Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.MACOSX_FIREFOX_14_0.NASL
HistoryJul 19, 2012 - 12:00 a.m.

Firefox < 14.0 Multiple Vulnerabilities (Mac OS X)

2012-07-1900:00:00
This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17
JSON

The installed version of Firefox is earlier than 14.0 and thus, is potentially affected by the following security issues :

  • Several memory safety issues exist, some of which could potentially allow arbitrary code execution.
    (CVE-2012-1948, CVE-2012-1949)

  • An error related to drag and drop can allow incorrect URLs to be displayed. (CVE-2012-1950)

  • Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)

  • An error related to JavaScript functions ‘history.forward’ and ‘history.back’ can allow incorrect URLs to be displayed. (CVE-2012-1955)

  • Cross-site scripting attacks are possible due to an error related to the ‘<embed>’ tag within an RSS ‘<description>’ element. (CVE-2012-1957)

  • A use-after-free error exists related to the method ‘nsGlobalWindow::PageHidden’. (CVE-2012-1958)

  • An error exists that can allow ‘same-compartment security wrappers’ (SCSW) to be bypassed.
    (CVE-2012-1959)

  • An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960)

  • The ‘X-Frames-Options’ header is ignored if it is duplicated. (CVE-2012-1961)

  • A memory corruption error exists related to the method ‘JSDependentString::undepend’. (CVE-2012-1962)

  • An error related to the ‘Content Security Policy’ (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)

  • An error exists related to the ‘feed:’ URL that can allow cross-site scripting attacks. (CVE-2012-1965)

  • Cross-site scripting attacks are possible due to an error related to the ‘data:’ URL and context menus.
    (CVE-2012-1966)

  • An error exists related to the ‘javascript:’ URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(60039);
  script_version("1.14");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-1948",
    "CVE-2012-1949",
    "CVE-2012-1950",
    "CVE-2012-1951",
    "CVE-2012-1952",
    "CVE-2012-1953",
    "CVE-2012-1954",
    "CVE-2012-1955",
    "CVE-2012-1957",
    "CVE-2012-1958",
    "CVE-2012-1959",
    "CVE-2012-1960",
    "CVE-2012-1961",
    "CVE-2012-1962",
    "CVE-2012-1963",
    "CVE-2012-1965",
    "CVE-2012-1966",
    "CVE-2012-1967"
  );
  script_bugtraq_id(
    54572,
    54573,
    54574,
    54575,
    54576,
    54577,
    54578,
    54579,
    54580,
    54582,
    54583,
    54584,
    54585,
    54586
  );

  script_name(english:"Firefox < 14.0 Multiple Vulnerabilities (Mac OS X)");
  script_summary(english:"Checks version of Firefox");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The installed version of Firefox is earlier than 14.0 and thus, is
potentially affected by the following security issues :

  - Several memory safety issues exist, some of which could
    potentially allow arbitrary code execution.
    (CVE-2012-1948, CVE-2012-1949)

  - An error related to drag and drop can allow incorrect
    URLs to be displayed. (CVE-2012-1950)

  - Several memory safety issues exist related to the Gecko
    layout engine. (CVE-2012-1951, CVE-2012-1952,
    CVE-2012-1953, CVE-2012-1954)

  - An error related to JavaScript functions
    'history.forward' and 'history.back' can allow
    incorrect URLs to be displayed. (CVE-2012-1955)

  - Cross-site scripting attacks are possible due to an
    error related to the '<embed>' tag within an RSS
    '<description>' element. (CVE-2012-1957)

  - A use-after-free error exists related to the method
    'nsGlobalWindow::PageHidden'. (CVE-2012-1958)

  - An error exists that can allow 'same-compartment
    security wrappers' (SCSW) to be bypassed.
    (CVE-2012-1959)

  - An out-of-bounds read error exists related to the color
    management library (QCMS). (CVE-2012-1960)
  
  - The 'X-Frames-Options' header is ignored if it is
    duplicated. (CVE-2012-1961)

  - A memory corruption error exists related to the method
    'JSDependentString::undepend'. (CVE-2012-1962)

  - An error related to the 'Content Security Policy' (CSP)
    implementation can allow the disclosure of OAuth 2.0
    access tokens and OpenID credentials. (CVE-2012-1963)

  - An error exists related to the 'feed:' URL that can
    allow cross-site scripting attacks. (CVE-2012-1965)

  - Cross-site scripting attacks are possible due to an
    error related to the 'data:' URL and context menus.
    (CVE-2012-1966)

  - An error exists related to the 'javascript:' URL that
    can allow scripts to run at elevated privileges outside
    the sandbox. (CVE-2012-1967)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-42/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-43/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-44/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-45/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-46/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-47/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-48/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-49/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-50/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-51/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-52/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-56/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Firefox 14.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-1967");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");
kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');

mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'14.0', skippat:'^10\\.0\\.', severity:SECURITY_HOLE, xss:TRUE);
VendorProductVersionCPE
mozillafirefoxcpe:/a:mozilla:firefox

References

Related

nessus 36
ubuntu 3
openvas 65
suse 6
freebsd 1
oraclelinux 2
veracode 17
centos 2
redhat 2
securityvulns 1
osv 3
debian 3
mozilla 11
prion 16
ubuntucve 16
cve 14
checkpoint_advisories 1
nessus
nessus
Mozilla Firefox 13.x < 13 Multiple Vulnerabilities
2012-07-23 00:00:00
Firefox < 14.0 Multiple Vulnerabilities
2012-07-19 00:00:00
Mozilla Firefox < 14.0 Multiple Vulnerabilities
2012-07-23 00:00:00
ubuntu
ubuntu
Thunderbird vulnerabilities
2012-07-17 00:00:00
ubufox update
2012-07-18 00:00:00
Firefox vulnerabilities
2012-07-17 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-1510-1)
2012-07-19 00:00:00
openSUSE: Security Advisory for seamonkey (openSUSE-SU-2012:0935-1)
2012-12-13 00:00:00
Ubuntu Update for thunderbird USN-1510-1
2012-07-19 00:00:00
suse
suse
seamonkey: Update to Seamonkey 2.11 (important)
2012-08-01 18:08:34
Security update for Mozilla Firefox (important)
2012-07-21 03:08:21
xulrunner to 14.0.1 (critical)
2012-07-30 17:08:56
freebsd
freebsd
mozilla -- multiple vulnerabilities
2012-07-17 00:00:00
oraclelinux
oraclelinux
firefox security update
2012-07-17 00:00:00
thunderbird security update
2012-07-17 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 04:42:24
Arbitrary Code Execution
2019-05-02 04:42:29
Spoofing Vulnerability
2019-05-02 04:42:24
centos
centos
firefox, xulrunner security update
2012-07-17 20:41:16
thunderbird security update
2012-07-17 21:25:02
redhat
redhat
(RHSA-2012:1088) Critical: firefox security update
2012-07-17 00:00:00
(RHSA-2012:1089) Critical: thunderbird security update
2012-07-17 00:00:00
securityvulns
securityvulns
Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities
2012-08-13 00:00:00
osv
osv
iceweasel - several vulnerabilities
2012-07-17 00:00:00
icedove - several
2012-08-14 00:00:00
iceape - several vulnerabilities
2012-07-17 00:00:00
debian
debian
[SECURITY] [DSA 2514-1] iceweasel security update
2012-07-17 20:03:42
[SECURITY] [DSA 2528-1] icedove security update
2012-08-14 19:26:36
[SECURITY] [DSA 2513-1] iceape security update
2012-07-17 19:47:49
mozilla
mozilla
Gecko memory corruption — Mozilla
2012-07-17 00:00:00
Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) — Mozilla
2012-07-17 00:00:00
Content Security Policy 1.0 implementation errors cause data leakage — Mozilla
2012-07-17 00:00:00
prion
prion
Design/Logic Flaw
2012-07-18 10:26:00
Heap overflow
2012-07-18 10:26:00
Design/Logic Flaw
2012-07-18 10:26:00
ubuntucve
ubuntucve
CVE-2012-1951
2012-07-17 00:00:00
CVE-2012-1963
2012-07-17 00:00:00
CVE-2012-1949
2012-07-17 00:00:00
cve
cve
CVE-2012-1963
2012-07-18 10:26:00
CVE-2012-1951
2012-07-18 10:26:00
CVE-2012-1965
2012-07-18 10:26:00
checkpoint_advisories
checkpoint_advisories
Mozilla Multiple Products Table Frames Memory Corruption (CVE-2012-1952)
2012-10-14 00:00:00
JSON
Related for MACOSX_FIREFOX_14_0.NASL
nessus36ubuntu3openvas65suse6freebsd1oraclelinux2veracode17centos2redhat2securityvulns1osv3debian3mozilla11prion16ubuntucve16cve14checkpoint_advisories1