Mozilla Firefox < 61 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700330

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 61 are unpatched for the following vulnerabilities :

- An out-of-bounds read flaw exists in the 'qcms_modular_transform_data()' function in 'chain.c' that is triggered when handling an invalid grid size during QCMS transformations. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists in 'dom/performance/PerformanceNavigationTiming.cpp' that is triggered as the Navigation APIs can be used as a precision timer. This may allow a context-dependent attacker to conduct timing attacks.
- A flaw exists in the 'nsLocalFile::IsExecutable()' function in 'xpcom/io/nsLocalFileWin.cpp', as 'settingcontent-ms' is not recognized as an executable file extension. This may allow a context-dependent attacker to more easily trick a user into opening a malicious file without a warning prompt being presented.
- A flaw exists in the WebExtension that is triggered as embedded experiments are not properly checked. This may allow a context-dependent attacker to bypass authorization mechanisms.
- An integer overflow flaw exists that is triggered as uninitialized memory is used when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'ContentParent::RecvGetFilesRequest()' function in 'dom/ipc/ContentParent.cpp'. Combined with another vulnerability this may allow a context-dependent attacker to bypass the sandbox and enumerate file names.
- An overflow condition exists in the 'CanvasRenderingContext2D::SetDimensions()' function in 'dom/canvas/CanvasRenderingContext2D.cpp' that is triggered when handling '<canvas>' element dimensions. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists in the 'HTMLInputElement::Focus()' function in 'dom/html/HTMLInputElement.cpp' that is triggered when deleting input elements during a mutation event handler. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is triggered during the handling of a redirection initiated by a service worker. This may allow a context-dependent attacker to bypass the same-origin policy.
- An integer overflow condition exists in 'gfx/2d/ssse3-scaler.c' within the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler that is triggered when handling graphics operations. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists that is triggered when capturing a media stream and the media source type is changed. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists that is triggered when using scripts to perform mutations to move DOM nodes between documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists when handling 307 redirects as HTTP requests to NPAPI plugins do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.
- A flaw exists in 'toolkit/components/reader/ReaderMode.jsm' that is triggered as SameSite cookie protections are not properly checked when exiting Reader View. This may allow a context-dependent attacker to bypass CSRF protection mechanisms.
- A use-after-free error exists in the 'Debugger::findZoneEdges()' function in 'js/src/vm/Debugger.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'gfx/vr/ipc/VRManagerChild.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'gfxFontUtils::MapCharToGlyphFormat4()' function in 'gfx/thebes/gfxFontUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'ExecuteServiceCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'netwerk/sctp/datachannel/DataChannel.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An out-of-bounds access flaw exists in 'webrtc/modules/video_coding/rtp_frame_reference_finder.cc' that is triggered as certain input is not properly validated when handling VP9 missing frame processing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in 'js/src/gc/GC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'xpcom/ds/Observer.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'js/src/frontend/BytecodeEmitter.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GCMarker::markDelayedChildren()' function in 'js/src/gc/Marking.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'nsMozIconURI::Deserialize()' function in 'image/decoders/icon/nsIconURI.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered when managing physical audio devices. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'FromIPCSegment()' function in 'netwerk/base/nsStandardURL.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/base/StructuredCloneHolder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'JS::Rooted()' function in 'dom/xbl/nsXBLBinding.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/canvas/WebGLContextDraw.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/media/PeerConnection.js' that is triggered when handling ICE connection state changes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'hal/Hal.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

Solution

Upgrade to Firefox version 61 or later.

See Also

http://www.nessus.org/u?cf08db1a

Plugin Details

Severity: High

ID: 700330

Family: Web Clients

Published: 8/21/2018

Updated: 3/6/2019

Nessus ID: 110811

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 6/26/2018

Vulnerability Publication Date: 5/31/2018

Reference Information

CVE: CVE-2018-12358, CVE-2018-12359, CVE-2018-12360, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12368, CVE-2018-12369, CVE-2018-12370, CVE-2018-12371, CVE-2018-5156, CVE-2018-5186, CVE-2018-5187, CVE-2018-5188

BID: 104246, 104555, 104556, 104557, 104558, 104560, 104561, 104562