TencentOS Server 3: firefox (TSSA-2025:0695)

🗓️ 21 Aug 2025 00:00:00Reported by TenableType

TencentOS Server 3 Firefox and Thunderbird TSSA-2025:0695 fixes CVEs 2025-8027 to 8031 below 141.

Reporter	Title	Published	Views	Family All 776
FreeBSD	Mozilla -- IonMonkey-JIT bad stack write	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- Incorrect computation of branch address	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- 'javascript:' URLs execution	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- Insufficient input escaping	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- HTTP Basic Authentication credentials leak	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- XSLT document CSP bypass	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- nullptr dereference	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- Memory safety bugs	22 Jul 202500:00	–	freebsd
FreeBSD	Mozilla -- Memory safety bugs	22 Jul 202500:00	–	freebsd
ATTACKERKB	CVE-2025-8030	22 Jul 202520:49	–	attackerkb

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20250695.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0695.
##

include('compat.inc');

if (description)
{
  script_id(253463);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/04");

  script_cve_id(
    "CVE-2025-8027",
    "CVE-2025-8028",
    "CVE-2025-8029",
    "CVE-2025-8030",
    "CVE-2025-8031",
    "CVE-2025-8032",
    "CVE-2025-8033",
    "CVE-2025-8034",
    "CVE-2025-8035"
  );

  script_name(english:"TencentOS Server 3: firefox (TSSA-2025:0695)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0695 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2025-8027:
    On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack.
    Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR <
    115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and
    Thunderbird < 140.1.

    CVE-2025-8028:
    On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the
    instruction causing truncation and incorrect computation of the branch address. This vulnerability affects
    Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141,
    Thunderbird < 128.13, and Thunderbird < 140.1.

    CVE-2025-8029:
    Firefox executed javascript: URLs when used in object and embed tags. This vulnerability affects Firefox <
    141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird <
    140.1.

    CVE-2025-8030:
    Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into
    executing unexpected code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR <
    140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

    CVE-2025-8031:
    The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP
    Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox
    ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

    CVE-2025-8032:
    XSLT document loading did not correctly propagate the source document which bypassed its CSP. This
    vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141,
    Thunderbird < 128.13, and Thunderbird < 140.1.

    CVE-2025-8033:
    The JavaScript engine did not handle closed generators correctly and it was possible to resume them
    leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR <
    128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

    CVE-2025-8034:
    Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR
    140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13,
    Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

    CVE-2025-8035:
    Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird
    ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we
    presume that with enough effort some of these could have been exploited to run arbitrary code. This
    vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141,
    Thunderbird < 128.13, and Thunderbird < 140.1.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250695.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-8035");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-8031");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/07/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:firefox");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'firefox-128.13.0-1.tl3.ap.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
      {'reference':'firefox-128.13.0-1.tl3.ap.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
      {'reference':'firefox-debuginfo-128.13.0-1.tl3.ap.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
      {'reference':'firefox-debuginfo-128.13.0-1.tl3.ap.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
      {'reference':'firefox-debugsource-128.13.0-1.tl3.ap.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
      {'reference':'firefox-debugsource-128.13.0-1.tl3.ap.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firefox / firefox-debuginfo / firefox-debugsource');
}

04 Dec 2025 00:00Current

8.4High risk

Vulners AI Score8.4

CVSS 3.19.8

EPSS0.00781

SSVC