Weekly Vulnerabilities Reports > February 3 to 9, 2014

Overview

7 new vulnerabilities were reported during this period, including 3 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary reports vulnerabilities in 21 products from 9 vendors including Opensuse, Redhat, Suse, Debian, and Fedoraproject. The vulnerabilities are notably categorized as "Use After Free", "Out-of-bounds Write", "Origin Validation Error", and "Integer Underflow (Wrap or Wraparound)".

  • 7 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 7 reported vulnerabilities are exploitable by an anonymous user.
  • Opensuse has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Opensuse has the most reported critical vulnerabilities, with 3 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

3 Critical Vulnerabilities

DATE       | CVE           | VENDOR                                                                    | CVSS
2014-02-06 | CVE-2014-1486 | Mozilla, Fedoraproject, Opensuse, Suse, Debian, Canonical, Redhat         | 9.8
  Use After Free vulnerability in multiple products
  Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data.

2014-02-06 | CVE-2014-1477 | Mozilla, Canonical, Debian, Redhat, Fedoraproject, Opensuse, Suse         | 9.8
  Multiple unspecified vulnerabilities in multiple products
  Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

2014-02-05 | CVE-2014-0497 | Adobe, Google, Redhat, Suse, Opensuse                                     | 9.8
  Integer Underflow (Wrap or Wraparound) vulnerability in multiple products
  Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.

4 High Vulnerabilities

DATE       | CVE           | VENDOR                                                                    | CVSS
2014-02-06 | CVE-2014-1482 | Mozilla, Canonical, Debian, Redhat, Fedoraproject, Opensuse, Suse         | 8.8
  Out-of-bounds Write vulnerability in multiple products
  RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect write operations) via crafted image data, as demonstrated by Goo Create.

2014-02-06 | CVE-2014-1487 | Mozilla, Fedoraproject, Opensuse, Suse, Canonical, Debian, Redhat         | 7.5
  Origin Validation Error vulnerability in multiple products
  The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.

2014-02-06 | CVE-2014-1481 | Mozilla, Fedoraproject, Opensuse, Suse, Redhat, Debian, Canonical         | 7.5
  Restriction bypass vulnerability in multiple products
  Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to bypass intended restrictions on window objects by leveraging inconsistency in native getter methods across different JavaScript engines.

2014-02-06 | CVE-2014-1479 | Mozilla, Canonical, Debian, Redhat, Fedoraproject, Opensuse, Suse         | 7.5
  Restriction bypass vulnerability in multiple products
  The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent certain cloning operations, which allows remote attackers to bypass intended restrictions on XUL content via vectors involving XBL content scopes.

0 Medium Vulnerabilities

DATE       | CVE           | VENDOR                                                                    | CVSS
(none reported this period)

0 Low Vulnerabilities

DATE       | CVE           | VENDOR                                                                    | CVSS
(none reported this period)