Detections
Analytics
Mozilla Firefox ESR < 24.5 Multiple Vulnerabilities
high Nessus Network Monitor Plugin ID 701244
Synopsis
The remote host has a web browser installed that is vulnerable to multiple attack vectors.Description
Versions of Mozilla Firefox ESR prior to 24.5 are unpatched against the following vulnerabilities :- Use-after-free vulnerabilities in nsHostResolver, imgLoader, and Text Track Manager (for HTML video), which can crash with a potentially exploitable condition (CVE-2014-1532, CVE-2014-1531, CVE-2014-1525)
- A potentially exploitable out-of-bounds write in Cairo, a potentially exploitable out-of-bounds read issue with Web Audio, and a non-exploitable out-of-bounds read when decoding JPG images (CVE-2014-1528, CVE-2014-1522, CVE-2014-1523)
- Improper wildcard matching of domains in the Network Security Services (NSS library), which has since been fixed by updating to version 3.16 (CVE-2014-1492)
- Potential privilege escalation via Xray Wrappers bypass, which can occur if a user used the debugger to interact with a malicious page (CVE-2014-1526)
- Privilege escalation for scripts when sites that have been granted notification permissions by a user can bypass security checks on source components for the Web Notification API (CVE-2014-1529)
- Privilege escalation via the Mozilla Maintenance Service Installer, which writes to a globally writeable temporary directory during the update process (Windows only) (CVE-2014-1520)
- A potentially exploitable buffer overflow when a script uses a non-XBL object as an XBL object (CVE-2014-1524)
- A cross-site scripting vulnerability using browser navigations through history to load a website with the page's base URI pointing to a different site (CVE-2014-1530)
- Various memory safety hazards (CVE-2014-1518, CVE-2014-1519)
Solution
Upgrade to Firefox ESR versions 24.5, or later.See Also
http://www.mozilla.org/security/announce/2014/mfsa2014-47.html
http://www.mozilla.org/security/announce/2014/mfsa2014-46.html
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
http://www.mozilla.org/security/announce/2014/mfsa2014-44.html
http://www.mozilla.org/security/announce/2014/mfsa2014-43.html
http://www.mozilla.org/security/announce/2014/mfsa2014-42.html
http://www.mozilla.org/security/announce/2014/mfsa2014-41.html
http://www.mozilla.org/security/announce/2014/mfsa2014-40.html
http://www.mozilla.org/security/announce/2014/mfsa2014-39.html
http://www.mozilla.org/security/announce/2014/mfsa2014-38.html
http://www.mozilla.org/security/announce/2014/mfsa2014-37.html
http://www.mozilla.org/security/announce/2014/mfsa2014-36.html
http://www.mozilla.org/security/announce/2014/mfsa2014-35.html
http://www.mozilla.org/security/announce/2014/mfsa2014-34.html
Plugin Details
Severity: High
ID: 701244
Family: Web Clients
Published: 11/6/2019
Updated: 11/6/2019
Nessus ID: 73769
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 8.1
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: High
Base Score: 8.1
Temporal Score: 7.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mozilla:firefox_esr
Patch Publication Date: 4/29/2014
Vulnerability Publication Date: 4/29/2014
Reference Information
CVE: CVE-2014-1492, CVE-2014-1518, CVE-2014-1519, CVE-2014-1520, CVE-2014-1522, CVE-2014-1523, CVE-2014-1524, CVE-2014-1525, CVE-2014-1526, CVE-2014-1528, CVE-2014-1529, CVE-2014-1530, CVE-2014-1531, CVE-2014-1532
BID: 66356, 67123, 67129, 67130, 67131, 67134, 67135, 67137, 67125, 67127, 67132, 67133, 67136, 67126