FreeBSD : mozilla -- scripting vulnerabilities (b2e6d1d6-1339-11d9-bc4a-000c41e2cdad)

medium Nessus Plugin ID 19087

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Several scripting vulnerabilities were discovered and corrected in Mozilla : CVE-2004-0905 JavaScript; links dragged onto another frame or page allows an attacker to steal or modify sensitive information from other sites. The user could be convinced to drag obscurred links in the context of a game or even a fake scrollbar. If the user could be convinced to drag two links in sequence into a separate window (not frame) the attacker would be able to run arbitrary programs.
CVE-2004-0908 Untrusted JavaScript code can read and write to the clipboard, stealing any sensitive data the user might have copied.
Workaround: disable JavaScript CVE-2004-0909 Signed scripts requesting enhanced abilities could construct the request in a way that led to a confusing grant dialog, possibly fooling the user into thinking the privilege requested was inconsequential while actually obtaining explicit permission to run and install software. Workaround: Never grant enhanced abilities of any kind to untrusted web pages.

Solution

Update the affected packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=250862

https://bugzilla.mozilla.org/show_bug.cgi?id=257523

https://bugzilla.mozilla.org/show_bug.cgi?id=253942

http://www.nessus.org/u?f22c46a5

Plugin Details

Severity: Medium

ID: 19087

File Name: freebsd_pkg_b2e6d1d6133911d9bc4a000c41e2cdad.nasl

Version: 1.18

Type: local

Published: 7/13/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:de-linux-mozillafirebird, p-cpe:/a:freebsd:freebsd:de-linux-netscape, p-cpe:/a:freebsd:freebsd:de-netscape7, p-cpe:/a:freebsd:freebsd:el-linux-mozillafirebird, p-cpe:/a:freebsd:freebsd:firefox, p-cpe:/a:freebsd:freebsd:fr-linux-netscape, p-cpe:/a:freebsd:freebsd:fr-netscape7, p-cpe:/a:freebsd:freebsd:ja-linux-mozillafirebird-gtk1, p-cpe:/a:freebsd:freebsd:ja-linux-netscape, p-cpe:/a:freebsd:freebsd:ja-mozillafirebird-gtk2, p-cpe:/a:freebsd:freebsd:ja-netscape7, p-cpe:/a:freebsd:freebsd:linux-mozilla, p-cpe:/a:freebsd:freebsd:linux-mozilla-devel, p-cpe:/a:freebsd:freebsd:linux-mozillafirebird, p-cpe:/a:freebsd:freebsd:linux-netscape, p-cpe:/a:freebsd:freebsd:linux-phoenix, p-cpe:/a:freebsd:freebsd:mozilla, p-cpe:/a:freebsd:freebsd:mozilla%2bipv6, p-cpe:/a:freebsd:freebsd:mozilla-embedded, p-cpe:/a:freebsd:freebsd:mozilla-firebird, p-cpe:/a:freebsd:freebsd:mozilla-gtk, p-cpe:/a:freebsd:freebsd:mozilla-gtk1, p-cpe:/a:freebsd:freebsd:mozilla-gtk2, p-cpe:/a:freebsd:freebsd:mozilla-thunderbird, p-cpe:/a:freebsd:freebsd:netscape7, p-cpe:/a:freebsd:freebsd:phoenix, p-cpe:/a:freebsd:freebsd:pt_br-netscape7, p-cpe:/a:freebsd:freebsd:ru-linux-mozillafirebird, p-cpe:/a:freebsd:freebsd:thunderbird, p-cpe:/a:freebsd:freebsd:zhcn-linux-mozillafirebird, p-cpe:/a:freebsd:freebsd:zhtw-linux-mozillafirebird, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 9/30/2004

Vulnerability Publication Date: 9/13/2004

Reference Information

CVE: CVE-2004-0905, CVE-2004-0908, CVE-2004-0909