Vulnerabilities > CVE-2011-3671 - Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Use-after-free vulnerability in the nsHTMLSelectElement function in nsHTMLSelectElement.cpp in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allows remote attackers to execute arbitrary code via vectors involving removal of the parent node of an element.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
# Page metadata for this listing:
#   NASL family: Windows
#   NASL id: SEAMONKEY_26.NASL
#   description (truncated on the page): The installed version of SeaMonkey is earlier than 2.6.0. Such versions are potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
#   last seen: 2020-06-01
#   modified: 2020-06-02
#   plugin id: 57353
#   published: 2011-12-20
#   reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source: https://www.tenable.com/plugins/nessus/57353
#   title: SeaMonkey < 2.6.0 Multiple Vulnerabilities
#
# Purpose: version-based check that reports SeaMonkey installs recorded in the
# scanner knowledge base (KB) with a version below 2.6.0. The visible code only
# reads KB entries and calls mozilla_check_version(); a finding means
# "potentially affected by version", not that any listed flaw was confirmed.
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: the statements inside this branch only declare plugin
# metadata (ids, references, text, scoring) and then exit.
if (description)
{
  script_id(57353);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  # One plugin covers six CVEs; the metadata below is shared by all of them.
  script_cve_id( "CVE-2011-3658", "CVE-2011-3660", "CVE-2011-3661", "CVE-2011-3663", "CVE-2011-3665", "CVE-2011-3671" );
  script_bugtraq_id( 51133, 51134, 51135, 51136, 51138, 54080 );
  script_xref(name:"EDB-ID", value:"18847");

  script_name(english:"SeaMonkey < 2.6.0 Multiple Vulnerabilities");
  script_summary(english:"Checks version of SeaMonkey");

  script_set_attribute(attribute:"synopsis",value:
    "The remote Windows host contains a web browser that is affected by several vulnerabilities.");
  script_set_attribute(attribute:"description",value:
    "The installed version of SeaMonkey is earlier than 2.6.0. Such versions are potentially affected by the following security issues : - An out-of-bounds memory access error exists in the 'SVG' implementation and can be triggered when 'SVG' elements are removed during a 'DOMAttrModified' event handler. (CVE-2011-3658) - Various memory safety errors exist that can lead to memory corruption and possible code execution. (CVE-2011-3660) - An error exists in the 'YARR' regular expression library that can cause application crashes when handling certain JavaScript statements. (CVE-2011-3661) - It is possible to detect keystrokes using 'SVG' animation 'accesskey' events even when JavaScript is disabled. (CVE-2011-3663) - It is possible to crash the application when 'OGG' 'video' elements are scaled to extreme sizes. (CVE-2011-3665) - A use-after-free error exists related to the function 'nsHTMLSelectElement' that can allow arbitrary code execution during operations such as removal of a parent node of an element. (CVE-2011-3671)" );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-056/");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
  script_set_attribute(attribute:"solution", value:"Upgrade to SeaMonkey 2.6.0 or later.");

  # NOTE(review): a single base vector (AC:M, C:C/I:C/A:C) is set for the whole
  # bundle. It differs from the rating this page shows for CVE-2011-3671 alone
  # (complexity LOW, partial impacts), so use the per-CVE score when triaging
  # one issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # NOTE(review): the exploit flags below are plugin-wide. The Metasploit module
  # named here refers to an nsSVGValue out-of-bounds access, which matches the
  # SVG issue described for CVE-2011-3658 rather than the nsHTMLSelectElement
  # use-after-free (CVE-2011-3671) - confirm per CVE before prioritising.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:seamonkey");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  # The version data is produced by another plugin; this one only consumes it.
  script_dependencies("mozilla_org_installed.nasl");
  script_require_keys("SeaMonkey/Version");
  exit(0);
}

include("mozilla_version.inc");

# Fall back to 445 when the KB holds no SMB transport entry. `port` is not
# referenced again in the visible code; presumably mozilla_check_version()
# reads it when reporting - confirm against mozilla_version.inc.
port = get_kb_item("SMB/transport");
if (!port) port = 445;

# No SeaMonkey entries in the KB: audit out as "not installed".
installs = get_kb_list("SMB/SeaMonkey/*");
if (isnull(installs)) audit(AUDIT_NOT_INST, "SeaMonkey");

# Compare each recorded install against the fixed version 2.6.0.
mozilla_check_version(installs:installs, product:'seamonkey', fix:'2.6.0', severity:SECURITY_HOLE);
# Page metadata for this listing:
#   NASL family: MacOS X Local Security Checks
#   NASL id: MACOSX_THUNDERBIRD_9_0.NASL
#   description (truncated on the page): The installed version of Thunderbird 8.x is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
#   last seen: 2020-06-01
#   modified: 2020-06-02
#   plugin id: 57361
#   published: 2011-12-21
#   reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source: https://www.tenable.com/plugins/nessus/57361
#   title: Thunderbird 8.x Multiple Vulnerabilities (Mac OS X)
#
# Purpose: version-based check that reports a Mac OS X Thunderbird install
# whose major version is 8. The visible code only reads KB entries and compares
# the version; a finding means "potentially affected by version".
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: the statements inside this branch only declare plugin
# metadata (ids, references, text, scoring) and then exit.
if (description)
{
  script_id(57361);
  script_version("1.20");
  script_cvs_date("Date: 2018/07/16 12:48:31");

  # One plugin covers seven CVEs; the metadata below is shared by all of them.
  script_cve_id( "CVE-2011-3658", "CVE-2011-3660", "CVE-2011-3661", "CVE-2011-3663", "CVE-2011-3664", "CVE-2011-3665", "CVE-2011-3671" );
  script_bugtraq_id(51133, 51134, 51135, 51136, 51137, 51138, 54080);

  script_name(english:"Thunderbird 8.x Multiple Vulnerabilities (Mac OS X)");
  script_summary(english:"Checks version of Thunderbird");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains an email client that is potentially affected by several vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The installed version of Thunderbird 8.x is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the 'SVG' implementation and can be triggered when 'SVG' elements are removed during a 'DOMAttrModified' event handler. (CVE-2011-3658) - Various memory safety errors exist that can lead to memory corruption and possible code execution. (CVE-2011-3660) - An error exists in the 'YARR' regular expression library that can cause application crashes when handling certain JavaScript statements. (CVE-2011-3661) - It is possible to detect keystrokes using 'SVG' animation 'accesskey' events even when JavaScript is disabled. (CVE-2011-3663) - An error exists related to plugins that can allow a NULL pointer to be dereferenced when a plugin deletes its containing DOM frame during a call from that frame. It may be possible for a non-NULL pointer to be dereferenced thereby opening up the potential for further exploitation. (CVE-2011-3664) - It is possible to crash the application when 'OGG' 'video' elements are scaled to extreme sizes. (CVE-2011-3665) - A use-after-free error exists related to the function 'nsHTMLSelectElement' that can allow arbitrary code execution during operations such as removal of a parent node of an element. (CVE-2011-3671)");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-57/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
  script_set_attribute(attribute:"solution", value:"Upgrade to Thunderbird 9.0 or later.");

  # NOTE(review): a single base vector (AC:M, C:C/I:C/A:C) is set for the whole
  # bundle. It differs from the rating this page shows for CVE-2011-3671 alone
  # (complexity LOW, partial impacts), so use the per-CVE score when triaging
  # one issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # NOTE(review): the exploit flags below are plugin-wide. The Metasploit module
  # named here refers to an nsSVGValue out-of-bounds access, which matches the
  # SVG issue described for CVE-2011-3658 rather than the nsHTMLSelectElement
  # use-after-free (CVE-2011-3671) - confirm per CVE before prioritising.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/21");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:thunderbird");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  # The version data is produced by another plugin; this one only consumes it.
  script_dependencies("macosx_thunderbird_installed.nasl");
  script_require_keys("MacOSX/Thunderbird/Installed");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Stop unless the KB records an installed Thunderbird and its version string.
kb_base = "MacOSX/Thunderbird";
get_kb_item_or_exit(kb_base+"/Installed");
version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);

# Split the dotted version and convert every component to an integer.
ver = split(version, sep:".", keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

# Only major version 8 is reported. The CVE summary on this page lists
# Thunderbird 5.0 through 8.0 for CVE-2011-3671, so 5.x-7.x installs are not
# flagged here - NOTE(review): confirm another check covers them.
if (ver[0] == 8)
{
  if (report_verbosity > 0)
  {
    # `info` has no earlier assignment in the visible code; the report text is
    # built by appending to it.
    info +=
      '\n Installed version : ' + version +
      '\n Fixed version : 9.0' + '\n';
    security_hole(port:0, extra:info);
  }
  else security_hole(0);
  exit(0);
}
else exit(0, "Thunderbird 8.x is not installed.");
# Page metadata for this listing:
#   NASL family: MacOS X Local Security Checks
#   NASL id: MACOSX_FIREFOX_9_0.NASL
#   description (truncated on the page): The installed version of Firefox 8.x is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
#   last seen: 2020-06-01
#   modified: 2020-06-02
#   plugin id: 57359
#   published: 2011-12-21
#   reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source: https://www.tenable.com/plugins/nessus/57359
#   title: Firefox 8.x Multiple Vulnerabilities (Mac OS X)
#
# Purpose: version-based check that reports a Mac OS X Firefox install older
# than the fixed version 9.0. The visible code only reads KB entries and calls
# mozilla_check_version(); a finding means "potentially affected by version".
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: the statements inside this branch only declare plugin
# metadata (ids, references, text, scoring) and then exit.
if (description)
{
  script_id(57359);
  script_version("1.21");
  script_cvs_date("Date: 2018/07/16 12:48:31");

  # One plugin covers seven CVEs; the metadata below is shared by all of them.
  script_cve_id( "CVE-2011-3658", "CVE-2011-3660", "CVE-2011-3661", "CVE-2011-3663", "CVE-2011-3664", "CVE-2011-3665", "CVE-2011-3671" );
  script_bugtraq_id(51133, 51134, 51135, 51136, 51137, 51138, 54080);

  script_name(english:"Firefox 8.x Multiple Vulnerabilities (Mac OS X)");
  script_summary(english:"Checks version of Firefox");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains a web browser that is potentially affected by several vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The installed version of Firefox 8.x is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the 'SVG' implementation and can be triggered when 'SVG' elements are removed during a 'DOMAttrModified' event handler. (CVE-2011-3658) - Various memory safety errors exist that can lead to memory corruption and possible code execution. (CVE-2011-3660) - An error exists in the 'YARR' regular expression library that can cause application crashes when handling certain JavaScript statements. (CVE-2011-3661) - It is possible to detect keystrokes using 'SVG' animation 'accesskey' events even when JavaScript is disabled. (CVE-2011-3663) - An error exists related to plugins that can allow a NULL pointer to be dereferenced when a plugin deletes its containing DOM frame during a call from that frame. It may be possible for a non-NULL pointer to be dereferenced thereby opening up the potential for further exploitation. (CVE-2011-3664) - It is possible to crash the application when 'OGG' 'video' elements are scaled to extreme sizes. (CVE-2011-3665) - A use-after-free error exists related to the function 'nsHTMLSelectElement' that can allow arbitrary code execution during operations such as removal of a parent node of an element. (CVE-2011-3671)");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-57/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
  script_set_attribute(attribute:"solution", value:"Upgrade to Firefox 9.0 or later.");

  # NOTE(review): a single base vector (AC:M, C:C/I:C/A:C) is set for the whole
  # bundle. It differs from the rating this page shows for CVE-2011-3671 alone
  # (complexity LOW, partial impacts), so use the per-CVE score when triaging
  # one issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # NOTE(review): the exploit flags below are plugin-wide. The Metasploit module
  # named here refers to an nsSVGValue out-of-bounds access, which matches the
  # SVG issue described for CVE-2011-3658 rather than the nsHTMLSelectElement
  # use-after-free (CVE-2011-3671) - confirm per CVE before prioritising.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/21");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  # The version data is produced by another plugin; this one only consumes it.
  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");
  exit(0);
}

include("mozilla_version.inc");

# Stop unless the KB records an installed Firefox, its version and its path.
kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");
version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

# Compare against the fixed version 9.0. skippat presumably excludes versions
# matching ^3\.6\. from this check, so 3.6.x installs would not be flagged
# here - confirm against mozilla_version.inc. That would be consistent with the
# CVE summary on this page, which lists Firefox 4.x through 8.0.
mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'9.0', skippat:'^3\\.6\\.', severity:SECURITY_HOLE);
# Page metadata for this listing:
#   NASL family: Windows
#   NASL id: MOZILLA_THUNDERBIRD_90.NASL
#   description (truncated on the page): The installed version of Thunderbird is earlier than 9.0 and thus, is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
#   last seen: 2020-06-01
#   modified: 2020-06-02
#   plugin id: 57352
#   published: 2011-12-20
#   reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source: https://www.tenable.com/plugins/nessus/57352
#   title: Mozilla Thunderbird < 9.0 Multiple Vulnerabilities
#
# Purpose: version-based check that reports Windows Thunderbird installs
# recorded in the scanner knowledge base (KB) with a version below 9.0. The
# visible code only reads KB entries and calls mozilla_check_version(); a
# finding means "potentially affected by version".
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: the statements inside this branch only declare plugin
# metadata (ids, references, text, scoring) and then exit.
if (description)
{
  script_id(57352);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  # One plugin covers six CVEs; the metadata below is shared by all of them.
  script_cve_id( "CVE-2011-3658", "CVE-2011-3660", "CVE-2011-3661", "CVE-2011-3663", "CVE-2011-3665", "CVE-2011-3671" );
  script_bugtraq_id( 51133, 51134, 51135, 51136, 51138, 54080 );
  script_xref(name:"EDB-ID", value:"18847");

  script_name(english:"Mozilla Thunderbird < 9.0 Multiple Vulnerabilities");
  script_summary(english:"Checks version of Thunderbird");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a mail client that is potentially affected by several vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The installed version of Thunderbird is earlier than 9.0 and thus, is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the 'SVG' implementation and can be triggered when 'SVG' elements are removed during a 'DOMAttrModified' event handler. (CVE-2011-3658) - Various memory safety errors exist that can lead to memory corruption and possible code execution. (CVE-2011-3660) - An error exists in the 'YARR' regular expression library that can cause application crashes when handling certain JavaScript statements. (CVE-2011-3661) - It is possible to detect keystrokes using 'SVG' animation 'accesskey' events even when JavaScript is disabled. (CVE-2011-3663) - It is possible to crash the application when 'OGG' 'video' elements are scaled to extreme sizes. (CVE-2011-3665) - A use-after-free error exists related to the function 'nsHTMLSelectElement' that can allow arbitrary code execution during operations such as removal of a parent node of an element. (CVE-2011-3671)" );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-056/");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
  script_set_attribute(attribute:"solution", value:"Upgrade to Thunderbird 9 or later.");

  # NOTE(review): a single base vector (AC:M, C:C/I:C/A:C) is set for the whole
  # bundle. It differs from the rating this page shows for CVE-2011-3671 alone
  # (complexity LOW, partial impacts), so use the per-CVE score when triaging
  # one issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # NOTE(review): the exploit flags below are plugin-wide. The Metasploit module
  # named here refers to an nsSVGValue out-of-bounds access, which matches the
  # SVG issue described for CVE-2011-3658 rather than the nsHTMLSelectElement
  # use-after-free (CVE-2011-3671) - confirm per CVE before prioritising.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:thunderbird");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  # The version data is produced by another plugin; this one only consumes it.
  script_dependencies("mozilla_org_installed.nasl");
  script_require_keys("Mozilla/Thunderbird/Version");
  exit(0);
}

include("mozilla_version.inc");

# Stop when the KB holds no SMB transport entry. `port` is not referenced again
# in the visible code; presumably mozilla_check_version() reads it when
# reporting - confirm against mozilla_version.inc.
port = get_kb_item_or_exit("SMB/transport");

# No Thunderbird entries in the KB: audit out as "not installed".
installs = get_kb_list("SMB/Mozilla/Thunderbird/*");
if (isnull(installs)) audit(AUDIT_NOT_INST, "Thunderbird");

# Compare each recorded install against the fixed version 9.0. skippat
# presumably excludes versions matching ^3\.1\. from this check, so 3.1.x
# installs would not be flagged here - confirm against mozilla_version.inc.
mozilla_check_version(installs:installs, product:'thunderbird', esr:FALSE, fix:'9.0', skippat:'^3\\.1\\.', severity:SECURITY_HOLE);
# Page metadata for this listing:
#   NASL family: Windows
#   NASL id: MOZILLA_FIREFOX_90.NASL
#   description (truncated on the page): The installed version of Firefox is earlier than 9.0 and thus, is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the
#   last seen: 2020-06-01
#   modified: 2020-06-02
#   plugin id: 57351
#   published: 2011-12-20
#   reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source: https://www.tenable.com/plugins/nessus/57351
#   title: Firefox < 9.0 Multiple Vulnerabilities
#
# Purpose: version-based check that reports Windows Firefox installs recorded
# in the scanner knowledge base (KB) with a version below 9.0. The visible code
# only reads KB entries and calls mozilla_check_version(); a finding means
# "potentially affected by version".
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: the statements inside this branch only declare plugin
# metadata (ids, references, text, scoring) and then exit.
if (description)
{
  script_id(57351);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  # One plugin covers six CVEs; the metadata below is shared by all of them.
  script_cve_id( "CVE-2011-3658", "CVE-2011-3660", "CVE-2011-3661", "CVE-2011-3663", "CVE-2011-3665", "CVE-2011-3671" );
  script_bugtraq_id( 51133, 51134, 51135, 51136, 51138, 54080 );
  script_xref(name:"EDB-ID", value:"18847");

  script_name(english:"Firefox < 9.0 Multiple Vulnerabilities");
  script_summary(english:"Checks version of Firefox");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a web browser that is potentially affected by several vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The installed version of Firefox is earlier than 9.0 and thus, is potentially affected by the following security issues : - An out-of-bounds memory access error exists in the 'SVG' implementation and can be triggered when 'SVG' elements are removed during a 'DOMAttrModified' event handler. (CVE-2011-3658) - Various memory safety errors exist that can lead to memory corruption and possible code execution. (CVE-2011-3660) - An error exists in the 'YARR' regular expression library that can cause application crashes when handling certain JavaScript statements. (CVE-2011-3661) - It is possible to detect keystrokes using 'SVG' animation 'accesskey' events even when JavaScript is disabled. (CVE-2011-3663) - It is possible to crash the application when 'OGG' 'video' elements are scaled to extreme sizes. (CVE-2011-3665) - A use-after-free error exists related to the function 'nsHTMLSelectElement' that can allow arbitrary code execution during operations such as removal of a parent node of an element. (CVE-2011-3671)" );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-056/");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-128/");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/523754/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-54/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-56/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-58/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-41/");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=739343");
  script_set_attribute(attribute:"solution", value:"Upgrade to Firefox 9 or later.");

  # NOTE(review): a single base vector (AC:M, C:C/I:C/A:C) is set for the whole
  # bundle. It differs from the rating this page shows for CVE-2011-3671 alone
  # (complexity LOW, partial impacts), so use the per-CVE score when triaging
  # one issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # NOTE(review): the exploit flags below are plugin-wide. The Metasploit module
  # named here refers to an nsSVGValue out-of-bounds access, which matches the
  # SVG issue described for CVE-2011-3658 rather than the nsHTMLSelectElement
  # use-after-free (CVE-2011-3671) - confirm per CVE before prioritising.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSVGValue Out-of-Bounds Access Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/20");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  # The version data is produced by another plugin; this one only consumes it.
  script_dependencies("mozilla_org_installed.nasl");
  script_require_keys("Mozilla/Firefox/Version");
  exit(0);
}

include("mozilla_version.inc");

# Stop when the KB holds no SMB transport entry. `port` is not referenced again
# in the visible code; presumably mozilla_check_version() reads it when
# reporting - confirm against mozilla_version.inc.
port = get_kb_item_or_exit("SMB/transport");

# No Firefox entries in the KB: audit out as "not installed".
installs = get_kb_list("SMB/Mozilla/Firefox/*");
if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");

# Compare each recorded install against the fixed version 9.0. skippat
# presumably excludes versions matching ^3\.6\. from this check, so 3.6.x
# installs would not be flagged here - confirm against mozilla_version.inc.
# That would be consistent with the CVE summary on this page, which lists
# Firefox 4.x through 8.0.
mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'9.0', skippat:'^3\\.6\\.', severity:SECURITY_HOLE);