Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have occured when allocating too much private shader memory on mac OS. *This bug only affects Firefox on macOS. Other operating systems are unaffected.* This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-c92eb29264 advisory.

    - New upstream version (117.0)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3664-1 advisory.

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR     < 115.2, and Thunderbird < 115.2. (CVE-2023-4051)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4053)

  - When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could     have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and     Thunderbird < 115.2. (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and     Thunderbird < 115.2. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in `RecordedSourceSurfaceCreation` which resulted in a heap     buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. *This bug only     affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4576)

  - When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage     collected prior to entering the function, which could potentially have led to an exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4577)

  - When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling     `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is     available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax     Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4578)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and     Thunderbird < 115.2. (CVE-2023-4580)

  - Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed     them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS. *This bug only affects Firefox on macOS.
    Other operating systems are unaffected.* This vulnerability affects Firefox < 117, Firefox ESR < 115.2,     and Thunderbird < 115.2. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not     available then it was assumed to have already been discarded which was not always the case for private     channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR <     115.2, and Thunderbird < 115.2. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and     Thunderbird < 115.2. (CVE-2023-4585)

  - Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform     an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)     (CVE-2023-4863)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3562-1 advisory.

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR     < 115.2, and Thunderbird < 115.2. (CVE-2023-4051)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4053)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4575)

  - On Windows, an integer overflow could occur in `RecordedSourceSurfaceCreation` which resulted in a heap     buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. *This bug only     affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4576)

  - When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage     collected prior to entering the function, which could potentially have led to an exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4577)

  - When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling     `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is     available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax     Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4578)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and     Thunderbird < 115.2. (CVE-2023-4580)

  - Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed     them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS. *This bug only affects Firefox on macOS.
    Other operating systems are unaffected.* This vulnerability affects Firefox < 117, Firefox ESR < 115.2,     and Thunderbird < 115.2. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not     available then it was assumed to have already been discarded which was not always the case for private     channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR <     115.2, and Thunderbird < 115.2. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and     Thunderbird < 115.2. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3559-1 advisory.

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR     < 115.2, and Thunderbird < 115.2. (CVE-2023-4051)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4053)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4575)

  - On Windows, an integer overflow could occur in `RecordedSourceSurfaceCreation` which resulted in a heap     buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. *This bug only     affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4576)

  - When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage     collected prior to entering the function, which could potentially have led to an exploitable crash. This     vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4577)

  - When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling     `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is     available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax     Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4578)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and     Thunderbird < 115.2. (CVE-2023-4580)

  - Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed     them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS. *This bug only affects Firefox on macOS.
    Other operating systems are unaffected.* This vulnerability affects Firefox < 117, Firefox ESR < 115.2,     and Thunderbird < 115.2. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not     available then it was assumed to have already been discarded which was not always the case for private     channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR <     115.2, and Thunderbird < 115.2. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox <     117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and     Thunderbird < 115.2. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3519-1 advisory.

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.
    (CVE-2023-4051)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. This vulnerability affects Firefox < 116. (CVE-2023-4053)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected.  (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash.  (CVE-2023-4577)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error.  (CVE-2023-4578)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information.  (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm.  (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected.  (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended.  (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code.  (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code.  (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-80549d73b9 advisory.

    - New upstream version (117.0)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-c679c55cf8 advisory.

    - New upstream version (117.0)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 115.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-38 advisory.

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected. (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash. (CVE-2023-4577)

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. (CVE-2023-4051)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error. (CVE-2023-4578)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. (CVE-2023-4053)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 115.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-38 advisory.

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected. (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash. (CVE-2023-4577)

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. (CVE-2023-4051)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error. (CVE-2023-4578)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. (CVE-2023-4053)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of mozilla-firefox installed on the remote host is prior to 115.2.0esr. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2023-242-01 advisory.

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.
    (CVE-2023-4051)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. This vulnerability affects Firefox < 116. (CVE-2023-4053)

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash.  (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected.  (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash.  (CVE-2023-4577)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error.  (CVE-2023-4578)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information.  (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm.  (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected.  (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended.  (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code.  (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code.  (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 117.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-34 advisory.

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected. (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash. (CVE-2023-4577)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error. (CVE-2023-4578)

  - Search queries in the default search engine could appear to have been the currently navigated URL if the     search query itself was a well formed URL. This could have led to a site spoofing another if it had been     maliciously set as the default search engine. (CVE-2023-4579)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote Windows host is prior to 117.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-34 advisory.

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected. (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash. (CVE-2023-4577)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error. (CVE-2023-4578)

  - Search queries in the default search engine could appear to have been the currently navigated URL if the     search query itself was a well formed URL. This could have led to a site spoofing another if it had been     maliciously set as the default search engine. (CVE-2023-4579)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote Windows host is prior to 115.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-36 advisory.

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected. (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash. (CVE-2023-4577)

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. (CVE-2023-4051)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error. (CVE-2023-4578)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. (CVE-2023-4053)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 115.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-36 advisory.

  - When receiving rendering data over IPC <code>mStream</code> could have been destroyed when initialized,     which could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks     could have been created at a time and eventually all simultaneously destroyed as soon as one of the     callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.
    (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could     have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks     finished. This could have led to a use-after-free causing a potentially exploitable crash. (CVE-2023-4575)

  - On Windows, an integer overflow could occur in <code>RecordedSourceSurfaceCreation</code> which resulted     in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. This     bug only affects Firefox on Windows. Other operating systems are unaffected. (CVE-2023-4576)

  - When <code>UpdateRegExpStatics</code> attempted to access <code>initialStringHeap</code> it could already     have been garbage collected prior to entering the function, which could potentially have led to an     exploitable crash. (CVE-2023-4577)

  - A website could have obscured the full screen notification by using the file open dialog. This could have     led to user confusion and possible spoofing attacks. (CVE-2023-4051)

  - When calling <code>JS::CheckRegExpSyntax</code> a Syntax Error could have been set which would end in     calling <code>convertToRuntimeErrorAndClear</code>. A path in the function could attempt to allocate     memory when none is available which would have caused a newly created Out of Memory exception to be     mishandled as a Syntax Error. (CVE-2023-4578)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. (CVE-2023-4053)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing     the leak of sensitive information. (CVE-2023-4580)

  - Excel <code>.xll</code> add-in files did not have a blocklist entry in Firefox's executable blocklist     which allowed them to be downloaded without any warning of their potential harm. (CVE-2023-4581)

  - Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have     occured when allocating too much private shader memory on mac OS.  This bug only affects Firefox on macOS.
    Other operating systems are unaffected. (CVE-2023-4582)

  - When checking if the Browsing Context had been discarded in <code>HttpBaseChannel</code>, if the load     group was not available then it was assumed to have already been discarded which was not always the case     for private channels after the private session had ended. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and     Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough     effort some of these could have been exploited to run arbitrary code. (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2023-4585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
190759	GLSA-202402-25 : Mozilla Thunderbird: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
185301	Fedora 39 : firefox (2023-c92eb29264)	Nessus	Fedora Local Security Checks	high
181580	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaThunderbird (SUSE-SU-2023:3664-1)	Nessus	SuSE Local Security Checks	high
181264	SUSE SLES15 Security Update : MozillaFirefox (SUSE-SU-2023:3562-1)	Nessus	SuSE Local Security Checks	high
181257	SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2023:3559-1)	Nessus	SuSE Local Security Checks	high
180533	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2023:3519-1)	Nessus	SuSE Local Security Checks	high
180460	Fedora 37 : firefox (2023-80549d73b9)	Nessus	Fedora Local Security Checks	high
180433	Fedora 38 : firefox (2023-c679c55cf8)	Nessus	Fedora Local Security Checks	high
180324	Mozilla Thunderbird < 115.2	Nessus	Windows	high
180323	Mozilla Thunderbird < 115.2	Nessus	MacOS X Local Security Checks	high
180319	Slackware Linux 15.0 / current mozilla-firefox Multiple Vulnerabilities (SSA:2023-242-01)	Nessus	Slackware Local Security Checks	high
180233	Mozilla Firefox < 117.0	Nessus	MacOS X Local Security Checks	high
180232	Mozilla Firefox < 117.0	Nessus	Windows	high
180231	Mozilla Firefox ESR < 115.2	Nessus	Windows	high
180230	Mozilla Firefox ESR < 115.2	Nessus	MacOS X Local Security Checks	high

Detections

Analytics

CVE-2023-4582

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high