Mozilla Firefox ESR < 24.1 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 701256

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 24.1 are affected by the following vulnerabilities:

- Miscellaneous use-after-free issues in the browsing engine (CVE-2013-5599, CVE-2013-5600, CVE-2013-5601)
- Memory corruption in the JavaScript engine when using workers with direct proxy (CVE-2013-5602)
- Use-after-free issues when interacting with HTML templates (CVE-2013-5603)
- Security bypass via iframe injection using PDF.js (CVE-2013-5598)
- Miscellaneous memory safety issues in the browser engine (CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-1739)
- Address spoofing in the address bar via the SELECT element, which can lead to clickjacking and other spoofing attacks (CVE-2013-5593)
- Access violation due to uninitialized data in XSLT processing (CVE-2013-5604)
- Potential buffer/memory overflows in the JavaScript engine (CVE-2013-5595)
- Race condition causing a crash on extremely large pages (CVE-2013-5596)
- A use-after-free issue during state change events when updating the offline cache (CVE-2013-5597)

Solution

Upgrade to Firefox ESR version 24.1 or later.

See Also

http://www.mozilla.org/security/announce/2013/mfsa2013-102.html

http://www.mozilla.org/security/announce/2013/mfsa2013-101.html

http://www.mozilla.org/security/announce/2013/mfsa2013-100.html

http://www.mozilla.org/security/announce/2013/mfsa2013-99.html

http://www.mozilla.org/security/announce/2013/mfsa2013-98.html

http://www.mozilla.org/security/announce/2013/mfsa2013-97.html

http://www.mozilla.org/security/announce/2013/mfsa2013-96.html

http://www.mozilla.org/security/announce/2013/mfsa2013-95.html

http://www.mozilla.org/security/announce/2013/mfsa2013-94.html

http://www.mozilla.org/security/announce/2013/mfsa2013-93.html

Plugin Details

Severity: Critical

ID: 701256

Family: Web Clients

Published: 11/6/2019

Updated: 11/6/2019

Nessus ID: 70702

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Patch Publication Date: 10/29/2012

Vulnerability Publication Date: 10/29/2012

Reference Information

CVE: CVE-2013-1739, CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5598, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604

BID: 62966, 63405, 63415, 63416, 63417, 63418, 63419, 63420, 63421, 63422, 63423, 63424, 63427, 63428, 63429, 63430