Weekly Vulnerabilities Reports > December 9 to 15, 2013
Overview
8 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 1 high severity vulnerability. This weekly summary reports vulnerabilities in 35 products from 7 vendors including Fedoraproject, Opensuse, Mozilla, Suse, and Canonical. Vulnerabilities are notably categorized as "Use After Free", "Improper Verification of Cryptographic Signature", "Code Injection", and "Cryptographic Issues".
- 8 reported vulnerabilities are remotely exploitable.
- 8 reported vulnerabilities are exploitable by an anonymous user.
- Fedoraproject has the most reported vulnerabilities, with 7 reported vulnerabilities.
- Fedoraproject has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-12-11 | CVE-2013-6671 | Mozilla Canonical Redhat Opensuse Suse Fedoraproject | Code Injection vulnerability in multiple products. The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code via crafted use of JavaScript code for ordered list elements. | 9.8 |
2013-12-11 | CVE-2013-5618 | Mozilla Fedoraproject Opensuse Suse Canonical Redhat | Use After Free vulnerability in multiple products. Use-after-free vulnerability in the nsNodeUtils::LastRelease function in the table-editing user interface in the editor component in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code by triggering improper garbage collection. | 9.8 |
2013-12-11 | CVE-2013-5616 | Mozilla Fedoraproject Opensuse Suse Redhat Canonical | Use After Free vulnerability in multiple products. Use-after-free vulnerability in the nsEventListenerManager::HandleEventSubType function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to mListeners event listeners. | 9.8 |
2013-12-11 | CVE-2013-5615 | Mozilla Canonical Opensuse Suse Fedoraproject | The JavaScript implementation in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 does not properly enforce certain typeset restrictions on the generation of GetElementIC typed array stubs, which has unspecified impact and remote attack vectors. | 9.8 |
2013-12-11 | CVE-2013-5613 | Mozilla Fedoraproject Opensuse Suse Redhat Canonical | Use After Free vulnerability in multiple products. Use-after-free vulnerability in the PresShell::DispatchSynthMouseMove function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving synthetic mouse movement, related to the RestyleManager::GetHoverGeneration function. | 9.8 |
2013-12-11 | CVE-2013-5609 | Mozilla Fedoraproject Opensuse Suse Canonical Redhat | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 9.8 |
1 High Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-12-11 | CVE-2013-3900 | Microsoft | Improper Verification of Cryptographic Signature vulnerability in Microsoft products. Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. | 8.8 |
1 Medium Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-12-11 | CVE-2013-6673 | Fedoraproject Mozilla Suse Opensuse Canonical | Cryptographic Issues vulnerability in multiple products. Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 do not recognize a user's removal of trust from an EV X.509 certificate, which makes it easier for man-in-the-middle attackers to spoof SSL servers in opportunistic circumstances via a valid certificate that is unacceptable to the user. | 5.9 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|