SeaMonkey < 2.23 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 8072

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of SeaMonkey earlier than 2.23 are prone to the following vulnerabilities:

- Miscellaneous memory safety hazards (CVE-2013-5609, CVE-2013-5610)

- Potential XSS vulnerability via cross-domain inheritance of charset (CVE-2013-5612)

- Sandbox restrictions are not properly applied to nested object elements, which could be leveraged to bypass restrictions (CVE-2013-5614)

- Use-after-free in event listeners, table editing user interface, synthetic mouse movement can lead to a potentially exploitable crash (CVE-2013-5616, CVE-2013-5613, CVE-2013-5618)

- Binary search algorithms in the Javascript engine are contain potential out-of-bounds array access, though these are not directly exploitable (CVE-2013-5619)

- Segmentation violation when replacing ordered list elements in a document via script can lead to a potentially exploitable crash (CVE-2013-6671)

- On Linux systems, clipboard content may be made accessible to web content when a user pastes a selection with a middle-click, which can lead to information disclosure (CVE-2013-6672)

- Extended validation root certificates remain trusted even if the user has explicitly removes the trust. (CVE-2013-6673)

- GetElementIC typed arrays can be generated outside observed typesets, with unknown security impact (CVE-2013-5615)

- Issues in the JPEG image processing library can allow arbitrary memory to be read, as well as cross-domain theft (CVE-2013-6629, CVE-2013-6630)

- An intermediary CA that is chained up to a root within Mozilla's root store was revoked for supplying an intermediate certificate that allowed a man-in-the-middle proxy to perform traffic management of domain names and IP addresses the certificate holder did not own or control.

Solution

Upgrade to SeaMonkey 2.23, or later.

See Also

http://www.mozilla.org/security/announce/2013/mfsa2013-104.html

http://www.mozilla.org/security/announce/2013/mfsa2013-106.html

http://www.mozilla.org/security/announce/2013/mfsa2013-107.html

http://www.mozilla.org/security/announce/2013/mfsa2013-108.html

http://www.mozilla.org/security/announce/2013/mfsa2013-109.html

http://www.mozilla.org/security/announce/2013/mfsa2013-110.html

http://www.mozilla.org/security/announce/2013/mfsa2013-111.html

http://www.mozilla.org/security/announce/2013/mfsa2013-112.html

http://www.mozilla.org/security/announce/2013/mfsa2013-113.html

http://www.mozilla.org/security/announce/2013/mfsa2013-114.html

http://www.mozilla.org/security/announce/2013/mfsa2013-115.html

http://www.mozilla.org/security/announce/2013/mfsa2013-116.html

http://www.mozilla.org/security/announce/2013/mfsa2013-117.html

Plugin Details

Severity: Critical

ID: 8072

Family: Web Clients

Published: 12/16/2013

Updated: 3/6/2019

Nessus ID: 71349

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:seamonkey

Patch Publication Date: 12/10/2012

Vulnerability Publication Date: 12/10/2012

Reference Information

CVE: CVE-2013-5609, CVE-2013-5610, CVE-2013-5612, CVE-2013-5613, CVE-2013-5614, CVE-2013-5615, CVE-2013-5616, CVE-2013-5618, CVE-2013-5619, CVE-2013-6671, CVE-2013-6672, CVE-2013-6673

BID: 64216, 64215, 64213, 64212, 64211, 64210, 64209, 64207, 64206, 64205, 64204, 64203