Vulnerabilities > CVE-2015-4505 - Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 on Windows allows local users to write to arbitrary files by conducting a junction attack and waiting for an update operation by the Mozilla Maintenance Service.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-619.NASL description MozillaFirefox was updated to Firefox 41.0 (bnc#947003) Security issues fixed : - MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards - MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers - MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes - MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme - MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater - MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video - MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript - MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode - MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB - MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video - MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content - MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems - MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window - MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed - MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects - MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers - MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ CVE-2015-7180 Vulnerabilities found through code inspection - MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library - MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information disclosure via the High Resolution Time API last seen 2020-06-05 modified 2015-10-02 plugin id 86238 published 2015-10-02 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86238 title openSUSE Security Update : MozillaFirefox (openSUSE-2015-619) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-619. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(86238); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-4476", "CVE-2015-4500", "CVE-2015-4501", "CVE-2015-4502", "CVE-2015-4503", "CVE-2015-4504", "CVE-2015-4505", "CVE-2015-4506", "CVE-2015-4507", "CVE-2015-4508", "CVE-2015-4509", "CVE-2015-4510", "CVE-2015-4511", "CVE-2015-4512", "CVE-2015-4516", "CVE-2015-4517", "CVE-2015-4519", "CVE-2015-4520", "CVE-2015-4521", "CVE-2015-4522", "CVE-2015-7174", "CVE-2015-7175", "CVE-2015-7176", "CVE-2015-7177", "CVE-2015-7178", "CVE-2015-7179", "CVE-2015-7180"); script_name(english:"openSUSE Security Update : MozillaFirefox (openSUSE-2015-619)"); script_summary(english:"Check for the openSUSE-2015-619 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "MozillaFirefox was updated to Firefox 41.0 (bnc#947003) Security issues fixed : - MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards - MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers - MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes - MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme - MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater - MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video - MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript - MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode - MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB - MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video - MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content - MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems - MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window - MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed - MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects - MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers - MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ CVE-2015-7180 Vulnerabilities found through code inspection - MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library - MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information disclosure via the High Resolution Time API" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=947003" ); script_set_attribute( attribute:"solution", value:"Update the affected MozillaFirefox packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-branding-upstream-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-buildsymbols-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debuginfo-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debugsource-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-devel-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-common-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-other-41.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-branding-upstream-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-buildsymbols-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debuginfo-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debugsource-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-devel-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-common-41.0-44.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-other-41.0-44.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_2D56C7F4B354428F8F4838150C607A05.NASL description The Mozilla Project reports : MFSA 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) MFSA 2015-97 Memory leak in mozTCPSocket to servers MFSA 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes MFSA 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme MFSA 2015-100 Arbitrary file manipulation by local user through Mozilla updater MFSA 2015-101 Buffer overflow in libvpx while parsing vp9 format video MFSA 2015-102 Crash when using debugger with SavedStacks in JavaScript MFSA 2015-103 URL spoofing in reader mode MFSA 2015-104 Use-after-free with shared workers and IndexedDB MFSA 2015-105 Buffer overflow while decoding WebM video MFSA 2015-106 Use-after-free while manipulating HTML media content MFSA 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems MFSA 2015-108 Scripted proxies can access inner window MFSA 2015-109 JavaScript immutable property enforcement can be bypassed MFSA 2015-110 Dragging and dropping images exposes final URL after redirects MFSA 2015-111 Errors in the handling of CORS preflight request headers MFSA 2015-112 Vulnerabilities found through code inspection MFSA 2015-113 Memory safety errors in libGLES in the ANGLE graphics library MFSA 2015-114 Information disclosure via the High Resolution Time API last seen 2020-06-01 modified 2020-06-02 plugin id 86079 published 2015-09-23 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86079 title FreeBSD : mozilla -- multiple vulnerabilities (2d56c7f4-b354-428f-8f48-38150c607a05) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(86079); script_version("2.8"); script_cvs_date("Date: 2019/07/10 16:04:13"); script_cve_id("CVE-2015-4476", "CVE-2015-4500", "CVE-2015-4501", "CVE-2015-4502", "CVE-2015-4503", "CVE-2015-4504", "CVE-2015-4505", "CVE-2015-4506", "CVE-2015-4507", "CVE-2015-4508", "CVE-2015-4509", "CVE-2015-4510", "CVE-2015-4512", "CVE-2015-4516", "CVE-2015-4517", "CVE-2015-4519", "CVE-2015-4520", "CVE-2015-4521", "CVE-2015-4522", "CVE-2015-7174", "CVE-2015-7175", "CVE-2015-7176", "CVE-2015-7177", "CVE-2015-7178", "CVE-2015-7179", "CVE-2015-7180"); script_name(english:"FreeBSD : mozilla -- multiple vulnerabilities (2d56c7f4-b354-428f-8f48-38150c607a05)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "The Mozilla Project reports : MFSA 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) MFSA 2015-97 Memory leak in mozTCPSocket to servers MFSA 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes MFSA 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme MFSA 2015-100 Arbitrary file manipulation by local user through Mozilla updater MFSA 2015-101 Buffer overflow in libvpx while parsing vp9 format video MFSA 2015-102 Crash when using debugger with SavedStacks in JavaScript MFSA 2015-103 URL spoofing in reader mode MFSA 2015-104 Use-after-free with shared workers and IndexedDB MFSA 2015-105 Buffer overflow while decoding WebM video MFSA 2015-106 Use-after-free while manipulating HTML media content MFSA 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems MFSA 2015-108 Scripted proxies can access inner window MFSA 2015-109 JavaScript immutable property enforcement can be bypassed MFSA 2015-110 Dragging and dropping images exposes final URL after redirects MFSA 2015-111 Errors in the handling of CORS preflight request headers MFSA 2015-112 Vulnerabilities found through code inspection MFSA 2015-113 Memory safety errors in libGLES in the ANGLE graphics library MFSA 2015-114 Information disclosure via the High Resolution Time API" ); # https://www.mozilla.org/security/advisories/mfsa2015-96/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/" ); # https://www.mozilla.org/security/advisories/mfsa2015-97/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/" ); # https://www.mozilla.org/security/advisories/mfsa2015-98/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-98/" ); # https://www.mozilla.org/security/advisories/mfsa2015-99/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-99/" ); # https://www.mozilla.org/security/advisories/mfsa2015-100/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-100/" ); # https://www.mozilla.org/security/advisories/mfsa2015-101/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/" ); # https://www.mozilla.org/security/advisories/mfsa2015-102/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-102/" ); # https://www.mozilla.org/security/advisories/mfsa2015-103/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-103/" ); # https://www.mozilla.org/security/advisories/mfsa2015-104/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-104/" ); # https://www.mozilla.org/security/advisories/mfsa2015-105/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/" ); # https://www.mozilla.org/security/advisories/mfsa2015-106/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/" ); # https://www.mozilla.org/security/advisories/mfsa2015-107/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-107/" ); # https://www.mozilla.org/security/advisories/mfsa2015-108/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-108/" ); # https://www.mozilla.org/security/advisories/mfsa2015-109/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-109/" ); # https://www.mozilla.org/security/advisories/mfsa2015-110/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/" ); # https://www.mozilla.org/security/advisories/mfsa2015-111/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/" ); # https://www.mozilla.org/security/advisories/mfsa2015-112/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/" ); # https://www.mozilla.org/security/advisories/mfsa2015-113/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-113/" ); # https://www.mozilla.org/security/advisories/mfsa2015-114/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-114/" ); # https://vuxml.freebsd.org/freebsd/2d56c7f4-b354-428f-8f48-38150c607a05.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ae1ba50a" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox-esr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:libxul"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-thunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:thunderbird"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/22"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"firefox<41.0,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-firefox<41.0,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"seamonkey<2.38")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-seamonkey<2.38")) flag++; if (pkg_test(save_report:TRUE, pkg:"firefox-esr<38.3.0,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"libxul<38.3.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"thunderbird<38.3.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-thunderbird<38.3.0")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-632.NASL description seamonkey was updated to fix 25 security issues. These security issues were fixed : - CVE-2015-4520: Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to bypass CORS preflight protection mechanisms by leveraging (1) duplicate cache-key generation or (2) retrieval of a value from an incorrect HTTP Access-Control-* response header (bsc#947003). - CVE-2015-4521: The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-4522: The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an last seen 2020-06-05 modified 2015-10-06 plugin id 86282 published 2015-10-06 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86282 title openSUSE Security Update : seamonkey (openSUSE-2015-632) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-632. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(86282); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-4500", "CVE-2015-4501", "CVE-2015-4502", "CVE-2015-4503", "CVE-2015-4504", "CVE-2015-4505", "CVE-2015-4506", "CVE-2015-4507", "CVE-2015-4509", "CVE-2015-4510", "CVE-2015-4511", "CVE-2015-4512", "CVE-2015-4516", "CVE-2015-4517", "CVE-2015-4519", "CVE-2015-4520", "CVE-2015-4521", "CVE-2015-4522", "CVE-2015-7174", "CVE-2015-7175", "CVE-2015-7176", "CVE-2015-7177", "CVE-2015-7178", "CVE-2015-7179", "CVE-2015-7180"); script_name(english:"openSUSE Security Update : seamonkey (openSUSE-2015-632)"); script_summary(english:"Check for the openSUSE-2015-632 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "seamonkey was updated to fix 25 security issues. These security issues were fixed : - CVE-2015-4520: Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to bypass CORS preflight protection mechanisms by leveraging (1) duplicate cache-key generation or (2) retrieval of a value from an incorrect HTTP Access-Control-* response header (bsc#947003). - CVE-2015-4521: The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-4522: The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an 'overflow (bsc#947003). - CVE-2015-4502: js/src/proxy/Proxy.cpp in Mozilla Firefox before 41.0 mishandled certain receiver arguments, which allowed remote attackers to bypass intended window access restrictions via a crafted website (bsc#947003). - CVE-2015-4503: The TCP Socket API implementation in Mozilla Firefox before 41.0 mishandled array boundaries that were established with a navigator.mozTCPSocket.open method call and send method calls, which allowed remote TCP servers to obtain sensitive information from process memory by reading packet data, as demonstrated by availability of this API in a Firefox OS application (bsc#947003). - CVE-2015-4500: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (bsc#947003). - CVE-2015-4501: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (bsc#947003). - CVE-2015-4506: Buffer overflow in the vp9_init_context_buffers function in libvpx, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3, allowed remote attackers to execute arbitrary code via a crafted VP9 file (bsc#947003). - CVE-2015-4507: The SavedStacks class in the JavaScript implementation in Mozilla Firefox before 41.0, when the Debugger API is enabled, allowed remote attackers to cause a denial of service (getSlotRef assertion failure and application exit) or possibly execute arbitrary code via a crafted website (bsc#947003). - CVE-2015-4504: The lut_inverse_interp16 function in the QCMS library in Mozilla Firefox before 41.0 allowed remote attackers to obtain sensitive information or cause a denial of service (buffer over-read and application crash) via crafted attributes in the ICC 4 profile of an image (bsc#947003). - CVE-2015-4505: updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 on Windows allowed local users to write to arbitrary files by conducting a junction attack and waiting for an update operation by the Mozilla Maintenance Service (bsc#947003). - CVE-2015-7180: The ReadbackResultWriterD3D11::Run function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 misinterprets the return value of a function call, which might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-4509: Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176 (bsc#947003). - CVE-2015-7178: The ProgramBinary::linkAttributes function in libGLES in ANGLE, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 on Windows, mishandles shader access, which allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted (1) OpenGL or (2) WebGL content (bsc#947003). - CVE-2015-7179: The VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 on Windows, incorrectly allocates memory for shader attribute arrays, which allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via crafted (1) OpenGL or (2) WebGL content (bsc#947003). - CVE-2015-7176: The AnimationThread function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 used an incorrect argument to the sscanf function, which might allowed remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-7177: The InitTextures function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-7174: The nsAttrAndChildArray::GrowBy function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an 'overflow (bsc#947003). - CVE-2015-7175: The XULContentSinkImpl::AddText function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an 'overflow (bsc#947003). - CVE-2015-4511: Heap-based buffer overflow in the nestegg_track_codec_data function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to execute arbitrary code via a crafted header in a WebM video (bsc#947003). - CVE-2015-4510: Race condition in the WorkerPrivate::NotifyFeatures function in Mozilla Firefox before 41.0 allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) by leveraging improper interaction between shared workers and the IndexedDB implementation (bsc#947003). - CVE-2015-4512: gfx/2d/DataSurfaceHelpers.cpp in Mozilla Firefox before 41.0 on Linux improperly attempts to use the Cairo library with 32-bit color-depth surface creation followed by 16-bit color-depth surface display, which allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) by using a CANVAS element to trigger 2D rendering (bsc#947003). - CVE-2015-4517: NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-4516: Mozilla Firefox before 41.0 allowed remote attackers to bypass certain ECMAScript 5 (aka ES5) API protection mechanisms and modify immutable properties, and consequently execute arbitrary JavaScript code with chrome privileges, via a crafted web page that did not use ES5 APIs (bsc#947003). - CVE-2015-4519: Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed user-assisted remote attackers to bypass intended access restrictions and discover a redirect's target URL via crafted JavaScript code that executes after a drag-and-drop action of an image into a TEXTBOX element (bsc#947003)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=935979" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=947003" ); script_set_attribute( attribute:"solution", value:"Update the affected seamonkey packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-dom-inspector"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-irc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-debuginfo-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-debugsource-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-dom-inspector-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-irc-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-translations-common-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"seamonkey-translations-other-2.38-56.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-2.38-20.2") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-debuginfo-2.38-20.2") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-debugsource-2.38-20.2") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-dom-inspector-2.38-20.2") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-irc-2.38-20.2") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-translations-common-2.38-20.2") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"seamonkey-translations-other-2.38-20.2") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "seamonkey / seamonkey-debuginfo / seamonkey-debugsource / etc"); }NASL family Windows NASL id MOZILLA_FIREFOX_41_0_0.NASL description The version of Firefox installed on the remote Windows host is prior to 41. It is, therefore, affected by the following vulnerabilities : - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues to corrupt memory and execute arbitrary code. (CVE-2015-4500) - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues to corrupt memory and execute arbitrary code. (CVE-2015-4501) - A flaw exists that allows scripted proxies to access the inner window. (CVE-2015-4502) - An out-of-bounds read issue exists in TCPSocket.js related to the sending of strings over TCPSocket. A remote attacker can exploit this disclose memory contents. (CVE-2015-4503) - An out-of-bounds read error exists in the QCMS color management library that is triggered when manipulating an image with specific attributes in its ICC V4 profile. A remote attacker can exploit this to cause a denial of service condition or to disclose sensitive information. (CVE-2015-4504) - A flaw exists in the Mozilla updater that allows a local attacker to replace arbitrary files on the system, resulting in the execution of arbitrary code. (CVE-2015-4505) - A buffer overflow condition exists in the libvpx component when parsing vp9 format video. A remote attacker can exploit this, via a specially crafted vp9 format video, to execute arbitrary code. (CVE-2015-4506) - A flaw exists in the debugger API that is triggered when using the debugger with SavedStacks in JavaScript. An attacker can exploit this to cause a denial of service condition. (CVE-2015-4507) - A flaw exists in reader mode that allows an attacker to spoof the URL displayed in the address bar. (CVE-2015-4508) - A user-after-free error exists when manipulating HTML media elements on a page during script manipulation of the URI table of these elements. An attacker can exploit this to cause a denial of service condition. (CVE-2015-4509) - A use-after-free error exists when using a shared worker with IndexedDB due to a race condition with the worker. A remote attacker can exploit this, via specially crafted content, to cause a denial of service condition. (CVE-2015-4510) - A buffer overflow condition exists in the nestegg library when decoding a WebM format video with maliciously formatted headers. An attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4511) - An out-of-bounds read error exists during 2D canvas rendering due to an issue in the cairo graphics library. An attacker can exploit this to read random memory, resulting in the disclosure of sensitive information. (CVE-2015-4512) - A security bypass vulnerability exists due to a flaw in Gecko last seen 2020-06-01 modified 2020-06-02 plugin id 86071 published 2015-09-22 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86071 title Firefox < 41 Multiple Vulnerabilities NASL family Windows NASL id MOZILLA_FIREFOX_38_3_ESR.NASL description The version of Firefox ESR installed on the remote Windows host is prior to 38.3. It is, therefore, affected by the following vulnerabilities : - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues to corrupt memory and execute arbitrary code. (CVE-2015-4500) - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues to corrupt memory and execute arbitrary code. (CVE-2015-4501) - A flaw exists in the Mozilla updater that allows a local attacker to replace arbitrary files on the system, resulting in the execution of arbitrary code. (CVE-2015-4505) - A buffer overflow condition exists in the libvpx component when parsing vp9 format video. A remote attacker can exploit this, via a specially crafted vp9 format video, to execute arbitrary code. (CVE-2015-4506) - A user-after-free error exists when manipulating HTML media elements on a page during script manipulation of the URI table of these elements. An attacker can exploit this to cause a denial of service condition. (CVE-2015-4509) - A buffer overflow condition exists in the nestegg library when decoding a WebM format video with maliciously formatted headers. An attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4511) - A memory corruption issue exists in NetworkUtils.cpp. An attacker can potentially exploit this issue to cause a denial of service condition or to execute arbitrary code. (CVE-2015-4517) - An information disclosure vulnerability exists due to a flaw that occurs when a previously loaded image on a page is dropped into content after a redirect, resulting in the redirected URL being available to scripts. (CVE-2015-4519) - Multiple security bypass vulnerabilities exist due to errors in the handling of CORS preflight request headers. (CVE-2015-4520) - A memory corruption issue exists in the ConvertDialogOptions() function. An attacker can potentially exploit this issue to cause a denial of service condition or to execute arbitrary code. (CVE-2015-4521) - An overflow condition exists in the GetMaxLength() function. An attacker can potentially exploit this to cause a denial of service condition or to execute arbitrary code. (CVE-2015-4522) - An overflow condition exists in the GrowBy() function. An attacker can potentially exploit this to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7174) - An overflow condition exists in the AddText() function. An attacker can potentially exploit this to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7175) - A stack overflow condition exists in the AnimationThread() function due to a bad sscanf argument. An attacker can potentially exploit this to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7176) - A memory corruption issue exists in the InitTextures() function. An attacker can potentially exploit this issue to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7177) - An out-of-bounds memory error exists in the linkAttributes() function when manipulating shaders. An attacker can potentially exploit this issue to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7178) - An overflow condition exists in the reserveVertexSpace() function due to an insufficient allocation of memory for a shader attribute array. An attacker can potentially exploit this issue to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7179) - A memory corruption issue exists in ReadbackResultWriterD3D11::Run due to mishandling of the return status. An attacker can potentially exploit this issue to cause a denial of service condition or to execute arbitrary code. (CVE-2015-7180) last seen 2020-06-01 modified 2020-06-02 plugin id 86070 published 2015-09-22 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86070 title Firefox ESR < 38.3 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-631.NASL description MozillaThunderbird was updated to fix 17 security issues. These security issues were fixed : - CVE-2015-4509: Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176 (bsc#947003). - CVE-2015-4520: Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allowed remote attackers to bypass CORS preflight protection mechanisms by leveraging (1) duplicate cache-key generation or (2) retrieval of a value from an incorrect HTTP Access-Control-* response header (bsc#947003). - CVE-2015-4521: The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors (bsc#947003). - CVE-2015-4522: The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an last seen 2020-06-05 modified 2015-10-06 plugin id 86281 published 2015-10-06 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86281 title openSUSE Security Update : MozillaThunderbird (openSUSE-2015-631)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00005.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-100.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-100.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securitytracker.com/id/1033640
- http://www.securitytracker.com/id/1033640
- https://bugzilla.mozilla.org/show_bug.cgi?id=1177861
- https://bugzilla.mozilla.org/show_bug.cgi?id=1177861