9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.2 High
AI Score
Confidence
Low
10 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.956 High
EPSS
Percentile
99.4%
The remote host is missing an update for the
# Copyright (C) 2015 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.850803");
script_version("2021-10-15T12:51:02+0000");
script_tag(name:"last_modification", value:"2021-10-15 12:51:02 +0000 (Fri, 15 Oct 2021)");
script_tag(name:"creation_date", value:"2015-10-13 18:35:01 +0530 (Tue, 13 Oct 2015)");
script_cve_id("CVE-2014-1493", "CVE-2014-1494", "CVE-2014-1496", "CVE-2014-1497",
"CVE-2014-1498", "CVE-2014-1499", "CVE-2014-1500", "CVE-2014-1501",
"CVE-2014-1502", "CVE-2014-1504", "CVE-2014-1508", "CVE-2014-1509",
"CVE-2014-1505", "CVE-2014-1510", "CVE-2014-1511", "CVE-2014-1512",
"CVE-2014-1513", "CVE-2014-1514");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2020-08-11 13:48:00 +0000 (Tue, 11 Aug 2020)");
script_tag(name:"qod_type", value:"package");
script_name("SUSE: Security Advisory for MozillaFirefox (SUSE-SU-2014:0418-1)");
script_tag(name:"summary", value:"The remote host is missing an update for the 'MozillaFirefox'
package(s) announced via the referenced advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"Mozilla Firefox was updated to 24.4.0ESR release, fixing
various security issues and bugs:
*
MFSA 2014-15: Mozilla developers and community
identified identified and fixed several memory safety bugs
in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence
of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these
could be exploited to run arbitrary code.
*
Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij,
Jesse Ruderman, Dan Gohman, and Christoph Diehl reported
memory safety problems and crashes that affect Firefox ESR
24.3 and Firefox 27. (CVE-2014-1493)
*
Gregor Wagner, Olli Pettay, Gary Kwong, Jesse
Ruderman, Luke Wagner, Rob Fletcher, and Makoto Kato
reported memory safety problems and crashes that affect
Firefox 27. (CVE-2014-1494)
*
MFSA 2014-16 / CVE-2014-1496: Security researcher Ash
reported an issue where the extracted files for updates to
existing files are not read only during the update process.
This allows for the potential replacement or modification
of these files during the update process if a malicious
application is present on the local system.
*
MFSA 2014-17 / CVE-2014-1497: Security researcher
Atte Kettunen from OUSPG reported an out of bounds read
during the decoding of WAV format audio files for playback.
This could allow web content access to heap data as well as
causing a crash.
*
MFSA 2014-18 / CVE-2014-1498: Mozilla developer David
Keeler reported that the crypto.generateCRFMRequest method
did not correctly validate the key type of the KeyParams
argument when generating ec-dual-use requests. This could
lead to a crash and a denial of service (DOS) attack.
*
MFSA 2014-19 / CVE-2014-1499: Mozilla developer Ehsan
Akhgari reported a spoofing attack where the permission
prompt for a WebRTC session can appear to be from a
different site than its actual originating site if a timed
navigation occurs during the prompt generation. This allows
an attacker to potentially gain access to the webcam or
microphone by masquerading as another site and gaining user
permission through spoofing.
*
MFSA 2014-20 / CVE-2014-1500: Security researchers
Tim Philipp Schaefers and Sebastian Neef, the team of
Internetwache.org, reported a mechanism using JavaScript
onbeforeunload events with page navigation to prevent users
from closing a malicious page's tab and causing the browser
to become unresponsive. This allows for a denial of service ...
Description truncated, please see the referenced URL(s) for more information.");
script_tag(name:"affected", value:"MozillaFirefox on SUSE Linux Enterprise Server 11 SP3");
script_tag(name:"solution", value:"Please install the updated package(s).");
script_xref(name:"SUSE-SU", value:"2014:0418-1");
script_tag(name:"solution_type", value:"VendorFix");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
script_family("SuSE Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/suse", "ssh/login/rpms", re:"ssh/login/release=SLES11\.0SP3");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = rpm_get_ssh_release();
if(!release)
exit(0);
res = "";
report = "";
if(release == "SLES11.0SP3") {
if(!isnull(res = isrpmvuln(pkg:"MozillaFirefox", rpm:"MozillaFirefox~24.4.0esr~0.8.1", rls:"SLES11.0SP3"))) {
report += res;
}
if(!isnull(res = isrpmvuln(pkg:"MozillaFirefox-branding-SLED", rpm:"MozillaFirefox-branding-SLED~24~0.7.23", rls:"SLES11.0SP3"))) {
report += res;
}
if(!isnull(res = isrpmvuln(pkg:"MozillaFirefox-translations", rpm:"MozillaFirefox-translations~24.4.0esr~0.8.1", rls:"SLES11.0SP3"))) {
report += res;
}
if(!isnull(res = isrpmvuln(pkg:"mozilla-nspr", rpm:"mozilla-nspr~4.10.4~0.3.1", rls:"SLES11.0SP3"))) {
report += res;
}
if(!isnull(res = isrpmvuln(pkg:"mozilla-nspr-32bit", rpm:"mozilla-nspr-32bit~4.10.4~0.3.1", rls:"SLES11.0SP3"))) {
report += res;
}
if(!isnull(res = isrpmvuln(pkg:"mozilla-nspr-x86", rpm:"mozilla-nspr-x86~4.10.4~0.3.1", rls:"SLES11.0SP3"))) {
report += res;
}
if(report != "") {
security_message(data:report);
} else if(__pkg_match) {
exit(99);
}
exit(0);
}
exit(0);
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.2 High
AI Score
Confidence
Low
10 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.956 High
EPSS
Percentile
99.4%