Detections
Analytics
Mozilla Firefox ESR < 24.8 Multiple Vulnerabilities
medium Nessus Network Monitor Plugin ID 701247
Synopsis
The remote host has a web browser installed that is vulnerable to multiple attack vectors.Description
Versions of Mozilla Firefox ESR prior to 24.8 are unpatched for the following vulnerabilities :- Use-after-free vulnerabilities -- when setting text direction, and when interacting with SVG content through the DOM -- which can be leveraged for arbitrary code execution (CVE-2014-1567, CVE-2014-1563)
- Out-of-bounds read in the Web Audio audio timeline that can trigger a crash and potentially disclose memory content (CVE-2014-1565)
- Incomplete memory initialization when rendering a malformed GIF image could expose that memory to scripts via web content using the '<canvas>' feature, resulting in information disclosure (CVE-2014-1564)
- Other undisclosed memory issues that have since been patched (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562)
Solution
Upgrade to Firefox ESR version 24.8 or later.See Also
https://www.mozilla.org/security/announce/2014/mfsa2014-67.html
https://www.mozilla.org/security/announce/2014/mfsa2014-68.html
https://www.mozilla.org/security/announce/2014/mfsa2014-69.html
https://www.mozilla.org/security/announce/2014/mfsa2014-70.html
https://www.mozilla.org/security/announce/2014/mfsa2014-72.html
Plugin Details
Severity: Medium
ID: 701247
Family: Web Clients
Published: 11/6/2019
Updated: 11/6/2019
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Temporal Score: 5.4
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mozilla:firefox_esr
Patch Publication Date: 9/2/2014
Vulnerability Publication Date: 9/2/2014
Reference Information
CVE: CVE-2014-1553, CVE-2014-1554, CVE-2014-1562, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567