Mozilla Thunderbird < 24.1 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 8046

Synopsis

The remote host has an email client installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Thunderbird prior to 24.1 are prone to the following vulnerabilities:

- Miscellaneous use-after-free issues in the browsing engine (CVE-2013-5599, CVE-2013-5600, CVE-2013-5601)
- Memory corruption in the JavaScript engine when using workers with direct proxy (CVE-2013-5602)
- Use-after-free issues when interacting with HTML templates (CVE-2013-5603)
- Security bypass via iframe injection using PDF.js (CVE-2013-5598)
- Miscellaneous memory safety issues in the browser engine (CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-1739)
- Address spoofing in the address bar via SELECT element, which can lead to clickjacking and other spoofing attacks (CVE-2013-5593)
- Access violation due to uninitialized data in XSLT processing (CVE-2013-5604)
- Potential buffer/memory overflows in the JavaScript engine (CVE-2013-5595)
- Race condition causing a crash on extremely large pages (CVE-2013-5596)
- A use-after-free issue during state change events when updating the offline cache (CVE-2013-5597)

Solution

Upgrade to Thunderbird 24.1 or later.

See Also

http://www.mozilla.org/security/announce/2013/mfsa2013-102.html

http://www.mozilla.org/security/announce/2013/mfsa2013-101.html

http://www.mozilla.org/security/announce/2013/mfsa2013-100.html

http://www.mozilla.org/security/announce/2013/mfsa2013-99.html

http://www.mozilla.org/security/announce/2013/mfsa2013-98.html

http://www.mozilla.org/security/announce/2013/mfsa2013-97.html

http://www.mozilla.org/security/announce/2013/mfsa2013-96.html

http://www.mozilla.org/security/announce/2013/mfsa2013-95.html

http://www.mozilla.org/security/announce/2013/mfsa2013-94.html

http://www.mozilla.org/security/announce/2013/mfsa2013-93.html

Plugin Details

Severity: Critical

ID: 8046

Family: SMTP Clients

Published: 10/31/2013

Updated: 11/6/2019

Nessus ID: 70702

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:thunderbird

Patch Publication Date: 10/29/2012

Vulnerability Publication Date: 10/29/2012

Reference Information

CVE: CVE-2013-1739, CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5598, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604

BID: 62966, 63405, 63415, 63416, 63417, 63418, 63419, 63420, 63421, 63422, 63423, 63424, 63427, 63428, 63429, 63430