The remote Red Hat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
Mozilla: Sandbox escape with improperly separated process types (CVE-2020-12389)
Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 (CVE-2020-12395)
Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5429)
Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5430)
A use-after-free vulnerability occurs during certain text input selection resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5432)
A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5433)
A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5434)
A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5435)
An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5436)
A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5438)
A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5439)
A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions during matching while evaluating context, leading to objects being used when they no longer exist. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5440)
A use-after-free vulnerability when holding a selection during scroll events. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5441)
A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5442)
An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5443)
A buffer overflow vulnerability while parsing application/http-index-format format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5444)
A vulnerability while parsing application/http-index-format format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5445)
An out-of-bounds read when an HTTP/2 connection to a server sends DATA frames with incorrect data content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5446)
An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5447)
An out-of-bounds write in ClearKeyDecryptor while decrypting some Clearkey-encrypted media content. The ClearKeyDecryptor code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5448)
A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5449)
A mechanism to spoof the addressbar through the user interaction on the addressbar and the onblur event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5451)
A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5454)
The internal feed reader APIs that crossed the sandbox barrier allowed for a sandbox escape and escalation of privilege if combined with another vulnerability that resulted in remote code execution inside the sandboxed process. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. (CVE-2017-5455)
A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. (CVE-2017-5456)
A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5459)
A use-after-free vulnerability in frame selection triggered by a combination of malicious script content and key presses by a user. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5460)
During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with the accessibility tree, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5464)
An out-of-bounds read while processing SVG content in ConvolvePixel. This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could then be displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5465)
If a page is loaded from an original site through a hyperlink and contains a redirect to a data:text/html URL, triggering a reload will run the reloaded data:text/html page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5466)
A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5467)
Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5469)
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox < 55. (CVE-2017-7781)
A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv=refresh on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. (CVE-2018-18499)
An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. (CVE-2018-5146)
Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11709)
Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 68. (CVE-2019-11710)
When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11711)
POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11712)
A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11713)
Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 68. (CVE-2019-11714)
Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11715)
Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. This vulnerability affects Firefox < 68. (CVE-2019-11716)
A vulnerability exists where the caret (^) character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11717)
Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snippet Service were compromised. This vulnerability affects Firefox < 68. (CVE-2019-11718)
Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox < 68. (CVE-2019-11720)
The unicode latin ‘kra’ character can be used to spoof a standard ‘k’ character in the addressbar. This allows for domain spoofing attacks as it does not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68. (CVE-2019-11721)
A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different containers for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability affects Firefox < 68. (CVE-2019-11723)
Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox < 68. (CVE-2019-11724)
When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox < 68. (CVE-2019-11725)
The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that is accessible to a user when web content is loaded. This vulnerability affects Firefox < 68. (CVE-2019-11728)
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app’s predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11730)
Mozilla developers and community members reported memory safety bugs present in Firefox 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69. (CVE-2019-11734)
Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11735)
The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access. Additionally, there was a race condition during checks for junctions and symbolic links by the Maintenance Service, allowing for potential local file and directory manipulation to be undetected in some circumstances. This allows for potential privilege escalation by a user with unprivileged local access. Note: These attacks require local system access and only affect Windows. Other operating systems are not affected. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11736)
If a wildcard (‘*’) is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69. (CVE-2019-11737)
If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11738)
Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in an HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. (CVE-2019-11739)
Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11740)
A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user’s Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process. This vulnerability affects Firefox < 69. (CVE-2019-11741)
A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11742)
Navigation events were not fully adhering to the W3C’s Navigation-Timing Level 2 draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11743)
Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11744)
A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11746)
The Forget about this site feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site’s HSTS setting will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11747)
WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11748)
A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11749)
A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11750)
Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows ‘Startup’ folder. Note: this issue only affects Firefox on Windows operating systems. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11751)
It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11752)
The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable has been replaced locally. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox < 69, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11753)
When the pointer lock is enabled by a website through requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1. (CVE-2019-11754)
When following the value’s prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11757)
Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort it could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11758)
An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11759)
A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11760)
By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11761)
If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11762)
Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters, enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11763)
Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11764)
Inappropriate implementation in WebRTC in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2019-13722)
The plain text serializer used a fixed-size array for the number of <ol> elements it could process; however it was possible to overflow the static-sized array leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17005)
When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17008)
When running, the updater service wrote status and log files to an unrestricted location, potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater service. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17009)
Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17010)
Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17011)
Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17012)
Mozilla developers reported memory safety bugs present in Firefox 70. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 71. (CVE-2019-17013)
If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71. (CVE-2019-17014)
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17016)
Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort it could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17017)
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node’s innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17022)
Mozilla developers reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17024)
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. (CVE-2019-17026)
Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (CVE-2019-5849)
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-9811)
Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. (CVE-2019-9812)
A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12387)
The Firefox content processes did not sufficiently lock down access control which could result in a sandbox escape. Note: this issue only affects Firefox on Windows operating systems. This vulnerability affects Firefox ESR < 68.8 and Firefox < 76. (CVE-2020-12388)
Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This vulnerability affects Firefox < 76. (CVE-2020-12390)
Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76. (CVE-2020-12391)
The ‘Copy as cURL’ feature of Devtools’ network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the ‘Copy as cURL’ feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12392)
The ‘Copy as cURL’ feature of Devtools’ network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the ‘Copy as cURL’ feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. Note: this issue only affects Firefox on Windows operating systems. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12393)
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76. (CVE-2020-12394)
Mozilla developers and community members reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 76. (CVE-2020-12396)
By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. (CVE-2020-12397)
If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0. (CVE-2020-12398)
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12405)
Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12406)
Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12410)
Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12418)
When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12419)
When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12420)
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12421)
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78. (CVE-2020-12422)
When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)
Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78. (CVE-2020-12425)
If an attacker intercepts Thunderbird’s initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker. This vulnerability affects Thunderbird < 68.10.0. (CVE-2020-15646)
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2. (CVE-2020-15648)
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. (CVE-2020-15652)
An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15653)
When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15654)
JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk was already mitigated by various precautions in the code, resulting in this bug rated at only moderate severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15656)
Firefox could be made to load attacker-supplied DLL files from the installation directory. This required an attacker that is already capable of placing files in the installation directory. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15657)
The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15658)
Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR 78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. (CVE-2020-15659)
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80. (CVE-2020-15664)
When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. This results in a use-after-free and we presume that with enough effort it could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.12 and Thunderbird < 68.12. (CVE-2020-15669)
Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15673)
Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15676)
By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15677)
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15678)
Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4, Firefox < 82, and Thunderbird < 78.4. (CVE-2020-15683)
Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2020-16012)
In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2. (CVE-2020-26950)
A parsing and event loading mismatch in Firefox’s SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26951)
It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26953)
In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26956)
Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26958)
During browser shutdown, reference decrementing could have occurred on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26959)
If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26960)
When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26961)
Some websites have a feature Show Password where clicking a button will change a password field into a text field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26965)
Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26968)
When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable. This vulnerability affects Thunderbird < 78.5.1. (CVE-2020-26970)
Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26971)
Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26973)
When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26974)
Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network’s hosts as well as services running on the user’s local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26978)
When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35111)
Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35113)
When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5. (CVE-2020-6792)
When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location. This vulnerability affects Thunderbird < 68.5. (CVE-2020-6793)
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5. (CVE-2020-6794)
When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects Thunderbird < 68.5. (CVE-2020-6795)
A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 73 and Firefox ESR < 68.5. (CVE-2020-6796)
If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but is potentially a risk in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox ESR < 68.5. (CVE-2020-6798)
Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox ESR < 68.5. (CVE-2020-6800)
Mozilla developers reported memory safety bugs present in Firefox 72. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 73. (CVE-2020-6801)
When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, and Firefox ESR < 68.6. (CVE-2020-6805)
By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, and Firefox ESR < 68.6. (CVE-2020-6806)
When a device was changed while a stream was about to be destroyed, the stream-reinit task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, and Firefox ESR < 68.6. (CVE-2020-6807)
When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document’s URL (as reported by the document.location property, for example) was the originating javascript: URL which could lead to spoofing attacks; it is now correctly the URL of the originating document. This vulnerability affects Firefox < 74. (CVE-2020-6808)
When a Web Extension had the all-urls permission and made a fetch request with a mode set to ‘same-origin’, it was possible for the Web Extension to read local files. This vulnerability affects Firefox < 74. (CVE-2020-6809)
After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74. (CVE-2020-6810)
The ‘Copy as cURL’ feature of Devtools’ network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the ‘Copy as cURL’ feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, and Firefox ESR < 68.6. (CVE-2020-6811)
The first time AirPods are connected to an iPhone, they become named after the user’s name by default (e.g. Jane Doe’s AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user’s name. To resolve this issue, Firefox added a special case that renames devices containing the substring ‘AirPods’ to simply ‘AirPods’. This vulnerability affects Thunderbird < 68.6, Firefox < 74, and Firefox ESR < 68.6. (CVE-2020-6812)
When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy. This vulnerability affects Firefox < 74. (CVE-2020-6813)
Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.6, Firefox < 74, and Firefox ESR < 68.6. (CVE-2020-6814)
Mozilla developers reported memory safety and script safety bugs present in Firefox 73. Some of these bugs showed evidence of memory corruption or escalation of privilege and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 74. (CVE-2020-6815)
Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6819)
Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6820)
When reading from areas partially or fully outside the source resource with WebGL’s copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6821)
On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in GMPDecodeData. It is possible that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6822)
A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user’s account at the service provider. This vulnerability affects Firefox < 75. (CVE-2020-6823)
Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75. (CVE-2020-6824)
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6825)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory mozilla. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(196782);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/13");
script_cve_id(
"CVE-2017-5429",
"CVE-2017-5430",
"CVE-2017-5432",
"CVE-2017-5433",
"CVE-2017-5434",
"CVE-2017-5435",
"CVE-2017-5436",
"CVE-2017-5438",
"CVE-2017-5439",
"CVE-2017-5440",
"CVE-2017-5441",
"CVE-2017-5442",
"CVE-2017-5443",
"CVE-2017-5444",
"CVE-2017-5445",
"CVE-2017-5446",
"CVE-2017-5447",
"CVE-2017-5448",
"CVE-2017-5449",
"CVE-2017-5451",
"CVE-2017-5454",
"CVE-2017-5455",
"CVE-2017-5456",
"CVE-2017-5459",
"CVE-2017-5460",
"CVE-2017-5464",
"CVE-2017-5465",
"CVE-2017-5466",
"CVE-2017-5467",
"CVE-2017-5469",
"CVE-2017-7781",
"CVE-2018-5146",
"CVE-2018-18499",
"CVE-2019-5849",
"CVE-2019-9811",
"CVE-2019-9812",
"CVE-2019-11709",
"CVE-2019-11710",
"CVE-2019-11711",
"CVE-2019-11712",
"CVE-2019-11713",
"CVE-2019-11714",
"CVE-2019-11715",
"CVE-2019-11716",
"CVE-2019-11717",
"CVE-2019-11718",
"CVE-2019-11720",
"CVE-2019-11721",
"CVE-2019-11723",
"CVE-2019-11724",
"CVE-2019-11725",
"CVE-2019-11728",
"CVE-2019-11730",
"CVE-2019-11734",
"CVE-2019-11735",
"CVE-2019-11736",
"CVE-2019-11737",
"CVE-2019-11738",
"CVE-2019-11739",
"CVE-2019-11740",
"CVE-2019-11741",
"CVE-2019-11742",
"CVE-2019-11743",
"CVE-2019-11744",
"CVE-2019-11746",
"CVE-2019-11747",
"CVE-2019-11748",
"CVE-2019-11749",
"CVE-2019-11750",
"CVE-2019-11751",
"CVE-2019-11752",
"CVE-2019-11753",
"CVE-2019-11754",
"CVE-2019-11757",
"CVE-2019-11758",
"CVE-2019-11759",
"CVE-2019-11760",
"CVE-2019-11761",
"CVE-2019-11762",
"CVE-2019-11763",
"CVE-2019-11764",
"CVE-2019-13722",
"CVE-2019-17005",
"CVE-2019-17008",
"CVE-2019-17009",
"CVE-2019-17010",
"CVE-2019-17011",
"CVE-2019-17012",
"CVE-2019-17013",
"CVE-2019-17014",
"CVE-2019-17016",
"CVE-2019-17017",
"CVE-2019-17022",
"CVE-2019-17024",
"CVE-2019-17026",
"CVE-2020-6792",
"CVE-2020-6793",
"CVE-2020-6794",
"CVE-2020-6795",
"CVE-2020-6796",
"CVE-2020-6798",
"CVE-2020-6800",
"CVE-2020-6801",
"CVE-2020-6805",
"CVE-2020-6806",
"CVE-2020-6807",
"CVE-2020-6808",
"CVE-2020-6809",
"CVE-2020-6810",
"CVE-2020-6811",
"CVE-2020-6812",
"CVE-2020-6813",
"CVE-2020-6814",
"CVE-2020-6815",
"CVE-2020-6819",
"CVE-2020-6820",
"CVE-2020-6821",
"CVE-2020-6822",
"CVE-2020-6823",
"CVE-2020-6824",
"CVE-2020-6825",
"CVE-2020-12387",
"CVE-2020-12388",
"CVE-2020-12389",
"CVE-2020-12390",
"CVE-2020-12391",
"CVE-2020-12392",
"CVE-2020-12393",
"CVE-2020-12394",
"CVE-2020-12395",
"CVE-2020-12396",
"CVE-2020-12397",
"CVE-2020-12398",
"CVE-2020-12405",
"CVE-2020-12406",
"CVE-2020-12410",
"CVE-2020-12418",
"CVE-2020-12419",
"CVE-2020-12420",
"CVE-2020-12421",
"CVE-2020-12422",
"CVE-2020-12424",
"CVE-2020-12425",
"CVE-2020-15646",
"CVE-2020-15648",
"CVE-2020-15652",
"CVE-2020-15653",
"CVE-2020-15654",
"CVE-2020-15656",
"CVE-2020-15657",
"CVE-2020-15658",
"CVE-2020-15659",
"CVE-2020-15664",
"CVE-2020-15669",
"CVE-2020-15673",
"CVE-2020-15676",
"CVE-2020-15677",
"CVE-2020-15678",
"CVE-2020-15683",
"CVE-2020-16012",
"CVE-2020-26950",
"CVE-2020-26951",
"CVE-2020-26953",
"CVE-2020-26956",
"CVE-2020-26958",
"CVE-2020-26959",
"CVE-2020-26960",
"CVE-2020-26961",
"CVE-2020-26965",
"CVE-2020-26968",
"CVE-2020-26970",
"CVE-2020-26971",
"CVE-2020-26973",
"CVE-2020-26974",
"CVE-2020-26978",
"CVE-2020-35111",
"CVE-2020-35113"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2020-0007");
script_xref(name:"CEA-ID", value:"CEA-2020-0032");
script_name(english:"RHEL 5 : mozilla (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- Mozilla: Sandbox escape with improperly separated process types (CVE-2020-12389)
- Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 (CVE-2020-12395)
- Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some
of these bugs showed evidence of memory corruption and we presume that with enough effort that some of
these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR
< 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5429)
- Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Thunderbird 52. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort that some of these could be
exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and
Firefox < 53. (CVE-2017-5430)
- A use-after-free vulnerability occurs during certain text input selection resulting in a potentially
exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1,
and Firefox < 53. (CVE-2017-5432)
- A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in
an array are dropped from the animation controller while still in use. This results in a potentially
exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1,
and Firefox < 53. (CVE-2017-5433)
- A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially
exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1,
and Firefox < 53. (CVE-2017-5434)
- A use-after-free vulnerability occurs during transaction processing in the editor during design mode
interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird <
52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5435)
- An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This
results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as
Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1,
and Firefox < 53. (CVE-2017-5436)
- A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed
handler during handling. This results in a potentially exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5438)
- A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This
results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5439)
- A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions
during matching while evaluating context, leading to objects being used when they no longer exist. This
results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5440)
- A use-after-free vulnerability when holding a selection during scroll events. This results in a
potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5441)
- A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a
potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5442)
- An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This
vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5443)
- A buffer overflow vulnerability while parsing application/http-index-format format content when the
header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This
vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5444)
- A vulnerability while parsing application/http-index-format format content where uninitialized values
are used to create an array. This could allow the reading of uninitialized memory into the arrays
affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and
Firefox < 53. (CVE-2017-5445)
- An out-of-bounds read when an HTTP/2 connection to a server sends DATA frames with incorrect data
content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1,
Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5446)
- An out-of-bounds read during the processing of glyph widths during text layout. This results in a
potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This
vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5447)
- An out-of-bounds write in ClearKeyDecryptor while decrypting some Clearkey-encrypted media content. The
ClearKeyDecryptor code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found
to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory,
resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 45.9, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5448)
- A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in
concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and
Firefox < 53. (CVE-2017-5449)
- A mechanism to spoof the addressbar through the user interaction on the addressbar and the onblur event.
The event could be used by script to affect text display to make the loaded site appear to be different
from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5451)
- A mechanism to bypass file system access protections in the sandbox to use the file picker to access
different files than those selected in the file picker through the use of relative paths. This allows for
read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5454)
- The internal feed reader APIs that crossed the sandbox barrier allowed for a sandbox escape and escalation
of privilege if combined with another vulnerability that resulted in remote code execution inside the
sandboxed process. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. (CVE-2017-5455)
- A mechanism to bypass file system access protections in the sandbox using the file system request
constructor through an IPC message. This allows for read and write access to the local file system. This
vulnerability affects Firefox ESR < 52.1 and Firefox < 53. (CVE-2017-5456)
- A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This
vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5459)
- A use-after-free vulnerability in frame selection triggered by a combination of malicious script content
and key presses by a user. This results in a potentially exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5460)
- During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync
with the accessibility tree, leading to memory corruption and a potentially exploitable crash. This
vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5464)
- An out-of-bounds read while processing SVG content in ConvolvePixel. This results in a crash and also
allows for otherwise inaccessible memory being copied into SVG graphic content, which could then be
displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and
Firefox < 53. (CVE-2017-5465)
- If a page is loaded from an original site through a hyperlink and contains a redirect to a
data:text/html URL, triggering a reload will run the reloaded data:text/html page with its origin set
incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird <
52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5466)
- A potential memory corruption and crash when using Skia content when drawing content outside of the bounds
of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5467)
- Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This
vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5469)
- An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates
where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use
this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
This vulnerability affects Firefox < 55. (CVE-2017-7781)
- A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta
http-equiv=refresh on a page to cause a redirection to another site using performance.getEntries(). This is a
same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62,
Firefox ESR < 60.2, and Thunderbird < 60.2.1. (CVE-2018-18499)
- An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.
This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. (CVE-2018-5146)
- Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR
60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that
some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8,
Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11709)
- Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort that some of these could
be exploited to run arbitrary code. This vulnerability affects Firefox < 68. (CVE-2019-11710)
- When an inner window is reused, it does not consider the use of document.domain for cross-origin
protections. If pages on different subdomains ever cooperatively use document.domain, then either page can
abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use
document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox <
68, and Thunderbird < 60.8. (CVE-2019-11711)
- POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass
CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This
vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11712)
- A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in
use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox
< 68, and Thunderbird < 60.8. (CVE-2019-11713)
- Necko can access a child on the wrong thread during UDP connections, resulting in a potentially
exploitable crash in some instances. This vulnerability affects Firefox < 68. (CVE-2019-11714)
- Due to an error while parsing page content, it is possible for properly sanitized user input to be
misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects
Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11715)
- Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible
to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on
enumerating and freezing access to the window object may miss this, allowing their sandboxes to be
bypassed. This vulnerability affects Firefox < 68. (CVE-2019-11716)
- A vulnerability exists where the caret (^) character is improperly escaped constructing some URIs due to
it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability
affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11717)
- Activity Stream can display content sent from the Snippet Service website. This content is written to
innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other
information available to the Activity Stream, such as browsing history, if the Snippet Service were
compromised. This vulnerability affects Firefox < 68. (CVE-2019-11718)
- Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of
triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting
(XSS) filtering. This vulnerability affects Firefox < 68. (CVE-2019-11720)
- The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This
allows for domain spoofing attacks as they do not display as punycode text, allowing for user confusion. This
vulnerability affects Firefox < 68. (CVE-2019-11721)
- A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin
attributes of the browsing context. This could leak cookies in private browsing mode or across different
containers for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability
affects Firefox < 68. (CVE-2019-11723)
- Application permissions give additional remote troubleshooting permission to the site input.mozilla.org,
which has been retired and now redirects to another site. This additional permission is unnecessary and is
a potential vector for malicious attacks. This vulnerability affects Firefox < 68. (CVE-2019-11724)
- When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and
navigation is interrupted but resources from the same site loaded through websockets are not blocked,
leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability
affects Firefox < 68. (CVE-2019-11725)
- The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of
any host that is accessible to a user when web content is loaded. This vulnerability affects Firefox <
68. (CVE-2019-11728)
- A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to
access other files in the same directory or sub-directories if the names are known or guessed. The Fetch
API can then be used to read the contents of any files stored in these directories and they may be uploaded
to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious
HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's
predictable pattern for locally-saved file names, it is possible to read attachments the victim received
from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird <
60.8. (CVE-2019-11730)
- Mozilla developers and community members reported memory safety bugs present in Firefox 68. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort that some of these could
be exploited to run arbitrary code. This vulnerability affects Firefox < 69. (CVE-2019-11734)
- Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR
68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that
some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69 and
Firefox ESR < 68.1. (CVE-2019-11735)
- The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the
updates directory, allowing for the replacement of local files, including the Maintenance Service
executable, which is run with privileged access. Additionally, there was a race condition during checks
for junctions and symbolic links by the Maintenance Service, allowing for potential local file and
directory manipulation to be undetected in some circumstances. This allows for potential privilege
escalation by a user with unprivileged local access. *Note: These attacks require local system access
and only affect Windows. Other operating systems are not affected.*. This vulnerability affects Firefox <
69 and Firefox ESR < 68.1. (CVE-2019-11736)
- If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or
path restriction of the directive will be ignored, leading to CSP directives not being properly applied to
content. This vulnerability affects Firefox < 69. (CVE-2019-11737)
- If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty
string as input, execution of any javascript: URIs will be allowed. This could allow for malicious
JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and
Firefox ESR < 68.1. (CVE-2019-11738)
- Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in an
HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. (CVE-2019-11739)
- Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR
68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with
enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects
Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
(CVE-2019-11740)
- A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on
content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and
accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within
the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be
isolated into their own process and not allowed to be loaded in a standard content process. This
vulnerability affects Firefox < 69. (CVE-2019-11741)
- A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of
SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached
image content. The resulting same-origin policy violation could allow for data theft. This vulnerability
affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
(CVE-2019-11742)
- Navigation events were not fully adhering to the W3C's Navigation-Timing Level 2 draft specification in
some instances for the unload event, which restricts access to detailed timing attributes to only be
same-origin. This resulted in potential cross-origin information exposure of history through timing
side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox
ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11743)
- Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without
treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and
subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site
does not filter user input as strictly for these elements as it does for other elements. This
vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and
Firefox ESR < 68.1. (CVE-2019-11744)
- A use-after-free vulnerability can occur while manipulating video elements if the body is freed while
still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 69,
Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11746)
- The Forget about this site feature in the History pane is intended to remove all saved user data that
indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS)
settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS
setting removed. On the next visit to that site if the user specifies an http: URL rather than secure
https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting
will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11747)
- WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera
resources even when in a third-party context. In light of recent high profile vulnerabilities in other
software, a decision was made to no longer persist these permissions. This avoids the possibility of
trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given
by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69
and Firefox ESR < 68.1. (CVE-2019-11748)
- A vulnerability exists in WebRTC where malicious web content can use probing techniques on the
getUserMedia API using constraints to reveal device properties of cameras on the system without triggering
a user prompt or notification. This allows for the potential fingerprinting of users. This vulnerability
affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11749)
- A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This
vulnerability affects Firefox < 69 and Firefox ESR < 68.1. (CVE-2019-11750)
- Logging-related command line parameters are not properly sanitized when Firefox is launched by another
program, such as when a user clicks on malicious links in a chat application. This can be used to write a
log file to an arbitrary location such as the Windows 'Startup' folder. *Note: this issue only affects
Firefox on Windows operating systems.*. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
(CVE-2019-11751)
- It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This
results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69,
Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11752)
- The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it
unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is
manipulated to update this unprotected location and the updated maintenance service in the unprotected
location has been altered, the altered maintenance service can run with elevated privileges during the
update process due to a lack of integrity checks. This allows for privilege escalation if the executable
has been replaced locally. *Note: This attack requires local system access and only affects Windows.
Other operating systems are not affected.*. This vulnerability affects Firefox < 69, Firefox ESR < 60.9,
and Firefox ESR < 68.1. (CVE-2019-11753)
- When the pointer lock is enabled by a website through requestPointerLock(), no user notification is given.
This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability
affects Firefox < 69.0.1. (CVE-2019-11754)
- When following the value's prototype chain, it was possible to retain a reference to a locale, delete it,
and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash. This
vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11757)
- Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total
Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we
presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability
affects Firefox < 69, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11758)
- An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the
stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. This
vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11759)
- A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a
potentially exploitable crash in some instances. This vulnerability affects Firefox < 70, Thunderbird <
68.2, and Firefox ESR < 68.2. (CVE-2019-11760)
- By using a form with a data URI it was possible to gain access to the privileged JSONView object that had
been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass
of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and
Firefox ESR < 68.2. (CVE-2019-11761)
- If two same-origin documents set document.domain differently to become cross-origin, it was possible for
them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability
affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11762)
- Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly
parsing these entities. This could have led to HTML comment text being treated as HTML which could have
led to XSS in a web application under certain conditions. It could have also led to HTML entities being
masked from filters - enabling the use of entities to mask the actual characters of interest from filters.
This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11763)
- Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR
68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 70, Thunderbird <
68.2, and Firefox ESR < 68.2. (CVE-2019-11764)
- Inappropriate implementation in WebRTC in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to
potentially exploit heap corruption via a crafted HTML page. (CVE-2019-13722)
- The plain text serializer used a fixed-size array for the number of <ol> elements it could process;
however it was possible to overflow the static-sized array leading to memory corruption and a potentially
exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
(CVE-2019-17005)
- When using nested workers, a use-after-free could occur during worker destruction. This resulted in a
potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and
Firefox < 71. (CVE-2019-17008)
- When running, the updater service wrote status and log files to an unrestricted location; potentially
allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater
service. *Note: This attack requires local system access and only affects Windows. Other operating systems
are not affected.*. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
(CVE-2019-17009)
- Under certain conditions, when checking the Resist Fingerprinting preference during device orientation
checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This
vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17010)
- Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race
condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability
affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17011)
- Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3,
and Firefox < 71. (CVE-2019-17012)
- Mozilla developers reported memory safety bugs present in Firefox 70. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort some of these could have been exploited to run
arbitrary code. This vulnerability affects Firefox < 71. (CVE-2019-17013)
- If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and
dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox <
71. (CVE-2019-17014)
- When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly
rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in
data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17016)
- Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a
crash. We presume that with enough effort that it could be exploited to run arbitrary code. This
vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17017)
- When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not
escape < and > characters. Because the resulting string is pasted directly into the text node of the
element this does not result in a direct injection into the webpage; however, if a webpage subsequently
copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability.
Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox
ESR < 68.4 and Firefox < 72. (CVE-2019-17022)
- Mozilla developers reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
(CVE-2019-17024)
- Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type
confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects
Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. (CVE-2019-17026)
- Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain
potentially sensitive information from process memory via a crafted HTML page. (CVE-2019-5849)
- As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious
language pack and then opening a browser feature that used the compromised translation. This vulnerability
affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-9811)
- Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape
that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox
Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and
the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability
affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. (CVE-2019-9812)
- A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This
resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76,
and Thunderbird < 68.8.0. (CVE-2020-12387)
- The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox
escape. *Note: this issue only affects Firefox on Windows operating systems.* This vulnerability affects
Firefox ESR < 68.8 and Firefox < 76. (CVE-2020-12388)
- Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This
vulnerability affects Firefox < 76. (CVE-2020-12390)
- Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context.
This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.
This vulnerability affects Firefox < 76. (CVE-2020-12391)
- The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a
request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the
command into a terminal, it could have resulted in the disclosure of local files. This vulnerability
affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12392)
- The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request,
which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command
into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this
issue only affects Firefox on Windows operating systems.* This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12393)
- A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current
location by selecting a different origin and removing focus from the input element. This vulnerability
affects Firefox < 76. (CVE-2020-12394)
- Mozilla developers and community members reported memory safety bugs present in Firefox 75. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 76. (CVE-2020-12396)
- By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender
email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. (CVE-2020-12397)
- If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response,
then Thunderbird will continue with an unencrypted connection, causing email data to be sent without
protection. This vulnerability affects Thunderbird < 68.9.0. (CVE-2020-12398)
- When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a
potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox
ESR < 68.9. (CVE-2020-12405)
- Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting
in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This
vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12406)
- Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and
Firefox ESR < 68.9. (CVE-2020-12410)
- Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process
memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and
Thunderbird < 68.10.0. (CVE-2020-12418)
- When processing callbacks that occurred during window flushing in the parent process, the associated
window may die; causing a use-after-free condition. This could have led to memory corruption and a
potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and
Thunderbird < 68.10.0. (CVE-2020-12419)
- When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer,
leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR <
68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12420)
- When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even
if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date
silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78,
and Thunderbird < 68.10.0. (CVE-2020-12421)
- In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable
to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
This vulnerability affects Firefox < 78. (CVE-2020-12422)
- When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI
was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing
the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)
- Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have
occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
(CVE-2020-12425)
- If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the
Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird
sends username and password over https to a server controlled by the attacker. This vulnerability affects
Thunderbird < 68.10.0. (CVE-2020-15646)
- Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using
the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
(CVE-2020-15648)
- By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a
cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability
affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird <
78.1. (CVE-2020-15652)
- An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This
could have led to security issues for websites relying on sandbox configurations that allowed popups and
hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird <
78.1. (CVE-2020-15653)
- When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user
is interacting with the user interface, when they are not. This could lead to a perceived broken state,
especially when interactions with existing browser dialogs and warnings do not work. This vulnerability
affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15654)
- JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk
was already mitigated by various precautions in the code, resulting in this bug rated at only moderate
severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
(CVE-2020-15656)
- Firefox could be made to load attacker-supplied DLL files from the installation directory. This required
an attacker that is already capable of placing files in the installation directory. *Note: This issue only
affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects
Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15657)
- The code for downloading files did not properly take care of special characters, which led to an attacker
being able to cut off the file ending at an earlier position, leading to a different file type being
downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and
Thunderbird < 78.1. (CVE-2020-15658)
- Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR
78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox
ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. (CVE-2020-15659)
- By holding a reference to the eval() function from an about:blank window, a malicious webpage could have
gained access to the InstallTrigger object which would allow them to prompt the user to install an
extension. Combined with user confusion, this could result in an unintended or malicious extension being
installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR <
68.12, Firefox ESR < 78.2, and Firefox for Android < 80. (CVE-2020-15664)
- When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to
be notified. This results in a use-after-free and we presume that with enough effort it could have been
exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.12 and Thunderbird < 68.12.
(CVE-2020-15669)
- Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and
Firefox ESR < 78.3. (CVE-2020-15673)
- Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove,
resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable
element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
(CVE-2020-15676)
- By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site
displayed in the download file dialog to show the original site (the one suffering from the open redirect)
rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81,
Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15677)
- When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in
a potential use-after-free. This occurs because the function
APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This
vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15678)
- Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR
78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4,
Firefox < 82, and Thunderbird < 78.4. (CVE-2020-15683)
- Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote
attacker to leak cross-origin data via a crafted HTML page. (CVE-2020-16012)
- In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in
an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR <
78.4.1, and Thunderbird < 78.4.2. (CVE-2020-26950)
- A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even
after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal
pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox <
83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26951)
- It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus
making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects
Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26953)
- In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and
therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird <
78.5. (CVE-2020-26956)
- Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and
cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a
Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and
Thunderbird < 78.5. (CVE-2020-26958)
- During browser shutdown, reference decrementing could have occurred on a previously freed object, resulting
in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects
Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26959)
- If the Compact() method was called on an nsTArray, the array could have been reallocated without updating
other pointers, leading to a potential use-after-free and exploitable crash. This vulnerability affects
Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26960)
- When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses
as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through
IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This
vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26961)
- Some websites have a feature Show Password where clicking a button will change a password field into a
text field, revealing the typed password. If, when using a software keyboard that remembers user
input, a user typed their password and used that feature, the type of the password field was changed,
resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed
password. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
(CVE-2020-26965)
- Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and
Thunderbird < 78.5. (CVE-2020-26968)
- When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that
is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to
stack corruption that may be exploitable. This vulnerability affects Thunderbird < 78.5.1.
(CVE-2020-26970)
- Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow
on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR <
78.6. (CVE-2020-26971)
- Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This
could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6,
and Firefox ESR < 78.6. (CVE-2020-26973)
- When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly
cast to the wrong type. This resulted in a heap use-after-free, memory corruption, and a potentially
exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.
(CVE-2020-26974)
- Using techniques that built on the slipstream research, a malicious webpage could have exposed both an
internal network's hosts as well as services running on the user's local machine. This vulnerability
affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26978)
- When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback
was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening
View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84,
Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35111)
- Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and
Firefox ESR < 78.6. (CVE-2020-35113)
- When deriving an identifier for an email message, uninitialized memory was used in addition to the message
contents. This vulnerability affects Thunderbird < 68.5. (CVE-2020-6792)
- When processing an email message with an ill-formed envelope, Thunderbird could read data from a random
memory location. This vulnerability affects Thunderbird < 68.5. (CVE-2020-6793)
- If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy
of these passwords is still accessible. This is because the older stored password file was not deleted
when the data was copied to a new format starting in Thunderbird 60. The new master password is added only
on the new file. This could allow the exposure of stored password data outside of user expectations. This
vulnerability affects Thunderbird < 68.5. (CVE-2020-6794)
- When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code
caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects
Thunderbird < 68.5. (CVE-2020-6795)
- A content process could have modified shared memory relating to crash reporting information, crash itself,
and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable
crash. This vulnerability affects Firefox < 73 and Firefox < ESR68.5. (CVE-2020-6796)
- If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and
execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer
a cross-site scripting vulnerability as a result. In general, this flaw cannot be exploited through email
in the Thunderbird product because scripting is disabled when reading mail, but is potentially a risk in
browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox
< ESR68.5. (CVE-2020-6798)
- Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR
68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. In general, these flaws cannot be exploited
through email in the Thunderbird product because scripting is disabled when reading mail, but are
potentially risks in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5,
Firefox < 73, and Firefox < ESR68.5. (CVE-2020-6800)
- Mozilla developers reported memory safety bugs present in Firefox 72. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort some of these could have been exploited to run
arbitrary code. This vulnerability affects Firefox < 73. (CVE-2020-6801)
- When removing data about an origin whose tab was recently closed, a use-after-free could occur in the
Quota manager, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird <
68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. (CVE-2020-6805)
- By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of
an array resized during script execution. This could have led to memory corruption and a potentially
exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and
Firefox ESR < 68.6. (CVE-2020-6806)
- When a device was changed while a stream was about to be destroyed, the <code>stream-reinit</code> task
may have been executed after the stream was destroyed, causing a use-after-free and a potentially
exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and
Firefox ESR < 68.6. (CVE-2020-6807)
- When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to
create an HTML document, which is then presented. Previously, this document's URL (as reported by the
document.location property, for example) was the originating javascript: URL which could lead to spoofing
attacks; it is now correctly the URL of the originating document. This vulnerability affects Firefox < 74.
(CVE-2020-6808)
- When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-
origin', it was possible for the Web Extension to read local files. This vulnerability affects Firefox <
74. (CVE-2020-6809)
- After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the
notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome,
this could have led to confusing the user about the current origin of the page and credential theft or
other attacks. This vulnerability affects Firefox < 74. (CVE-2020-6810)
- The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request,
which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command
into a terminal, it could have resulted in command injection and arbitrary command execution. This
vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.
(CVE-2020-6811)
- The first time AirPods are connected to an iPhone, they become named after the user's name by default
(e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device
names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames
devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird <
68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. (CVE-2020-6812)
- When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the
CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security
Policy. This vulnerability affects Firefox < 74. (CVE-2020-6813)
- Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox <
ESR68.6, and Firefox ESR < 68.6. (CVE-2020-6814)
- Mozilla developers reported memory safety and script safety bugs present in Firefox 73. Some of these bugs
showed evidence of memory corruption or escalation of privilege and we presume that with enough effort
some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 74.
(CVE-2020-6815)
- Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-
free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects
Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6819)
- Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We
are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird <
68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6820)
- When reading from areas partially or fully outside the source resource with WebGL's
<code>copyTexSubImage</code> method, the specification requires the returned values be zero. Previously,
this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability
affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6821)
- On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in
<code>GMPDecodeData</code>. It is possible that with enough effort this could have been exploited to run
arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
(CVE-2020-6822)
- A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the
redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account
at the service provider. This vulnerability affects Firefox < 75. (CVE-2020-6823)
- Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the
Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private
Browsing Window, revisited the same site, and generated a new password - the generated passwords would
have been identical, rather than independent. This vulnerability affects Firefox < 75. (CVE-2020-6824)
- Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs
present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run arbitrary code. This
vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6825)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12395");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-12389");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Firefox MCallGetProperty Write Side Effects Use After Free Exploit');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvorbis");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss-softokn");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:thunderbird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xulrunner");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'firefox', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'firefox', 'cves':['CVE-2017-5429', 'CVE-2017-5430', 'CVE-2017-5432', 'CVE-2017-5433', 'CVE-2017-5434', 'CVE-2017-5435', 'CVE-2017-5436', 'CVE-2017-5438', 'CVE-2017-5439', 'CVE-2017-5440', 'CVE-2017-5441', 'CVE-2017-5442', 'CVE-2017-5443', 'CVE-2017-5444', 'CVE-2017-5445', 'CVE-2017-5446', 'CVE-2017-5447', 'CVE-2017-5448', 'CVE-2017-5449', 'CVE-2017-5451', 'CVE-2017-5454', 'CVE-2017-5455', 'CVE-2017-5456', 'CVE-2017-5459', 'CVE-2017-5460', 'CVE-2017-5464', 'CVE-2017-5465', 'CVE-2017-5466', 'CVE-2017-5467', 'CVE-2017-5469', 'CVE-2018-18499', 'CVE-2019-5849', 'CVE-2019-9811', 'CVE-2019-9812', 'CVE-2019-11709', 'CVE-2019-11710', 'CVE-2019-11711', 'CVE-2019-11712', 'CVE-2019-11713', 'CVE-2019-11714', 'CVE-2019-11715', 'CVE-2019-11716', 'CVE-2019-11717', 'CVE-2019-11718', 'CVE-2019-11720', 'CVE-2019-11721', 'CVE-2019-11723', 'CVE-2019-11724', 'CVE-2019-11725', 'CVE-2019-11728', 'CVE-2019-11730', 'CVE-2019-11734', 'CVE-2019-11735', 'CVE-2019-11736', 'CVE-2019-11737', 'CVE-2019-11738', 'CVE-2019-11740', 'CVE-2019-11741', 'CVE-2019-11742', 'CVE-2019-11743', 'CVE-2019-11744', 'CVE-2019-11746', 'CVE-2019-11747', 'CVE-2019-11748', 'CVE-2019-11749', 'CVE-2019-11750', 'CVE-2019-11751', 'CVE-2019-11752', 'CVE-2019-11753', 'CVE-2019-11754', 'CVE-2019-11757', 'CVE-2019-11758', 'CVE-2019-11759', 'CVE-2019-11760', 'CVE-2019-11761', 'CVE-2019-11762', 'CVE-2019-11763', 'CVE-2019-11764', 'CVE-2019-17005', 'CVE-2019-17008', 'CVE-2019-17009', 'CVE-2019-17010', 'CVE-2019-17011', 'CVE-2019-17012', 'CVE-2019-17013', 'CVE-2019-17014', 'CVE-2019-17016', 'CVE-2019-17017', 'CVE-2019-17022', 'CVE-2019-17024', 'CVE-2019-17026', 'CVE-2020-6796', 'CVE-2020-6798', 'CVE-2020-6800', 'CVE-2020-6801', 'CVE-2020-6805', 'CVE-2020-6806', 'CVE-2020-6807', 'CVE-2020-6808', 'CVE-2020-6809', 'CVE-2020-6810', 'CVE-2020-6811', 'CVE-2020-6812', 'CVE-2020-6813', 'CVE-2020-6814', 'CVE-2020-6815', 'CVE-2020-6819', 
'CVE-2020-6820', 'CVE-2020-6821', 'CVE-2020-6822', 'CVE-2020-6823', 'CVE-2020-6824', 'CVE-2020-6825', 'CVE-2020-12387', 'CVE-2020-12388', 'CVE-2020-12389', 'CVE-2020-12390', 'CVE-2020-12391', 'CVE-2020-12392', 'CVE-2020-12393', 'CVE-2020-12394', 'CVE-2020-12395', 'CVE-2020-12396', 'CVE-2020-12405', 'CVE-2020-12406', 'CVE-2020-12410', 'CVE-2020-12418', 'CVE-2020-12419', 'CVE-2020-12420', 'CVE-2020-12421', 'CVE-2020-12422', 'CVE-2020-12424', 'CVE-2020-12425', 'CVE-2020-15648', 'CVE-2020-15652', 'CVE-2020-15659', 'CVE-2020-15664', 'CVE-2020-15669', 'CVE-2020-15673', 'CVE-2020-15676', 'CVE-2020-15677', 'CVE-2020-15678', 'CVE-2020-15683', 'CVE-2020-16012', 'CVE-2020-26950', 'CVE-2020-26951', 'CVE-2020-26953', 'CVE-2020-26956', 'CVE-2020-26958', 'CVE-2020-26959', 'CVE-2020-26960', 'CVE-2020-26961', 'CVE-2020-26965', 'CVE-2020-26968']},
{'reference':'libvorbis', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libvorbis', 'cves':['CVE-2018-5146']},
{'reference':'nss', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'nss', 'cves':['CVE-2017-7781']},
{'reference':'thunderbird', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'thunderbird', 'cves':['CVE-2017-5429', 'CVE-2017-5430', 'CVE-2017-5432', 'CVE-2017-5433', 'CVE-2017-5434', 'CVE-2017-5435', 'CVE-2017-5436', 'CVE-2017-5438', 'CVE-2017-5439', 'CVE-2017-5440', 'CVE-2017-5441', 'CVE-2017-5442', 'CVE-2017-5443', 'CVE-2017-5444', 'CVE-2017-5445', 'CVE-2017-5446', 'CVE-2017-5447', 'CVE-2017-5449', 'CVE-2017-5451', 'CVE-2017-5454', 'CVE-2017-5455', 'CVE-2017-5459', 'CVE-2017-5460', 'CVE-2017-5464', 'CVE-2017-5465', 'CVE-2017-5466', 'CVE-2017-5467', 'CVE-2017-5469', 'CVE-2018-18499', 'CVE-2019-11739', 'CVE-2019-11740', 'CVE-2019-11742', 'CVE-2019-11743', 'CVE-2019-11744', 'CVE-2019-11746', 'CVE-2019-11752', 'CVE-2019-11757', 'CVE-2019-11758', 'CVE-2019-11759', 'CVE-2019-11760', 'CVE-2019-11761', 'CVE-2019-11762', 'CVE-2019-11763', 'CVE-2019-11764', 'CVE-2019-13722', 'CVE-2019-17005', 'CVE-2019-17008', 'CVE-2019-17009', 'CVE-2019-17010', 'CVE-2019-17011', 'CVE-2019-17012', 'CVE-2019-17016', 'CVE-2019-17017', 'CVE-2019-17022', 'CVE-2019-17024', 'CVE-2019-17026', 'CVE-2020-6792', 'CVE-2020-6793', 'CVE-2020-6794', 'CVE-2020-6795', 'CVE-2020-6798', 'CVE-2020-6800', 'CVE-2020-6805', 'CVE-2020-6806', 'CVE-2020-6807', 'CVE-2020-6811', 'CVE-2020-6812', 'CVE-2020-6814', 'CVE-2020-6819', 'CVE-2020-6820', 'CVE-2020-6821', 'CVE-2020-6822', 'CVE-2020-6825', 'CVE-2020-12387', 'CVE-2020-12392', 'CVE-2020-12393', 'CVE-2020-12395', 'CVE-2020-12397', 'CVE-2020-12398', 'CVE-2020-12405', 'CVE-2020-12406', 'CVE-2020-12410', 'CVE-2020-12418', 'CVE-2020-12419', 'CVE-2020-12420', 'CVE-2020-12421', 'CVE-2020-15646', 'CVE-2020-15652', 'CVE-2020-15653', 'CVE-2020-15654', 'CVE-2020-15656', 'CVE-2020-15657', 'CVE-2020-15658', 'CVE-2020-15659', 'CVE-2020-15664', 'CVE-2020-15669', 'CVE-2020-15673', 'CVE-2020-15676', 'CVE-2020-15677', 'CVE-2020-15678', 'CVE-2020-15683', 'CVE-2020-26950', 'CVE-2020-26970', 'CVE-2020-26971', 'CVE-2020-26973', 'CVE-2020-26974', 
'CVE-2020-26978', 'CVE-2020-35111', 'CVE-2020-35113']},
{'reference':'xulrunner', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'xulrunner', 'cves':['CVE-2018-5146']}
]
}
];
var flag = 0;
# Walk each constraint set and count installed packages that match an
# unpatched (vendor will-not-fix) entry for this release.
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    # Flag the host only when the package is installed on the expected release
    # and, if an exists_check RPM is named, that RPM is present as well.
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}
if (flag)
{
  # At least one unpatched package was found: report it with the package list.
  var extra = NULL;
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : unpatched_packages_report()
  );
  exit(0);
}
else
{
  # Nothing matched: distinguish "tested and not affected" from "not installed".
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firefox / libvorbis / nss / thunderbird / xulrunner');
}
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
redhat | enterprise_linux | firefox | p-cpe:/a:redhat:enterprise_linux:firefox |
redhat | enterprise_linux | libvorbis | p-cpe:/a:redhat:enterprise_linux:libvorbis |
redhat | enterprise_linux | nss | p-cpe:/a:redhat:enterprise_linux:nss |
redhat | enterprise_linux | nss-softokn | p-cpe:/a:redhat:enterprise_linux:nss-softokn |
redhat | enterprise_linux | thunderbird | p-cpe:/a:redhat:enterprise_linux:thunderbird |
redhat | enterprise_linux | xulrunner | p-cpe:/a:redhat:enterprise_linux:xulrunner |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5429
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5430
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5432
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5433
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5434
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5435
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5438
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5439
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5440
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5441
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5442
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5443
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5444
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5445
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5446
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5447
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5448
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5449
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5451
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5454
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5455
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5456
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5460
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5464
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5465
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5466
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5467
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5469
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7781
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18499
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11709
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11710
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11711
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11712
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11713
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11714
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11715
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11716
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11717
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11718
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11720
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11721
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11723
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11724
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11725
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11728
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11730
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11734
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11735
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11736
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11737
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11738
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11739
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11741
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11747
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11748
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11749
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11750
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11751
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11753
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11754
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11757
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11758
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11759
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11760
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11761
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11763
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13722
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17005
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17008
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17009
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17010
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17011
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17012
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17013
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17014
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17016
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17017
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17022
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17024
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5849
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9811
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9812
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12387
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12388
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12389
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12391
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12392
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12393
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12394
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12395
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12396
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12397
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12398
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12422
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12424
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12425
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15646
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15652
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15653
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15654
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15657
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15658
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15659
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15664
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15669
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15673
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15676
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15677
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15678
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15683
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16012
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26950
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26951
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26953
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26956
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26958
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26959
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26960
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26961
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26965
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26968
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26970
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26971
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26973
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26974
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26978
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35111
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35113
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6792
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6793
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6794
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6795
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6796
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6800
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6801
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6805
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6806
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6808
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6809
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6810
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6811
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6812
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6813
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6814
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6815
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6821
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6822
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6823
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6825