4 was not affected by these issues. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0065
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s1nm-cdq2-nqec |
|
| 396 |
| url |
VCID-s27c-6ahy-gbgd |
| vulnerability_id |
VCID-s27c-6ahy-gbgd |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that two instances of code which
modifies SVG element lists failed to account for changes made to the
list by user-supplied callbacks before accessing list elements. If a
user-supplied callback deleted such an object, the element-modifying
code could wind up accessing deleted memory and potentially executing
attacker-controlled memory. regenrecht also reported via TippingPoint's Zero Day Initiative
that a XUL document could force the nsXULCommandDispatcher to remove
all command updaters from the queue, including the one currently in
use. This could result in the execution of deleted memory which an
attacker could use to run arbitrary code on a victim's computer. Firefox 4 and SeaMonkey 2.1 and newer were not affected by
these issues. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0083
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s27c-6ahy-gbgd |
|
| 397 |
| url |
VCID-s4v8-msj6-j3dw |
| vulnerability_id |
VCID-s4v8-msj6-j3dw |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute
can be accessed under certain circumstances because of a premature notification
of AttributeChildRemoved. This use-after-free of the child nodes could possibly
allow for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3659
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s4v8-msj6-j3dw |
|
| 398 |
| url |
VCID-s4x4-jhdq-efan |
| vulnerability_id |
VCID-s4x4-jhdq-efan |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1303
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s4x4-jhdq-efan |
|
| 399 |
| url |
VCID-s6mw-fa6n-wyeh |
| vulnerability_id |
VCID-s6mw-fa6n-wyeh |
| summary |
Security researcher Luke Bryan reported that file:
URIs are given chrome privileges when opened in the same tab as a
chrome page or privileged about: page. This vulnerability could be
used by an attacker to run arbitrary JavaScript with chrome
privileges. The severity of this issue was determined to be moderate
as it requires an attacker to have malicious code saved locally, then
have a user open a chrome: document or privileged about: URI, and then
open the malicious file in the same privileged tab. Firefox 2 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5015
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s6mw-fa6n-wyeh |
|
| 400 |
| url |
VCID-s9rz-eera-tbhz |
| vulnerability_id |
VCID-s9rz-eera-tbhz |
| summary |
Security researcher Abhishek Arya of Google used the Address
Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in conversion
from unicode to native character sets when the function fails. The
use-after-free occurs in nsFrameList when working with column layout with
absolute positioning in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is resized on a page with
nested columns and a combination of absolute and relative positioning. All three
of these issues are potentially exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1947
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s9rz-eera-tbhz |
|
| 401 |
| url |
VCID-sf66-zf27-cugn |
| vulnerability_id |
VCID-sf66-zf27-cugn |
| summary |
Mozilla developer Tim Abraldes reported that when encoding
images as image/vnd.microsoft.icon the resulting data was always a
fixed size, with uninitialized memory appended as padding beyond the size of the
actual image. This is the result of mImageBufferSize in the encoder being
initialized with a value different than the size of the source image. There is
the possibility of sensitive data from uninitialized memory being appended to a
PNG image when converted from an ICO format image. This sensitive data may then
be disclosed in the resulting image.
Firefox 3.6 and Thunderbird 3.1 are not affected by this
vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0447
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sf66-zf27-cugn |
|
| 402 |
| url |
VCID-sgvb-u7qc-57bx |
| vulnerability_id |
VCID-sgvb-u7qc-57bx |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that the implementation of XUL
<tree>'s content view contains a dangling pointer vulnerability.
One of the content view's methods for accessing the internal structure
of the tree could be manipulated into removing a node prior to
accessing it, resulting in the accessing of deleted memory. If an
attacker can control the contents of the deleted memory prior to its
access they could use this vulnerability to run arbitrary code on a
victim's machine. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3167
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sgvb-u7qc-57bx |
|
| 403 |
| url |
VCID-sh8a-1d68-mudt |
| vulnerability_id |
VCID-sh8a-1d68-mudt |
| summary |
Mozilla developer Wladimir Palant reported that
stylesheets used in remote XUL documents can wind up in the XUL cache
where they can later be accessed by browser chrome for use in styling
the user interface. A malicious website could use this issue to
pollute a user's XUL cache and change style attributes of their
browser such as font size and color. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0169
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sh8a-1d68-mudt |
|
| 404 |
| url |
VCID-shxn-m14n-7far |
| vulnerability_id |
VCID-shxn-m14n-7far |
| summary |
Security researcher Nicolas Grégoire used the Address
Sanitizer tool to discover an out-of-bounds read in the format-number feature of
XSLT, which can cause inaccurate formatting of numbers and information leakage.
This is not directly exploitable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3972
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-shxn-m14n-7far |
|
| 405 |
| url |
VCID-snem-pp9z-aqb9 |
| vulnerability_id |
VCID-snem-pp9z-aqb9 |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that there was a remaining dangling
pointer issue leftover from the fix
to CVE-2010-2753.
Under certain circumstances one of the pointers held by a XUL tree
selection could be freed and then later reused, potentially resulting
in the execution of attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2760
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-snem-pp9z-aqb9 |
|
| 406 |
| url |
VCID-sq7j-me19-fyey |
| vulnerability_id |
VCID-sq7j-me19-fyey |
| summary |
Security researchers Yosuke Hasegawa
and Masatoshi Kimura reported that the x-mac-arabic,
x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS
attacks due to some characters being converted to angle brackets when
displayed by the rendering engine. Sites using these character
encodings would thus be potentially vulnerable to script injection
attacks if their script filtering code fails to strip out these
specific characters. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3770
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sq7j-me19-fyey |
|
| 407 |
|
| 408 |
| url |
VCID-stqg-mham-5bbj |
| vulnerability_id |
VCID-stqg-mham-5bbj |
| summary |
Security researcher Mario Heiderich reported that JavaScript
could be executed in the HTML feed-view using an <embed> tag
within the RSS <description>. This problem is due to
<embed> tags not being filtered out during parsing and can
lead to a potential cross-site scripting (XSS) attack. The flaw existed in a
parser utility class and could affect other parts of the browser or add-ons
which rely on that class to sanitize untrusted input. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1957
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-stqg-mham-5bbj |
|
| 409 |
| url |
VCID-sw5m-vvtd-tfb6 |
| vulnerability_id |
VCID-sw5m-vvtd-tfb6 |
| summary |
Mozilla developers and community members identified and fixed
several stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2662
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sw5m-vvtd-tfb6 |
|
| 410 |
| url |
VCID-swze-ac2f-43bp |
| vulnerability_id |
VCID-swze-ac2f-43bp |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a
series of vulnerabilities by which page content can pollute
XPCNativeWrappers and have arbitrary code run with chrome privileges.
One variant reported by moz_bug_r_a4 only affected Firefox 2. Mozilla developer Olli Pettay reported that XSLT can
create documents which do not have script handling objects. moz_bug_r_a4
also reported that document.loadBindingDocument() returns a
document that does not have a script handling object. These issues could
also be used by an attacker to run arbitrary script with chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4059
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-swze-ac2f-43bp |
|
| 411 |
| url |
VCID-szd6-wdgm-rqhb |
| vulnerability_id |
VCID-szd6-wdgm-rqhb |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Drew Yao of Apple Product Security reported two crashes in Mozilla image rendering code. This vulnerability only affected Firefox 3. David Maciejak of Fortinet's FortiGuard Global Security
Research Team also reported a crash in graphics rendering which only
affected Firefox 3. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4061
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-szd6-wdgm-rqhb |
|
| 412 |
| url |
VCID-t4u8-8ysj-tbhh |
| vulnerability_id |
VCID-t4u8-8ysj-tbhh |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3964
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t4u8-8ysj-tbhh |
|
| 413 |
| url |
VCID-t4vh-sf1x-d3dj |
| vulnerability_id |
VCID-t4vh-sf1x-d3dj |
| summary |
OUSPG researcher Aki Helin reported a buffer
overflow in Mozilla graphics code which consumes image data processed
by libpng. A malformed PNG file could be created which would cause
libpng to incorrectly report the size of the image to downstream
consumers. When the dimensions of such images are underreported, the
Mozilla code responsible for displaying the graphic will allocate too
small a memory buffer to contain the image data and will wind up
writing data past the end of the buffer. This could result in the
execution of attacker-controlled memory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1205
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t4vh-sf1x-d3dj |
|
| 414 |
| url |
VCID-t82b-wx66-hbbx |
| vulnerability_id |
VCID-t82b-wx66-hbbx |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in
mail. Without further investigation we cannot rule out the possibility that for
some of these an attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5500
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t82b-wx66-hbbx |
|
| 415 |
| url |
VCID-t8xj-n8m2-kbfg |
| vulnerability_id |
VCID-t8xj-n8m2-kbfg |
| summary |
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to run
arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1971
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t8xj-n8m2-kbfg |
|
| 416 |
|
| 417 |
| url |
VCID-tcfs-yn97-zfhw |
| vulnerability_id |
VCID-tcfs-yn97-zfhw |
| summary |
Mozilla security researcher Jesse Ruderman reported
that when security modules were added or removed
via pkcs11.addmodule or pkcs11.deletemodule,
the resulting dialog was not sufficiently informative. Without
sufficient warning, an attacker could entice a victim to install a
malicious PKCS11 module and affect the cryptographic integrity of the
victim's browser. Security researcher Dan Kaminsky reported that
this issue had not been fixed in Firefox 3.0 and that under certain
circumstances pkcs11 modules could be installed from a
remote location. Firefox 3.5 releases are not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3076
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tcfs-yn97-zfhw |
|
| 418 |
|
| 419 |
| url |
VCID-tguh-s9wb-buey |
| vulnerability_id |
VCID-tguh-s9wb-buey |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0053
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tguh-s9wb-buey |
|
| 420 |
| url |
VCID-trw6-z25m-nucy |
| vulnerability_id |
VCID-trw6-z25m-nucy |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
a vulnerability which allows scripts from page content to run with
elevated privileges. Using this vulnerability, an attacker could
cause a chrome privileged object, such as the browser sidebar or the
FeedWriter, to interact with web content in such a way that attacker
controlled code may be executed with the object's chrome
privileges. Thunderbird supports neither the sidebar nor
BrowserFeedWriter objects and is not vulnerable in its default
configuration. Thunderbird might be vulnerable if the user has installed
any add-on which adds a similarly implemented feature and then enables
JavaScript in mail messages. This is not the default setting and we
strongly discourage users from running JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1841
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-trw6-z25m-nucy |
|
| 421 |
| url |
VCID-ttpz-dknd-2qey |
| vulnerability_id |
VCID-ttpz-dknd-2qey |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0173
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ttpz-dknd-2qey |
|
| 422 |
| url |
VCID-tw6y-cy6t-x7by |
| vulnerability_id |
VCID-tw6y-cy6t-x7by |
| summary |
Claus Wahlers reported that random images from GPU memory
were showing up in WebGL textures. Once incorporated into the WebGL graphics it
is possible for a site to programmatically read the image data and potentially
gain sensitive data from other things that had been displayed earlier. This
problem is due to a bug in the driver for Intel integrated GPUs on recent
Mac OS X hardware, and the problem can be seen in WebGL implementations from
other vendors. Mozilla has implemented a work-around to prevent this from
happening with this hardware-driver combination. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3653
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tw6y-cy6t-x7by |
|
| 423 |
| url |
VCID-u2ea-zsxx-6khx |
| vulnerability_id |
VCID-u2ea-zsxx-6khx |
| summary |
Security researcher Daniel Divricean reported that a defect
in the error handling of JavaScript errors can leak the file names and location
of JavaScript files on a server, leading to inadvertent information disclosure
and a vector for further attacks. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-1187
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u2ea-zsxx-6khx |
|
| 424 |
| url |
VCID-u636-v3x8-6fft |
| vulnerability_id |
VCID-u636-v3x8-6fft |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3866
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u636-v3x8-6fft |
|
| 425 |
| url |
VCID-u714-aeta-j7by |
| vulnerability_id |
VCID-u714-aeta-j7by |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1302
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u714-aeta-j7by |
|
| 426 |
| url |
VCID-u7um-16ay-eqhd |
| vulnerability_id |
VCID-u7um-16ay-eqhd |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover a series of critically rated use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz for reporting two additional use-after-free and memory corruption issues introduced during Firefox development that were fixed before general release.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-5833
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u7um-16ay-eqhd |
|
| 427 |
| url |
VCID-u829-rqhq-afdu |
| vulnerability_id |
VCID-u829-rqhq-afdu |
| summary |
Security researcher Colby Russell discovered that eval in
the web console can execute injected code with chrome privileges, leading to the
running of malicious code in a privileged context. This allows for arbitrary
code execution through a malicious web page if the web console is invoked by the
user. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3980
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u829-rqhq-afdu |
|
| 428 |
| url |
VCID-uesh-b969-pfa6 |
| vulnerability_id |
VCID-uesh-b969-pfa6 |
| summary |
Mozilla developer Jesse Ruderman demonstrated that
by tampering with the window.__proto__.__proto__ object,
one can cause the browser to place a lock on a non-native object,
leading to a crash. Although we have not demonstrated such control, a
determined attacker might be able to exploit this crash to run
arbitrary code on a victim's computer. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5014
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uesh-b969-pfa6 |
|
| 429 |
| url |
VCID-ugzh-a5w2-cbee |
| vulnerability_id |
VCID-ugzh-a5w2-cbee |
| summary |
Mariusz Mlynski reported that if you could convince
a user to hold down the Enter key--as part of a game or test,
perhaps--a malicious page could pop up a download dialog where the held
key would then activate the default Open action. For some file types this
would be merely annoying (the equivalent of a pop-up) but other file
types have powerful scripting capabilities. And this would provide an
avenue for an attacker to exploit a vulnerability in applications not
normally exposed to potentially hostile internet content.
Mariusz also reported a similar flaw with manual plugin installation
using the PLUGINSPAGE attribute. It was possible to create
an internal error that suppressed a confirmation dialog, such that holding
Enter would lead to the installation of an arbitrary add-on. (This variant
did not affect Firefox 3.6.) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3001
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ugzh-a5w2-cbee |
|
| 430 |
| url |
VCID-um8y-xkv9-zya9 |
| vulnerability_id |
VCID-um8y-xkv9-zya9 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3174
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-um8y-xkv9-zya9 |
|
| 431 |
| url |
VCID-umhg-zxkd-bkh5 |
| vulnerability_id |
VCID-umhg-zxkd-bkh5 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the wrapper class XPCSafeJSObjectWrapper (SJOW) on
the Mozilla 1.9.1 development branch has a logical error in its
scripted function implementation that allows the caller to run the
function within the context of another site. This is a violation of
the same-origin policy and could be used to mount an XSS attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2763
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-umhg-zxkd-bkh5 |
|
| 432 |
| url |
VCID-ut68-z785-9kaw |
| vulnerability_id |
VCID-ut68-z785-9kaw |
| summary |
Security researchers Chris Rohlf and Yan
Ivnitskiy of Matasano Security reported that when a
JavaScript Array object had its length set to an
extremely large value, the iteration of array elements that occurs
when its reduceRight method was subsequently called could
result in the execution of attacker controlled memory due to an
invalid index value being used to access element properties. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2371
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ut68-z785-9kaw |
|
| 433 |
| url |
VCID-uzx7-1bns-h7cx |
| vulnerability_id |
VCID-uzx7-1bns-h7cx |
| summary |
Security researcher Orlando Barrera II of SecTheory reported,
via TippingPoint's Zero Day Initiative, that Mozilla's implementation
of Web Workers contained an error in its handling of array data types
when processing posted messages. This error could be used by an
attacker to corrupt heap memory and crash the browser, potentially
running arbitrary code on a victim's computer. Web Workers were introduced in Firefox 3.5; Firefox 3.0
and earlier versions were not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0160
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uzx7-1bns-h7cx |
|
| 434 |
| url |
VCID-vae5-ym3t-3fd1 |
| vulnerability_id |
VCID-vae5-ym3t-3fd1 |
| summary |
Security research firm iDefense reported that
researcher regenrecht discovered a heap-based buffer
overflow in Mozilla's GIF image parser. This vulnerability could
potentially be used by an attacker to crash a victim's browser and run
arbitrary code on their computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3373
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vae5-ym3t-3fd1 |
|
| 435 |
| url |
VCID-vc3j-t6ae-yqf9 |
| vulnerability_id |
VCID-vc3j-t6ae-yqf9 |
| summary |
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Drew Yao of Apple Product Security reported two crashes in Mozilla image rendering code. This vulnerability only affected Firefox 3. David Maciejak of Fortinet's FortiGuard Global Security
Research Team also reported a crash in graphics rendering which only
affected Firefox 3. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4062
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vc3j-t6ae-yqf9 |
|
| 436 |
| url |
VCID-vcz4-mpqz-k7dn |
| vulnerability_id |
VCID-vcz4-mpqz-k7dn |
| summary |
Mozilla developer Blake Kaplan reported that the
wrapper class XPCSafeJSObjectWrapper (SJOW), a security
wrapper that allows content-defined objects to be safely accessed by
privileged code, creates scope chains ending in outer objects. Users
of SJOWs which expect the scope chain to end on an inner object may be
handed a chrome privileged object which could be leveraged to run
arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to
identify this architectural weakness. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2762
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vcz4-mpqz-k7dn |
|
| 437 |
| url |
VCID-vekg-epcv-cqgd |
| vulnerability_id |
VCID-vekg-epcv-cqgd |
| summary |
Security researcher Hidetake Jo of Microsoft
Vulnerability Research reported that the properties set on an object
passed to showModalDialog were readable by the document
contained in the dialog, even when the document was from a different
domain. This is a violation of the same-origin policy and could
result in a website running untrusted JavaScript if it assumed
the dialogArguments could not be initialized by another
site. An anonymous security researcher, via TippingPoint's Zero Day
Initiative, also independently reported this issue to Mozilla. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3988
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vekg-epcv-cqgd |
|
| 438 |
| url |
VCID-vjbh-dhuh-cyaj |
| vulnerability_id |
VCID-vjbh-dhuh-cyaj |
| summary |
Security researcher Christian Holler reported that
the JavaScript engine's internal memory mapping of non-local JS
variables contained a buffer overflow which could potentially be used
by an attacker to run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0054
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vjbh-dhuh-cyaj |
|
| 439 |
| url |
VCID-vk71-ur84-2kgz |
| vulnerability_id |
VCID-vk71-ur84-2kgz |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0463
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vk71-ur84-2kgz |
|
| 440 |
| url |
VCID-vnmm-3sby-y7hk |
| vulnerability_id |
VCID-vnmm-3sby-y7hk |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2374
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vnmm-3sby-y7hk |
|
| 441 |
| url |
VCID-vnu6-2tzh-5kab |
| vulnerability_id |
VCID-vnu6-2tzh-5kab |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3963
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vnu6-2tzh-5kab |
|
| 442 |
|
| 443 |
| url |
VCID-vr3a-xs8t-4qap |
| vulnerability_id |
VCID-vr3a-xs8t-4qap |
| summary |
Security researcher Atte Kettunen from OUSPG reported
several heap memory corruption issues found using the Address Sanitizer tool.
These issues are potentially exploitable, allowing for remote code execution.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4185
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vr3a-xs8t-4qap |
|
| 444 |
| url |
VCID-vt1n-t5vm-67cc |
| vulnerability_id |
VCID-vt1n-t5vm-67cc |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2995
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vt1n-t5vm-67cc |
|
| 445 |
| url |
VCID-vugt-cer6-sfhd |
| vulnerability_id |
VCID-vugt-cer6-sfhd |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that JavaScript arrays were
vulnerable to an integer overflow vulnerability. The report
demonstrated that an array could be constructed containing a very
large number of items such that when memory was allocated to store the
array items, the integer value used to calculate the buffer size would
overflow resulting in too small a buffer being allocated. Subsequent
use of the array object could then result in data being written past
the end of the buffer and causing memory corruption. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3767
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vugt-cer6-sfhd |
|
| 446 |
| url |
VCID-vuq7-9gsu-sbfc |
| vulnerability_id |
VCID-vuq7-9gsu-sbfc |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0464
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vuq7-9gsu-sbfc |
|
| 447 |
|
| 448 |
| url |
VCID-wbbj-pv5p-nuaa |
| vulnerability_id |
VCID-wbbj-pv5p-nuaa |
| summary |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free issues using the Address Sanitizer tool. Many of these issues are potentially exploitable, allowing for remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3956
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wbbj-pv5p-nuaa |
|
| 449 |
| url |
VCID-wesw-ctff-bfff |
| vulnerability_id |
VCID-wesw-ctff-bfff |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-1949
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wesw-ctff-bfff |
|
| 450 |
| url |
VCID-wk8j-jx5v-g7g3 |
| vulnerability_id |
VCID-wk8j-jx5v-g7g3 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported that
a form input control's type could be changed during the restoration of a
closed tab. An attacker could set an input control's text value to the
path of a local file whose location was known to the attacker. If the tab
was then closed and the victim persuaded to re-open it, upon restoring the
tab the attacker could use this vulnerability to change the input type to
file. Scripts in the page could then automatically submit
the form and steal the contents of the user's local file. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0355
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wk8j-jx5v-g7g3 |
|
| 451 |
|
| 452 |
| url |
VCID-wtyd-jcnh-2bhq |
| vulnerability_id |
VCID-wtyd-jcnh-2bhq |
| summary |
Security researcher Dan Kaminsky reported an
integer overflow in the Theora video library. A video's dimensions
were being multiplied together and used in particular memory
allocations. When the video dimensions were sufficiently large, the
multiplication could overflow a 32-bit integer resulting in too small
a memory buffer being allocated for the video. An attacker could use
a specially crafted video to write data past the bounds of this
buffer, causing a crash and potentially running arbitrary code on a
victim's computer. Mozilla intern David Keeler also independently
reported this issue as well as an additional crash which was
determined to be a denial-of-service. Video capabilities were added to the Mozilla browser engine
in Firefox 3.5, SeaMonkey 2.0, and Thunderbird 3.0; prior releases of these
products were not affected. These bugs were fixed upstream in Theora version 1.1
("Thusnelda") but the older version used in Firefox 3.5 needed this
patch. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3389
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wtyd-jcnh-2bhq |
|
| 453 |
| url |
VCID-wwk8-bpv8-zyhh |
| vulnerability_id |
VCID-wwk8-bpv8-zyhh |
| summary |
Mozilla developer Ehsan Akhgari reported that a
function used to load external libraries on Windows platforms was
using a relative path to a DLL-loading application and was thus
vulnerable to binary planting if an attacker was able to place an
executable of the same name in the current working directory or any of
the other locations that Windows searches for executables. Dmitri Gribenko reported that the script used to
launch Mozilla applications on Linux was effectively including the
current working directory in the LD_LIBRARY_PATH
environment variable. If an attacker was able to place into the
current working directory a malicious shared library with the same
name as a library that the bootstrapping script depends on, the
attacker could have their library loaded instead of the legitimate
library. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3182
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wwk8-bpv8-zyhh |
|
| 454 |
| url |
VCID-x444-96ea-pfc4 |
| vulnerability_id |
VCID-x444-96ea-pfc4 |
| summary |
Security researcher Mariusz Mlynski reported that an
attacker able to convince a potential victim to set a new home page by dragging
a link to the "home" button can set that user's home page to a
javascript: URL. Once this is done the attacker's page can cause
repeated crashes of the browser, eventually getting the script URL loaded in the
privileged about:sessionrestore context. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0458
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x444-96ea-pfc4 |
|
| 455 |
|
| 456 |
| url |
VCID-x7qs-rmew-4qe3 |
| vulnerability_id |
VCID-x7qs-rmew-4qe3 |
| summary |
Mozilla security researcher David Chan reported
that cookies set for example.com. (note the trailing dot)
and example.com were treated as interchangeable. This is
a violation of same-origin conventions and could potentially lead to
leakage of cookie data to the wrong party. This issue did not affect Firefox 4, SeaMonkey 2.1, or newer
Mozilla-based products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2362
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x7qs-rmew-4qe3 |
|
| 457 |
| url |
VCID-xe95-tcad-cyhu |
| vulnerability_id |
VCID-xe95-tcad-cyhu |
| summary |
Mozilla security researcher Georgi Guninski reported
that the fix for an earlier vulnerability reported by Liu Die Yu using local
internet shortcut files to access other sites
(MFSA 2008-47) could be bypassed
by redirecting to a privileged about: URI such as
about:plugins.
If an attacker could get a victim to
download two files, a malicious HTML file and a .desktop shortcut
file, they could have the HTML document load a privileged chrome document
via the shortcut and both documents would be treated as same origin.
This vulnerability could potentially be used by an attacker to inject
arbitrary code into the chrome document and execute with chrome
privileges. Because this attack has relatively high complexity, the
severity of this issue was determined to be moderate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0356
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xe95-tcad-cyhu |
|
| 458 |
| url |
VCID-xh5q-bfkr-guep |
| vulnerability_id |
VCID-xh5q-bfkr-guep |
| summary |
Security researcher Collin Jackson reported that
the -moz-binding CSS property can be used to bypass security checks
which validate codebase principals. Similar to the issue reported
in MFSA 2008-23, Jackson demonstrated
that an attacker can replace a stylesheet in a signed JAR which uses
relative paths, and can then use the -moz-binding property to inject
malicious script into the JAR. The injected script will be executed
with the privileges of the signed JAR. This vulnerability can thus
allow an attacker to run arbitrary JavaScript within the context of
another site. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5023
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xh5q-bfkr-guep |
|
| 459 |
| url |
VCID-xhfm-9dtr-63cj |
| vulnerability_id |
VCID-xhfm-9dtr-63cj |
| summary |
Security researcher Atte Kettunen from OUSPG found two
issues with Firefox's handling of SVG using the Address Sanitizer tool. The
first issue, critically rated, is a use-after-free in SVG animation that could
potentially lead to arbitrary code execution. The second issue is rated moderate
and is an out of bounds read in SVG Filters. This could potentially incorporate
data from the user's memory, making it accessible to the page content. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0457
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xhfm-9dtr-63cj |
|
| 460 |
| url |
VCID-xj7k-fek3-gbhh |
| vulnerability_id |
VCID-xj7k-fek3-gbhh |
| summary |
Mozilla developer Vladimir Vukicevic reported that
a canvas element can be used to read data from another site, violating
the same-origin policy. The read restriction placed on a canvas
element which has had cross-origin data rendered into it can be
bypassed by retaining a reference to the canvas element's context and
deleting the associated canvas node from the DOM. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1207
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xj7k-fek3-gbhh |
|
| 461 |
| url |
VCID-xt9w-ahy8-bfb6 |
| vulnerability_id |
VCID-xt9w-ahy8-bfb6 |
| summary |
Georgi Guninski reported a buffer overflow in the handling of cancelled newsgroup messages. The error was caused by too small a heap buffer being allocated to store message header information. This buffer could be overrun by an attacker using a specially crafted message which could crash the mail reader and potentially be used to run arbitrary code on the victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4070
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xt9w-ahy8-bfb6 |
|
| 462 |
| url |
VCID-xtst-5kbr-fba9 |
| vulnerability_id |
VCID-xtst-5kbr-fba9 |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2997
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xtst-5kbr-fba9 |
|
| 463 |
| url |
VCID-xvw5-jd6a-9ff3 |
| vulnerability_id |
VCID-xvw5-jd6a-9ff3 |
| summary |
Security researcher miaubiz used the Address Sanitizer tool
to discover two WebGL issues. The first issue is a use-after-free when WebGL
shaders are called after being destroyed. The second issue exposes a problem
with Mesa drivers on Linux, leading to a potentially exploitable crash. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-3968
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xvw5-jd6a-9ff3 |
|
| 464 |
| url |
VCID-xwn1-qre7-k7cc |
| vulnerability_id |
VCID-xwn1-qre7-k7cc |
| summary |
Security researcher Jonathan Morgan reported that
when a page loaded over an insecure protocol, such as http: or file:,
sets its document.location to a https: URL which
responds with a 204 status and empty response body, the insecure page
will receive SSL indicators near the location bar, but will not have
its page content modified in any way. This could lead to a user
believing they were on a secure page when in fact they were not. Security researcher Jordi Chancel reported an
issue similar to one fixed
in mfsa2009-44 in which a web page can
set document.location to a URL that can't be displayed
properly and then inject content into the resulting blank page. An
attacker could use this vulnerability to place a legitimate-looking
but invalid URL in the location bar and inject HTML and JavaScript
into the body of the page, resulting in a spoofing attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3985
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xwn1-qre7-k7cc |
|
| 465 |
| url |
VCID-xyfx-jjk2-3bff |
| vulnerability_id |
VCID-xyfx-jjk2-3bff |
| summary |
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in the implementation of
the window.navigator.plugins object. When a page
reloads, the plugins array would reallocate all of its members without
checking for existing references to each member. This could result in
the deletion of objects for which valid pointers still exist. An
attacker could use this vulnerability to crash a victim's browser and
run arbitrary code on the victim's machine. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-0177
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xyfx-jjk2-3bff |
|
| 466 |
| url |
VCID-y2ky-dg41-yqfe |
| vulnerability_id |
VCID-y2ky-dg41-yqfe |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1212
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y2ky-dg41-yqfe |
|
| 467 |
|
| 468 |
| url |
VCID-y5e5-wa84-j3bz |
| vulnerability_id |
VCID-y5e5-wa84-j3bz |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0165
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y5e5-wa84-j3bz |
|
| 469 |
| url |
VCID-y5rs-pd7w-m3ce |
| vulnerability_id |
VCID-y5rs-pd7w-m3ce |
| summary |
Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below.
Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4194
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y5rs-pd7w-m3ce |
|
| 470 |
| url |
VCID-y6rz-xqjf-wfdn |
| vulnerability_id |
VCID-y6rz-xqjf-wfdn |
| summary |
Security researcher Soroush Dalili reported that
potentially sensitive URL parameters could be leaked across domains
upon script errors when the script filename and line number are
included in the error message. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-2754
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y6rz-xqjf-wfdn |
|
| 471 |
| url |
VCID-y6vr-xak2-5ufg |
| vulnerability_id |
VCID-y6vr-xak2-5ufg |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1203
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y6vr-xak2-5ufg |
|
| 472 |
| url |
VCID-y8wr-ds4z-gfc2 |
| vulnerability_id |
VCID-y8wr-ds4z-gfc2 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the owner document of an element can become null after garbage
collection. In such cases, event listeners may be executed within the
wrong JavaScript context. An attacker could potentially use this
vulnerability to have a malicious event handler execute arbitrary
JavaScript with chrome privileges. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-1838
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y8wr-ds4z-gfc2 |
|
| 473 |
| url |
VCID-ycjq-pc6z-b7d2 |
| vulnerability_id |
VCID-ycjq-pc6z-b7d2 |
| summary |
IOActive security researcher Dan Kaminsky reported a
mismatch in the treatment of domain names in SSL certificates between SSL
clients and the Certificate Authorities (CA) which issue server certificates.
In particular, if a malicious person requested a certificate for a host name
with an invalid null character in it most CAs would issue the
certificate if the requester owned the domain specified after the null, while
most SSL clients (browsers) ignored that part of the name and used the
unvalidated part in front of the null. This made it possible for attackers to
obtain certificates that would function for any site they wished to target.
These certificates could be used to intercept and potentially alter encrypted
communication between the client and a server such as sensitive bank
account transactions. This vulnerability was independently reported to us by researcher
Moxie Marlinspike who also noted that since Firefox
relies on SSL to protect the integrity of security updates this attack
could be used to serve malicious updates. Mozilla would like to thank Dan and the Microsoft Vulnerability
Research team for coordinating a multiple-vendor response to this problem. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-2408
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ycjq-pc6z-b7d2 |
|
| 474 |
| url |
VCID-yd45-93fw-13df |
| vulnerability_id |
VCID-yd45-93fw-13df |
| summary |
Mozilla security researcher Georgi Guninski
reported that when a SVG document which is served
with Content-Type: application/octet-stream is embedded
into another document via an <embed> tag
with type="image/svg+xml", the Content-Type is ignored
and the SVG document is processed normally. A website which allows
arbitrary binary data to be uploaded but which relies
on Content-Type: application/octet-stream to prevent
script execution could have such protection bypassed. An attacker
could upload a SVG document containing JavaScript as a binary file to
a website, embed the SVG document into a malicious page on another
site, and gain access to the script environment from the SVG-serving
site, bypassing the same-origin policy. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0162
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yd45-93fw-13df |
|
| 475 |
| url |
VCID-ye7n-9kgr-mqc9 |
| vulnerability_id |
VCID-ye7n-9kgr-mqc9 |
| summary |
One of the security fixes in Firefox 3.0.9 introduced a
regression that caused some users to experience frequent crashes.
Users of the HTML Validator add-on were particularly affected, but
other users also experienced this crash in some situations.
In analyzing this crash we discovered that it was due to memory
corruption similar to cases that have been identified as security
vulnerabilities in the past. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1313
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ye7n-9kgr-mqc9 |
|
| 476 |
|
| 477 |
| url |
VCID-yh2k-hmgj-c3h8 |
| vulnerability_id |
VCID-yh2k-hmgj-c3h8 |
| summary |
Security researcher Gregory Fleischer reported
that text within a selection on a web page can be read by JavaScript
in a different domain using the document.getSelection
function, violating the same-origin policy. Since this vulnerability
requires user interaction to exploit, its severity was determined to
be moderate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-3375
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yh2k-hmgj-c3h8 |
|
| 478 |
| url |
VCID-yh3u-9dtq-4qeu |
| vulnerability_id |
VCID-yh3u-9dtq-4qeu |
| summary |
Mozilla security researcher moz_bug_r_a4 reported
that the XMLHttpRequestSpy module in the Firebug add-on was exposing
an underlying chrome privilege escalation vulnerability. When the
XMLHttpRequestSpy object was created, it would attach various
properties of itself to objects defined in web content, which were not
being properly wrapped to prevent their exposure to chrome privileged
objects. This could result in an attacker running arbitrary
JavaScript on a victim's machine, though it required the victim to
have Firebug installed, so the overall severity of the issue was
determined to be High. This vulnerability does not affect Firefox 3.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0179
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yh3u-9dtq-4qeu |
|
| 479 |
| url |
VCID-yn1g-pbm8-mybp |
| vulnerability_id |
VCID-yn1g-pbm8-mybp |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-4508
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yn1g-pbm8-mybp |
|
| 480 |
| url |
VCID-yn2w-7p56-y7fe |
| vulnerability_id |
VCID-yn2w-7p56-y7fe |
| summary |
Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-1201
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yn2w-7p56-y7fe |
|
| 481 |
| url |
VCID-yrjj-qpxp-hfbv |
| vulnerability_id |
VCID-yrjj-qpxp-hfbv |
| summary |
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. Update (March 1, 2011): CVE-2010-3777 was
fixed in Firefox 3.5.17 |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3778
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yrjj-qpxp-hfbv |
|
| 482 |
| url |
VCID-ywsg-yvdy-wkb6 |
| vulnerability_id |
VCID-ywsg-yvdy-wkb6 |
| summary |
Security researcher Attila Suszter reported that
when a page contains a Flash object which presents a slow script
dialog, and the page is navigated while the dialog is still visible to
the user, the Flash plugin is unloaded resulting in a crash due to a
call to the deleted object. This crash could potentially be used by
an attacker to run arbitrary code on a victim's computer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2467
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ywsg-yvdy-wkb6 |
|
| 483 |
| url |
VCID-yy1m-2bvc-hbc1 |
| vulnerability_id |
VCID-yy1m-2bvc-hbc1 |
| summary |
Mozilla security researcher moz_bug_r_a4 reported a
series of vulnerabilities in feedWriter which allow scripts from page
content to run with chrome privileges. Firefox 3 is not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-3836
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yy1m-2bvc-hbc1 |
|
| 484 |
| url |
VCID-yy5w-b7b7-ybd1 |
| vulnerability_id |
VCID-yy5w-b7b7-ybd1 |
| summary |
Mozilla developers fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3651
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yy5w-b7b7-ybd1 |
|
| 485 |
| url |
VCID-z5zp-5nv7-gkgp |
| vulnerability_id |
VCID-z5zp-5nv7-gkgp |
| summary |
Kojima Hajime reported that unlike literal null
characters which were handled correctly, the escaped form '\0'
was ignored by the CSS parser and treated as if it was not present in
the CSS input string. This issue could potentially be used to bypass
script sanitization routines in web applications. The severity of
this issue was determined to be low. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-5510
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z5zp-5nv7-gkgp |
|
| 486 |
| url |
VCID-z6en-1gzy-6ffc |
| vulnerability_id |
VCID-z6en-1gzy-6ffc |
| summary |
phpBB developer Henry Sudhof reported that when an
image tag points to a resource that redirects to
a mailto: URL, the external mail handler application is
launched. This issue poses no security threat to users but could
create an annoyance when browsing a site that allows users to post
arbitrary images. This issue has not been fixed in Firefox 3.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0181
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z6en-1gzy-6ffc |
|
| 487 |
| url |
VCID-z7p6-x5jx-97cr |
| vulnerability_id |
VCID-z7p6-x5jx-97cr |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2061
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z7p6-x5jx-97cr |
|
| 488 |
| url |
VCID-zbug-3a8h-tfbv |
| vulnerability_id |
VCID-zbug-3a8h-tfbv |
| summary |
Developer and Mozilla community member Paolo
Amadini reported that when saving the inner frame of a web
page as a file when the outer page has POST data associated with it,
the POST data will be incorrectly sent to the URL of the inner frame.
This could potentially result in a user's sensitive data being sent to
a site for which it was not intended. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-1311
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zbug-3a8h-tfbv |
|
| 489 |
| url |
VCID-zdjb-aut8-rbeb |
| vulnerability_id |
VCID-zdjb-aut8-rbeb |
| summary |
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may
allow execution of arbitrary code or local privilege escalation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-0367
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zdjb-aut8-rbeb |
|
| 490 |
| url |
VCID-zee6-uc6n-4kck |
| vulnerability_id |
VCID-zee6-uc6n-4kck |
| summary |
Security Researcher Mike Brooks of Sitewatch reported that
if multiple Content Security Policy (CSP) headers are present on a page, they
have an additive effect on the page policy. Using carriage return line feed (CRLF)
injection, a new CSP rule can be introduced which allows for cross-site
scripting (XSS) on sites with a separate header injection vulnerability.
Firefox 3.6 and Thunderbird 3.1 are not affected by this
vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-0451
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zee6-uc6n-4kck |
|
| 491 |
| url |
VCID-zejg-gepa-yqaf |
| vulnerability_id |
VCID-zejg-gepa-yqaf |
| summary |
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute's value is set to "top". This can allow for possible cross-site scripting (XSS) attacks through plugins.
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-4209
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zejg-gepa-yqaf |
|
| 492 |
| url |
VCID-zey8-rnp8-7yh9 |
| vulnerability_id |
VCID-zey8-rnp8-7yh9 |
| summary |
David Rees reported that the JSSubScriptLoader (a
feature used by some add-ons) was "unwrapping" XPCNativeWrappers when they
were used as the scope parameter to loadSubScript(). Without
the protection of the wrappers the add-on could be vulnerable to privilege
escalation attacks from malicious web content. Whether any given add-on
were vulnerable would depend on how the add-on used the feature
and whether it interacted directly with web content, but we did find
at least one vulnerable add-on and presume there are more.
The unwrapping behavior was a change introduced during Firefox 4
development. Firefox 3.6 and earlier versions are not affected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3004
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zey8-rnp8-7yh9 |
|
| 493 |
| url |
VCID-zgcc-resp-k3h5 |
| vulnerability_id |
VCID-zgcc-resp-k3h5 |
| summary |
For historical reasons Firefox has been generous in its interpretation of web
addresses containing square brackets around the host. If this host was not a
valid IPv6 literal address, Firefox attempted to interpret the host as a regular
domain name. Gregory Fleischer reported that requests made
using IPv6 syntax using XMLHttpRequest objects through a proxy may generate
errors depending on proxy configuration for IPv6. The resulting error messages
from the proxy may disclose sensitive data because Same-Origin Policy (SOP) will
allow the XMLHttpRequest object to read these error messages, allowing user
privacy to be eroded. Firefox now enforces RFC 3986 IPv6 literal syntax and that
may break links written using the non-standard Firefox-only forms that were
previously accepted.
This was fixed previously for Firefox 7.0, Thunderbird 7.0, and
SeaMonkey 2.4 but only fixed in Firefox 3.6.26 and Thunderbird 3.1.18 during
2012. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-3670
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zgcc-resp-k3h5 |
|
| 494 |
| url |
VCID-zhdz-2jas-bbaj |
| vulnerability_id |
VCID-zhdz-2jas-bbaj |
| summary |
Google security researcher Chris Evans reported that a
website could access a limited amount of data from a different domain by
loading a same-domain JavaScript URL which redirects to an off-domain
target resource containing data
which is not parsable as JavaScript. Upon attempting to load the data as
JavaScript a syntax error is generated that can reveal some of the file
context via the window.onerror DOM API. This issue could be used by a malicious website to steal private data
from users who are authenticated on the redirected website. How much
data could be at risk would depend on the format of the data and how
the JavaScript parser attempts to interpret it. For most files the
amount of data that can be recovered would be limited to the first
word or two. Some data files might allow deeper probing with
repeated loads. Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail. Update December 18, 2008: The Windows version of Firefox
2.0.0.19 was shipped without the fix for this issue (other platforms
were correctly patched). Firefox 2.0.0.20 has been released on Windows
to correct this oversight. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-5507
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zhdz-2jas-bbaj |
|
| 495 |
| url |
VCID-znvx-aqbr-2yck |
| vulnerability_id |
VCID-znvx-aqbr-2yck |
| summary |
Mozilla developers added support in the Network Security Services
module for preventing a type of man-in-the-middle attack against TLS
using forced renegotiation. Note that to benefit from the fix, Firefox 3.6 and
Firefox 3.5 users will need to set
their security.ssl.require_safe_negotiation preference to
true. Firefox 3 does not contain the fix for this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
http://clicky.me/tlsvuln |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://clicky.me/tlsvuln |
|
| 5 |
| reference_url |
http://extendedsubset.com/?p=8 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://extendedsubset.com/?p=8 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
|
| 63 |
|
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
|
| 71 |
|
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
|
| 76 |
|
| 77 |
|
| 78 |
|
| 79 |
|
| 80 |
|
| 81 |
|
| 82 |
|
| 83 |
|
| 84 |
|
| 85 |
|
| 86 |
|
| 87 |
|
| 88 |
|
| 89 |
|
| 90 |
|
| 91 |
|
| 92 |
|
| 93 |
|
| 94 |
|
| 95 |
|
| 96 |
|
| 97 |
|
| 98 |
|
| 99 |
|
| 100 |
|
| 101 |
|
| 102 |
|
| 103 |
|
| 104 |
|
| 105 |
|
| 106 |
|
| 107 |
|
| 108 |
|
| 109 |
|
| 110 |
|
| 111 |
|
| 112 |
|
| 113 |
|
| 114 |
|
| 115 |
|
| 116 |
|
| 117 |
|
| 118 |
|
| 119 |
|
| 120 |
|
| 121 |
|
| 122 |
|
| 123 |
|
| 124 |
| reference_url |
http://support.apple.com/kb/HT4004 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://support.apple.com/kb/HT4004 |
|
| 125 |
| reference_url |
http://support.apple.com/kb/HT4170 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://support.apple.com/kb/HT4170 |
|
| 126 |
| reference_url |
http://support.apple.com/kb/HT4171 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://support.apple.com/kb/HT4171 |
|
| 127 |
|
| 128 |
|
| 129 |
|
| 130 |
|
| 131 |
|
| 132 |
|
| 133 |
|
| 134 |
|
| 135 |
|
| 136 |
|
| 137 |
|
| 138 |
|
| 139 |
|
| 140 |
|
| 141 |
|
| 142 |
|
| 143 |
|
| 144 |
| reference_url |
http://ubuntu.com/usn/usn-923-1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://ubuntu.com/usn/usn-923-1 |
|
| 145 |
|
| 146 |
|
| 147 |
|
| 148 |
|
| 149 |
|
| 150 |
|
| 151 |
|
| 152 |
|
| 153 |
|
| 154 |
|
| 155 |
|
| 156 |
|
| 157 |
|
| 158 |
|
| 159 |
|
| 160 |
|
| 161 |
|
| 162 |
|
| 163 |
|
| 164 |
|
| 165 |
|
| 166 |
|
| 167 |
| reference_url |
http://www.kb.cert.org/vuls/id/120541 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.kb.cert.org/vuls/id/120541 |
|
| 168 |
| reference_url |
http://www.links.org/?p=780 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.links.org/?p=780 |
|
| 169 |
| reference_url |
http://www.links.org/?p=786 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.links.org/?p=786 |
|
| 170 |
| reference_url |
http://www.links.org/?p=789 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.links.org/?p=789 |
|
| 171 |
|
| 172 |
|
| 173 |
|
| 174 |
|
| 175 |
|
| 176 |
|
| 177 |
|
| 178 |
|
| 179 |
|
| 180 |
|
| 181 |
|
| 182 |
|
| 183 |
|
| 184 |
|
| 185 |
|
| 186 |
|
| 187 |
|
| 188 |
|
| 189 |
|
| 190 |
|
| 191 |
|
| 192 |
|
| 193 |
|
| 194 |
|
| 195 |
|
| 196 |
|
| 197 |
|
| 198 |
|
| 199 |
|
| 200 |
|
| 201 |
|
| 202 |
|
| 203 |
|
| 204 |
|
| 205 |
|
| 206 |
| reference_url |
http://www.tombom.co.uk/blog/?p=85 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.tombom.co.uk/blog/?p=85 |
|
| 207 |
| reference_url |
http://www.ubuntu.com/usn/USN-1010-1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.ubuntu.com/usn/USN-1010-1 |
|
| 208 |
| reference_url |
http://www.ubuntu.com/usn/USN-927-1 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.ubuntu.com/usn/USN-927-1 |
|
| 209 |
| reference_url |
http://www.ubuntu.com/usn/USN-927-4 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.ubuntu.com/usn/USN-927-4 |
|
| 210 |
| reference_url |
http://www.ubuntu.com/usn/USN-927-5 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://www.ubuntu.com/usn/USN-927-5 |
|
| 211 |
|
| 212 |
|
| 213 |
|
| 214 |
|
| 215 |
|
| 216 |
|
| 217 |
|
| 218 |
|
| 219 |
|
| 220 |
|
| 221 |
|
| 222 |
|
| 223 |
|
| 224 |
|
| 225 |
|
| 226 |
|
| 227 |
|
| 228 |
|
| 229 |
|
| 230 |
|
| 231 |
|
| 232 |
|
| 233 |
|
| 234 |
|
| 235 |
|
| 236 |
|
| 237 |
|
| 238 |
|
| 239 |
|
| 240 |
|
| 241 |
|
| 242 |
|
| 243 |
|
| 244 |
|
| 245 |
|
| 246 |
|
| 247 |
|
| 248 |
|
| 249 |
|
| 250 |
|
| 251 |
|
| 252 |
|
| 253 |
|
| 254 |
|
| 255 |
|
| 256 |
|
| 257 |
|
| 258 |
|
| 259 |
|
| 260 |
|
| 261 |
|
| 262 |
|
| 263 |
|
| 264 |
|
| 265 |
|
| 266 |
|
| 267 |
|
| 268 |
|
| 269 |
|
| 270 |
|
| 271 |
|
| 272 |
|
| 273 |
|
| 274 |
|
| 275 |
|
| 276 |
|
| 277 |
|
| 278 |
|
| 279 |
|
| 280 |
|
| 281 |
|
| 282 |
|
| 283 |
|
| 284 |
|
| 285 |
|
| 286 |
|
| 287 |
|
| 288 |
|
| 289 |
|
| 290 |
|
| 291 |
|
| 292 |
|
| 293 |
|
| 294 |
|
| 295 |
|
| 296 |
|
| 297 |
|
| 298 |
|
| 299 |
|
| 300 |
|
| 301 |
|
| 302 |
|
| 303 |
|
| 304 |
|
| 305 |
| reference_url |
http://osvdb.org/60521 |
| reference_id |
60521 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://osvdb.org/60521 |
|
| 306 |
| reference_url |
http://osvdb.org/60972 |
| reference_id |
60972 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://osvdb.org/60972 |
|
| 307 |
| reference_url |
http://osvdb.org/62210 |
| reference_id |
62210 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://osvdb.org/62210 |
|
| 308 |
| reference_url |
http://osvdb.org/65202 |
| reference_id |
65202 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T15:38:52Z/ |
|
|
| url |
http://osvdb.org/65202 |
|
| 309 |
|
| 310 |
|
| 311 |
|
| 312 |
|
| 313 |
|
| 314 |
|
| 315 |
|
| 316 |
|
| 317 |
|
| 318 |
|
| 319 |
|
| 320 |
|
| 321 |
|
| 322 |
|
| 323 |
|
| 324 |
|
| 325 |
|
| 326 |
|
| 327 |
|
| 328 |
|
| 329 |
|
| 330 |
|
| 331 |
|
| 332 |
|
| 333 |
|
| 334 |
|
| 335 |
|
| 336 |
|
| 337 |
|
| 338 |
|
| 339 |
|
| 340 |
|
| 341 |
|
| 342 |
|
| 343 |
|
| 344 |
|
| 345 |
|
| 346 |
|
| 347 |
|
| 348 |
|
| 349 |
|
| 350 |
|
| 351 |
|
| 352 |
|
| 353 |
|
| 354 |
|
| 355 |
|
| 356 |
|
| 357 |
|
| 358 |
|
| 359 |
|
| 360 |
|
| 361 |
|
| 362 |
|
| 363 |
|
| 364 |
|
| 365 |
|
| 366 |
|
| 367 |
|
| 368 |
|
| 369 |
|
| 370 |
|
| 371 |
|
| 372 |
|
| 373 |
|
| 374 |
|
| 375 |
|
| 376 |
|
| 377 |
|
| 378 |
|
| 379 |
|
| 380 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3555, GHSA-f7w7-6pjc-wwm6, VU#120541
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-znvx-aqbr-2yck |
|
| 496 |
| url |
VCID-zp33-mbkb-aydv |
| vulnerability_id |
VCID-zp33-mbkb-aydv |
| summary |
Security researcher J23 reported via
TippingPoint's Zero Day Initiative an error in the code used to store
the names and values of plugin parameter elements. A malicious page
could embed plugin content containing a very large number of parameter
elements which would cause an overflow in the integer value counting
them. This integer is later used in allocating a memory buffer used
to store the plugin parameters. Under such conditions, too small a
buffer would be created and attacker-controlled data could be written
past the end of the buffer, potentially resulting in code
execution. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-1214
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zp33-mbkb-aydv |
|
| 497 |
| url |
VCID-ztea-k4bh-bug9 |
| vulnerability_id |
VCID-ztea-k4bh-bug9 |
| summary |
Security researchers David Huang
and Collin Jackson of Carnegie Mellon University
CyLab (Silicon Valley campus) reported that the type
attribute of an <object> tag can override the charset of a
framed HTML document, even when the document is included across
origins. A page could be constructed containing such an
<object> tag which sets the charset of the framed document to
UTF-7. This could potentially allow an attacker to inject UTF-7
encoded JavaScript into a site, bypassing the site's XSS filters, and
then executing the code using the above technique. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-2768
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ztea-k4bh-bug9 |
|
| 498 |
| url |
VCID-zxps-xjq5-qyha |
| vulnerability_id |
VCID-zxps-xjq5-qyha |
| summary |
Security researcher Paul Stone reported that a
Java applet could be used to mimic interaction with form autocomplete
controls and steal entries from the form history. Firefox 4 was not affected by this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0067
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zxps-xjq5-qyha |
|
| 499 |
| url |
VCID-zy16-tskh-aka5 |
| vulnerability_id |
VCID-zy16-tskh-aka5 |
| summary |
Developer and Mozilla community member Wladimir Palant
reported that cookies marked HTTPOnly were readable by JavaScript via
the XMLHttpRequest.getResponseHeader and
XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability
bypasses the security mechanism provided by the HTTPOnly flag which
intends to restrict JavaScript access to document.cookie. The fix prevents the XMLHttpRequest feature from accessing the
Set-Cookie and Set-Cookie2 headers of any response
whether or not the HTTPOnly flag was set for those cookies. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-0357
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zy16-tskh-aka5 |
|