CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64
2012-07-30T00:00:00
ID OPENVAS:881378 Type openvas Reporter Copyright (c) 2012 Greenbone Networks GmbH Modified 2018-01-01T00:00:00
Description
Check for the Version of thunderbird
###############################################################################
# OpenVAS Vulnerability Test
#
# CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");
tag_insight = "Mozilla Thunderbird is a standalone mail and newsgroup client.
A cross-site scripting (XSS) flaw was found in the way Thunderbird handled
certain multibyte character sets. Malicious, remote content could cause
Thunderbird to run JavaScript code with the permissions of different remote
content. (CVE-2011-3648)
Note: This issue cannot be exploited by a specially-crafted HTML mail
message as JavaScript is disabled by default for mail messages. It could be
exploited another way in Thunderbird, for example, when viewing the full
remote content of an RSS feed.
All Thunderbird users should upgrade to this updated package, which
resolves this issue. All running instances of Thunderbird must be restarted
for the update to take effect.";
tag_affected = "thunderbird on CentOS 5";
tag_solution = "Please Install the Updated Packages.";
if(description)
{
script_xref(name : "URL" , value : "http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html");
script_id(881378);
script_version("$Revision: 8265 $");
script_tag(name:"last_modification", value:"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $");
script_tag(name:"creation_date", value:"2012-07-30 17:37:41 +0530 (Mon, 30 Jul 2012)");
script_cve_id("CVE-2011-3648");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_xref(name: "CESA", value: "2011:1438");
script_name("CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64");
script_tag(name: "summary" , value: "Check for the Version of thunderbird");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
script_family("CentOS Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/centos", "ssh/login/rpms");
script_tag(name : "affected" , value : tag_affected);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "insight" , value : tag_insight);
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("pkg-lib-rpm.inc");
release = get_kb_item("ssh/login/release");
res = "";
if(release == NULL){
exit(0);
}
if(release == "CentOS5")
{
if ((res = isrpmvuln(pkg:"thunderbird", rpm:"thunderbird~2.0.0.24~27.el5.centos", rls:"CentOS5")) != NULL)
{
security_message(data:res);
exit(0);
}
if (__pkg_match) exit(99); # Not vulnerable.
exit(0);
}
{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "CentOS Local Security Checks", "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "references": ["http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html", "2011:1438"], "description": "Check for the Version of thunderbird", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "2890e79b4a0af941367a38fd8bbad348"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "a84f074c0278ce5cd1dcc6ef560341e6"}, {"key": "href", "hash": "c2a90d0974b9b7660ee26fff679feb0b"}, {"key": "modified", "hash": "c674c9e37d1c5d89439ad8b31faf82b3"}, {"key": "naslFamily", "hash": "8f8213e8b86855939d5beea715ce3045"}, {"key": "pluginID", "hash": "18a07e38f44019042304edc4ba19a109"}, {"key": "published", "hash": "6ea70a7d389257fd5f5b73e33ed85e78"}, {"key": "references", "hash": "77918e6f481f9364676c05185db999c2"}, {"key": "reporter", "hash": "a282f166ddc6c378940071a6b738e1a3"}, {"key": "sourceData", "hash": "0f3ae558750d0ad4cdcb3871844b5f6e"}, {"key": "title", "hash": "50a6d889bacaa211d2d2ebf623d0a296"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=881378", "modified": "2018-01-01T00:00:00", "objectVersion": "1.3", "enchantments": {"vulnersScore": 4.3}, "id": "OPENVAS:881378", "title": "CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64", "hash": "af1e1278ceb3b99e7dd0d0b588e42edbb9222c868fadb95ae3d9b1cc8bd9a8d3", "edition": 3, "published": "2012-07-30T00:00:00", "type": "openvas", "history": [{"lastseen": "2017-07-25T10:51:20", "bulletin": {"hash": "349e426b91c9e0763d269846577b763cb2356a4642db8c56981768b78249af9f", "viewCount": 0, "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "references": ["http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html", "2011:1438"], "description": "Check for the Version of thunderbird", "hashmap": [{"key": "title", "hash": "50a6d889bacaa211d2d2ebf623d0a296"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "sourceData", "hash": "9c93af07f60f07c402ce714a049dc22d"}, {"key": "description", "hash": "a84f074c0278ce5cd1dcc6ef560341e6"}, {"key": "naslFamily", "hash": "8f8213e8b86855939d5beea715ce3045"}, {"key": "cvelist", "hash": "2890e79b4a0af941367a38fd8bbad348"}, {"key": "references", "hash": "77918e6f481f9364676c05185db999c2"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "href", "hash": "c2a90d0974b9b7660ee26fff679feb0b"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "reporter", "hash": "a282f166ddc6c378940071a6b738e1a3"}, {"key": "pluginID", "hash": "18a07e38f44019042304edc4ba19a109"}, {"key": "published", "hash": "6ea70a7d389257fd5f5b73e33ed85e78"}, {"key": "modified", "hash": "0d134bf170d66438eb1e01173ee0187f"}], "naslFamily": "CentOS Local Security Checks", "modified": "2017-07-10T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=881378", "published": "2012-07-30T00:00:00", "enchantments": {"score": {"value": 4.3, "modified": "2017-07-25T10:51:20"}}, "id": "OPENVAS:881378", "title": "CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64", "bulletinFamily": "scanner", "edition": 2, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n A cross-site scripting (XSS) flaw was found in the way Thunderbird handled\n certain multibyte character sets. Malicious, remote content could cause\n Thunderbird to run JavaScript code with the permissions of different remote\n content. (CVE-2011-3648)\n \n Note: This issue cannot be exploited by a specially-crafted HTML mail\n message as JavaScript is disabled by default for mail messages. It could be\n exploited another way in Thunderbird, for example, when viewing the full\n remote content of an RSS feed.\n \n All Thunderbird users should upgrade to this updated package, which\n resolves this issue. All running instances of Thunderbird must be restarted\n for the update to take effect.\";\n\ntag_affected = \"thunderbird on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html\");\n script_id(881378);\n script_version(\"$Revision: 6654 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:48:17 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:37:41 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-3648\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2011:1438\");\n script_name(\"CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64\");\n\n script_summary(\"Check for the Version of thunderbird\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~2.0.0.24~27.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "type": "openvas", "history": [], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2011-3648"], "lastseen": "2017-07-25T10:51:20", "pluginID": "881378"}, "differentElements": ["modified", "sourceData"], "edition": 2}, {"lastseen": "2017-07-02T21:10:55", "bulletin": {"hash": "c0012cbc1c464da97972e3fe4129f4b127720699bdd421387852556acc249d04", "viewCount": 0, "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "references": ["http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html", "2011:1438"], "description": "Check for the Version of thunderbird", "hashmap": [{"key": "title", "hash": "50a6d889bacaa211d2d2ebf623d0a296"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "a84f074c0278ce5cd1dcc6ef560341e6"}, {"key": "naslFamily", "hash": "8f8213e8b86855939d5beea715ce3045"}, {"key": "cvelist", "hash": "2890e79b4a0af941367a38fd8bbad348"}, {"key": "references", "hash": "77918e6f481f9364676c05185db999c2"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "sourceData", "hash": "792b6e3888c536df0876268583c55124"}, {"key": "href", "hash": "c2a90d0974b9b7660ee26fff679feb0b"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "reporter", "hash": "a282f166ddc6c378940071a6b738e1a3"}, {"key": "pluginID", "hash": "18a07e38f44019042304edc4ba19a109"}, {"key": "published", "hash": "6ea70a7d389257fd5f5b73e33ed85e78"}, {"key": "modified", "hash": "4b12e77cf198e92cf370a790f8532543"}], "naslFamily": "CentOS Local Security Checks", "modified": "2016-04-07T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=881378", "published": "2012-07-30T00:00:00", "enchantments": {}, "id": "OPENVAS:881378", "title": "CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64", "bulletinFamily": "scanner", "edition": 1, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n A cross-site scripting (XSS) flaw was found in the way Thunderbird handled\n certain multibyte character sets. Malicious, remote content could cause\n Thunderbird to run JavaScript code with the permissions of different remote\n content. (CVE-2011-3648)\n \n Note: This issue cannot be exploited by a specially-crafted HTML mail\n message as JavaScript is disabled by default for mail messages. It could be\n exploited another way in Thunderbird, for example, when viewing the full\n remote content of an RSS feed.\n \n All Thunderbird users should upgrade to this updated package, which\n resolves this issue. All running instances of Thunderbird must be restarted\n for the update to take effect.\";\n\ntag_affected = \"thunderbird on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html\");\n script_id(881378);\n script_version(\"$Revision: 3007 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-04-07 14:44:10 +0200 (Thu, 07 Apr 2016) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:37:41 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-3648\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2011:1438\");\n script_name(\"CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64\");\n\n script_summary(\"Check for the Version of thunderbird\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:centos:centos\", \"login/SSH/success\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~2.0.0.24~27.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "type": "openvas", "history": [], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2011-3648"], "lastseen": "2017-07-02T21:10:55", "pluginID": "881378"}, "differentElements": ["modified", "sourceData"], "edition": 1}], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2011-3648"], "lastseen": "2018-01-02T10:58:17", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n A cross-site scripting (XSS) flaw was found in the way Thunderbird handled\n certain multibyte character sets. Malicious, remote content could cause\n Thunderbird to run JavaScript code with the permissions of different remote\n content. (CVE-2011-3648)\n \n Note: This issue cannot be exploited by a specially-crafted HTML mail\n message as JavaScript is disabled by default for mail messages. It could be\n exploited another way in Thunderbird, for example, when viewing the full\n remote content of an RSS feed.\n \n All Thunderbird users should upgrade to this updated package, which\n resolves this issue. All running instances of Thunderbird must be restarted\n for the update to take effect.\";\n\ntag_affected = \"thunderbird on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-November/018190.html\");\n script_id(881378);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:37:41 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-3648\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2011:1438\");\n script_name(\"CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of thunderbird\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~2.0.0.24~27.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "pluginID": "881378"}
{"result": {"cve": [{"id": "CVE-2011-3648", "type": "cve", "title": "CVE-2011-3648", "description": "Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.", "published": "2011-11-09T06:55:03", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3648", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-09-19T13:37:55"}], "openvas": [{"id": "OPENVAS:881041", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2011:1438 centos4 i386", "description": "Check for the Version of thunderbird", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881041", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-07-25T10:55:27"}, {"id": "OPENVAS:1361412562310881041", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2011:1438 centos4 i386", "description": "Check for the Version of thunderbird", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881041", "cvelist": ["CVE-2011-3648"], "lastseen": "2018-04-09T11:35:55"}, {"id": "OPENVAS:881280", "type": "openvas", "title": "CentOS Update for seamonkey CESA-2011:1440 centos4 x86_64", "description": "Check for the Version of seamonkey", "published": "2012-07-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881280", "cvelist": ["CVE-2011-3648"], "lastseen": "2018-01-08T12:56:40"}, {"id": "OPENVAS:881262", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2011:1438 centos4 x86_64", "description": "Check for the Version of thunderbird", "published": "2012-07-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881262", "cvelist": ["CVE-2011-3648"], "lastseen": "2018-01-02T10:57:25"}, {"id": "OPENVAS:1361412562310881262", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2011:1438 centos4 x86_64", "description": "Check for the Version of thunderbird", "published": "2012-07-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881262", "cvelist": ["CVE-2011-3648"], "lastseen": "2018-04-06T11:18:34"}, {"id": "OPENVAS:1361412562310870514", "type": "openvas", "title": "RedHat Update for thunderbird RHSA-2011:1438-01", "description": "Check for the Version of thunderbird", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870514", "cvelist": ["CVE-2011-3648"], "lastseen": "2018-04-09T11:37:46"}, {"id": "OPENVAS:870514", "type": "openvas", "title": "RedHat Update for thunderbird RHSA-2011:1438-01", "description": "Check for the Version of thunderbird", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870514", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-07-27T10:55:28"}, {"id": "OPENVAS:1361412562310870512", "type": "openvas", "title": "RedHat Update for seamonkey RHSA-2011:1440-01", "description": "Check for the Version of seamonkey", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870512", "cvelist": ["CVE-2011-3648"], "lastseen": "2018-04-09T11:36:44"}, {"id": "OPENVAS:881034", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2011:1438 centos5 i386", "description": "Check for the Version of thunderbird", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881034", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-07-25T10:55:32"}, {"id": "OPENVAS:870512", "type": "openvas", "title": "RedHat Update for seamonkey RHSA-2011:1440-01", "description": "Check for the Version of seamonkey", "published": "2011-11-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870512", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-07-27T10:55:16"}], "centos": [{"id": "CESA-2011:1438", "type": "centos", "title": "thunderbird security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:1438\n\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled\ncertain multibyte character sets. Malicious, remote content could cause\nThunderbird to run JavaScript code with the permissions of different remote\ncontent. (CVE-2011-3648)\n\nNote: This issue cannot be exploited by a specially-crafted HTML mail\nmessage as JavaScript is disabled by default for mail messages. It could be\nexploited another way in Thunderbird, for example, when viewing the full\nremote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which\nresolves this issue. All running instances of Thunderbird must be restarted\nfor the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018183.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018184.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018189.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018190.html\n\n**Affected packages:**\nthunderbird\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-1438.html", "published": "2011-11-09T15:49:13", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-November/018183.html", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-03T18:25:07"}, {"id": "CESA-2011:1440", "type": "centos", "title": "seamonkey security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:1440\n\n\nSeaMonkey is an open source web browser, email and newsgroup client, IRC\nchat client, and HTML editor.\n\nA cross-site scripting (XSS) flaw was found in the way SeaMonkey handled\ncertain multibyte character sets. A web page containing malicious content\ncould cause SeaMonkey to run JavaScript code with the permissions of a\ndifferent website. (CVE-2011-3648)\n \nAll SeaMonkey users should upgrade to these updated packages, which correct\nthis issue. After installing the update, SeaMonkey must be restarted for\nthe changes to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018181.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018182.html\n\n**Affected packages:**\nseamonkey\nseamonkey-chat\nseamonkey-devel\nseamonkey-dom-inspector\nseamonkey-js-debugger\nseamonkey-mail\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-1440.html", "published": "2011-11-09T15:48:43", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-November/018181.html", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-03T18:25:12"}, {"id": "CESA-2011:1437", "type": "centos", "title": "firefox, xulrunner security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:1437\n\n\nMozilla Firefox is an open source web browser. XULRunner provides the XUL\nRuntime environment for Mozilla Firefox.\n\nA flaw was found in the way Firefox handled certain add-ons. A web page\ncontaining malicious content could cause an add-on to grant itself full\nbrowser privileges, which could lead to arbitrary code execution with the\nprivileges of the user running Firefox. (CVE-2011-3647)\n\nA cross-site scripting (XSS) flaw was found in the way Firefox handled\ncertain multibyte character sets. A web page containing malicious content\ncould cause Firefox to run JavaScript code with the permissions of a\ndifferent website. (CVE-2011-3648)\n\nA flaw was found in the way Firefox handled large JavaScript scripts. A web\npage containing malicious JavaScript could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nFirefox. (CVE-2011-3650)\n\nFor technical details regarding these flaws, refer to the Mozilla security\nadvisories for Firefox 3.6.24. You can find a link to the Mozilla\nadvisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which contain\nFirefox version 3.6.24, which corrects these issues. After installing the\nupdate, Firefox must be restarted for the changes to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018179.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018180.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018187.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-November/018188.html\n\n**Affected packages:**\nfirefox\nxulrunner\nxulrunner-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-1437.html", "published": "2011-11-09T15:48:22", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-November/018179.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2017-10-03T18:24:32"}], "nessus": [{"id": "REDHAT-RHSA-2011-1440.NASL", "type": "nessus", "title": "RHEL 4 : seamonkey (RHSA-2011:1440)", "description": "Updated SeaMonkey packages that fix one security issue are now available for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nSeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor.\n\nA cross-site scripting (XSS) flaw was found in the way SeaMonkey handled certain multibyte character sets. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2011-3648)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect.", "published": "2011-11-09T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56744", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:35:30"}, {"id": "REDHAT-RHSA-2011-1438.NASL", "type": "nessus", "title": "RHEL 4 / 5 : thunderbird (RHSA-2011:1438)", "description": "An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648)\n\nNote: This issue cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect.", "published": "2011-11-09T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56742", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:36:49"}, {"id": "CENTOS_RHSA-2011-1438.NASL", "type": "nessus", "title": "CentOS 4 / 5 : thunderbird (CESA-2011:1438)", "description": "An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648)\n\nNote: This issue cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect.", "published": "2011-11-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56782", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:33:16"}, {"id": "ORACLELINUX_ELSA-2011-1438.NASL", "type": "nessus", "title": "Oracle Linux 4 : thunderbird (ELSA-2011-1438)", "description": "From Red Hat Security Advisory 2011:1438 :\n\nAn updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648)\n\nNote: This issue cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68385", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:35:39"}, {"id": "CENTOS_RHSA-2011-1440.NASL", "type": "nessus", "title": "CentOS 4 : seamonkey (CESA-2011:1440)", "description": "Updated SeaMonkey packages that fix one security issue are now available for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nSeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor.\n\nA cross-site scripting (XSS) flaw was found in the way SeaMonkey handled certain multibyte character sets. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2011-3648)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect.", "published": "2011-11-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56783", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:42:51"}, {"id": "SL_20111108_SEAMONKEY_ON_SL4_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : seamonkey on SL4.x i386/x86_64", "description": "SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor.\n\nA cross-site scripting (XSS) flaw was found in the way SeaMonkey handled certain multibyte character sets. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2011-3648) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61172", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:45:57"}, {"id": "ORACLELINUX_ELSA-2011-1440.NASL", "type": "nessus", "title": "Oracle Linux 4 : seamonkey (ELSA-2011-1440)", "description": "From Red Hat Security Advisory 2011:1440 :\n\nUpdated SeaMonkey packages that fix one security issue are now available for Red Hat Enterprise Linux 4.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nSeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor.\n\nA cross-site scripting (XSS) flaw was found in the way SeaMonkey handled certain multibyte character sets. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2011-3648)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68387", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:37:57"}, {"id": "SL_20111108_THUNDERBIRD_ON_SL4_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : thunderbird on SL4.x, SL5.x i386/x86_64", "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648)\n\nNote: This issue cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61173", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-10-29T13:40:09"}, {"id": "REDHAT-RHSA-2011-1437.NASL", "type": "nessus", "title": "RHEL 4 / 5 / 6 : firefox (RHSA-2011:1437)", "description": "Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nMozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.\n\nA flaw was found in the way Firefox handled certain add-ons. A web page containing malicious content could cause an add-on to grant itself full browser privileges, which could lead to arbitrary code execution with the privileges of the user running Firefox.\n(CVE-2011-3647)\n\nA cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2011-3648)\n\nA flaw was found in the way Firefox handled large JavaScript scripts.\nA web page containing malicious JavaScript could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3650)\n\nFor technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.24. You can find a link to the Mozilla advisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.24, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.", "published": "2011-11-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56741", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2017-10-29T13:44:34"}, {"id": "ORACLELINUX_ELSA-2011-1439.NASL", "type": "nessus", "title": "Oracle Linux 6 : thunderbird (ELSA-2011-1439)", "description": "From Red Hat Security Advisory 2011:1439 :\n\nAn updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nA flaw was found in the way Thunderbird handled certain add-ons.\nMalicious, remote content could cause an add-on to elevate its privileges, which could lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-3647)\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648)\n\nA flaw was found in the way Thunderbird handled large JavaScript scripts. Malicious, remote content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3650)\n\nAll Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68386", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2017-10-29T13:35:54"}], "oraclelinux": [{"id": "ELSA-2011-1438", "type": "oraclelinux", "title": "thunderbird security update", "description": "[1.5.0.12-45.0.1.el4]\n- Add thunderbird-oracle-default-prefs.js for errata rebuild and\n remove thunderbird-redhat-default-prefs.js\n- Replaced clean.gif in tarball\n[1.5.0.12-45]\n- Added fixes from 1.9.2.24", "published": "2011-11-09T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-1438.html", "cvelist": ["CVE-2011-3648"], "lastseen": "2016-09-04T11:16:42"}, {"id": "ELSA-2011-1440", "type": "oraclelinux", "title": "seamonkey security update", "description": "[1.0.9-77.0.1.el4]\n- Add mozilla-oracle-default-prefs.js and mozilla-oracle-default-bookmarks.html\n and remove corresponding RedHat ones\n[1.0.9-77.el4]\n- Added fixes from 1.9.2.24", "published": "2011-11-09T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-1440.html", "cvelist": ["CVE-2011-3648"], "lastseen": "2016-09-04T11:15:54"}, {"id": "ELSA-2011-1439", "type": "oraclelinux", "title": "thunderbird security update", "description": "[3.1.16-2.0.1.el6_1]\n- Replaced thunderbird-redhat-default-prefs.js with\n thunderbird-oracle-default-prefs.js\n- Replace clean.gif in tarball\n[3.1.16-2]\n- Update to 3.1.16", "published": "2011-11-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-1439.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-04T11:16:49"}, {"id": "ELSA-2011-1437", "type": "oraclelinux", "title": "firefox security update", "description": "firefox:\n[3.6.24-3.0.1.el6_1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat ones\n[3.6.24-3]\n- Update to 3.6.24\nxulrunner:\n[1.9.2.24-2.0.1.el6_1.1]\n- Replace xulrunner-redhat-default-prefs.js with\n xulrunner-oracle-default-prefs.js\n[1.9.2.24-2]\n- Update to 1.9.2.24", "published": "2011-11-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-1437.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-04T11:16:14"}], "redhat": [{"id": "RHSA-2011:1440", "type": "redhat", "title": "(RHSA-2011:1440) Moderate: seamonkey security update", "description": "SeaMonkey is an open source web browser, email and newsgroup client, IRC\nchat client, and HTML editor.\n\nA cross-site scripting (XSS) flaw was found in the way SeaMonkey handled\ncertain multibyte character sets. A web page containing malicious content\ncould cause SeaMonkey to run JavaScript code with the permissions of a\ndifferent website. (CVE-2011-3648)\n \nAll SeaMonkey users should upgrade to these updated packages, which correct\nthis issue. After installing the update, SeaMonkey must be restarted for\nthe changes to take effect.\n", "published": "2011-11-08T05:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1440", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-09-09T07:20:35"}, {"id": "RHSA-2011:1438", "type": "redhat", "title": "(RHSA-2011:1438) Moderate: thunderbird security update", "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled\ncertain multibyte character sets. Malicious, remote content could cause\nThunderbird to run JavaScript code with the permissions of different remote\ncontent. (CVE-2011-3648)\n\nNote: This issue cannot be exploited by a specially-crafted HTML mail\nmessage as JavaScript is disabled by default for mail messages. It could be\nexploited another way in Thunderbird, for example, when viewing the full\nremote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which\nresolves this issue. All running instances of Thunderbird must be restarted\nfor the update to take effect.\n", "published": "2011-11-08T05:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1438", "cvelist": ["CVE-2011-3648"], "lastseen": "2017-09-09T07:19:51"}, {"id": "RHSA-2011:1437", "type": "redhat", "title": "(RHSA-2011:1437) Critical: firefox security update", "description": "Mozilla Firefox is an open source web browser. XULRunner provides the XUL\nRuntime environment for Mozilla Firefox.\n\nA flaw was found in the way Firefox handled certain add-ons. A web page\ncontaining malicious content could cause an add-on to grant itself full\nbrowser privileges, which could lead to arbitrary code execution with the\nprivileges of the user running Firefox. (CVE-2011-3647)\n\nA cross-site scripting (XSS) flaw was found in the way Firefox handled\ncertain multibyte character sets. A web page containing malicious content\ncould cause Firefox to run JavaScript code with the permissions of a\ndifferent website. (CVE-2011-3648)\n\nA flaw was found in the way Firefox handled large JavaScript scripts. A web\npage containing malicious JavaScript could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nFirefox. (CVE-2011-3650)\n\nFor technical details regarding these flaws, refer to the Mozilla security\nadvisories for Firefox 3.6.24. You can find a link to the Mozilla\nadvisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which contain\nFirefox version 3.6.24, which corrects these issues. After installing the\nupdate, Firefox must be restarted for the changes to take effect.\n", "published": "2011-11-08T05:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1437", "cvelist": ["CVE-2011-3647", "CVE-2011-3648", "CVE-2011-3650"], "lastseen": "2018-06-06T18:05:38"}, {"id": "RHSA-2011:1439", "type": "redhat", "title": "(RHSA-2011:1439) Critical: thunderbird security update", "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nA flaw was found in the way Thunderbird handled certain add-ons. Malicious,\nremote content could cause an add-on to elevate its privileges, which could\nlead to arbitrary code execution with the privileges of the user running\nThunderbird. (CVE-2011-3647)\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled\ncertain multibyte character sets. Malicious, remote content could cause\nThunderbird to run JavaScript code with the permissions of different\nremote content. (CVE-2011-3648)\n\nA flaw was found in the way Thunderbird handled large JavaScript scripts.\nMalicious, remote content could cause Thunderbird to crash or, potentially,\nexecute arbitrary code with the privileges of the user running Thunderbird.\n(CVE-2011-3650)\n\nAll Thunderbird users should upgrade to this updated package, which\nresolves these issues. All running instances of Thunderbird must be\nrestarted for the update to take effect.\n", "published": "2011-11-08T05:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1439", "cvelist": ["CVE-2011-3647", "CVE-2011-3648", "CVE-2011-3650"], "lastseen": "2018-06-06T18:04:43"}], "debian": [{"id": "DSA-2342", "type": "debian", "title": "iceape -- several vulnerabilities", "description": "Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey:\n\n * [CVE-2011-3647](<https://security-tracker.debian.org/tracker/CVE-2011-3647>)\n\nmoz_bug_r_a4 discovered a privilege escalation vulnerability in addon handling.\n\n * [CVE-2011-3648](<https://security-tracker.debian.org/tracker/CVE-2011-3648>)\n\nYosuke Hasegawa discovered that incorrect handling of Shift-JIS encodings could lead to cross-site scripting.\n\n * [CVE-2011-3650](<https://security-tracker.debian.org/tracker/CVE-2011-3650>)\n\nMarc Schoenefeld discovered that profiling the JavaScript code could lead to memory corruption.\n\nThe oldstable distribution (lenny) is not affected. The iceape package only provides the XPCOM code.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 2.0.11-9.\n\nFor the unstable distribution (sid), this problem has been fixed in version 2.0.14-9.\n\nWe recommend that you upgrade your iceape packages.", "published": "2011-11-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2342", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-02T18:34:14"}, {"id": "DSA-2345", "type": "debian", "title": "icedove -- several vulnerabilities", "description": "Several vulnerabilities have been discovered in Icedove, a mail client based on Thunderbird.\n\n * [CVE-2011-3647](<https://security-tracker.debian.org/tracker/CVE-2011-3647>)\n\nThe JSSubScriptLoader does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior.\n\n * [CVE-2011-3648](<https://security-tracker.debian.org/tracker/CVE-2011-3648>)\n\nA cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.\n\n * [CVE-2011-3650](<https://security-tracker.debian.org/tracker/CVE-2011-3650>)\n\nIceweasel does not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.\n\nFor the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze6.\n\nFor the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 3.1.15-1.\n\nWe recommend that you upgrade your icedove packages.", "published": "2011-11-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2345", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-02T18:27:19"}, {"id": "DSA-2341", "type": "debian", "title": "iceweasel -- several vulnerabilities", "description": "Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.\n\n * [CVE-2011-3647](<https://security-tracker.debian.org/tracker/CVE-2011-3647>)\n\nmoz_bug_r_a4 discovered a privilege escalation vulnerability in addon handling.\n\n * [CVE-2011-3648](<https://security-tracker.debian.org/tracker/CVE-2011-3648>)\n\nYosuke Hasegawa discovered that incorrect handling of Shift-JIS encodings could lead to cross-site scripting.\n\n * [CVE-2011-3650](<https://security-tracker.debian.org/tracker/CVE-2011-3650>)\n\nMarc Schoenefeld discovered that profiling the JavaScript code could lead to memory corruption.\n\nFor the oldstable distribution (lenny), this problem has been fixed in version 1.9.0.19-15 of the xulrunner source package.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 3.5.16-11.\n\nFor the unstable distribution (sid), this problem has been fixed in version 8.0-1.\n\nWe recommend that you upgrade your iceweasel packages.", "published": "2011-11-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2341", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-02T18:36:31"}], "suse": [{"id": "SUSE-SU-2011:1266-1", "type": "suse", "title": "Security update for MozillaFirefox (critical)", "description": "MozillaFirefox has been updated to version 3.6.24 to fix\n the following security issues:\n\n * MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper\n scope parameter ( CVE-2011-3647\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647</a>\n > )\n * MFSA 2011-47 Potential XSS against sites using\n Shift-JIS ( CVE-2011-3648\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648</a>\n > )\n * MFSA 2011-49 Memory corruption while profiling using\n Firebug ( CVE-2011-3650\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650</a>\n > )\n\n\n", "published": "2011-11-18T22:08:45", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00024.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-04T12:08:03"}, {"id": "OPENSUSE-SU-2011:1242-1", "type": "suse", "title": "MozillaFirefox (critical)", "description": "MozillaFirefox has been updated to version 3.6.24 to fix\n the following security issues:\n\n * MFSA 2011-46/CVE-2011-3647 (bmo#680880) loadSubScript\n unwraps XPCNativeWrapper scope parameter\n * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS\n against sites using Shift-JIS\n * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption\n while profiling using Firebug\n\n", "published": "2011-11-15T15:08:31", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00015.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647"], "lastseen": "2016-09-04T11:50:18"}, {"id": "OPENSUSE-SU-2011:1243-1", "type": "suse", "title": "MozillaFirefox secuirty update (critical)", "description": "MozillaFirefox was updated to version 8 (bnc#728520) to fix\n the following security issues:\n\n * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS\n against sites using Shift-JIS\n * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654\n Miscellaneous memory safety hazards\n * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory\n corruption while profiling using Firebug\n * MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution\n via NoWaiverWrapper\n - rebased patches\n\n", "published": "2011-11-15T15:08:39", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00016.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3654", "CVE-2011-3652", "CVE-2011-3650", "CVE-2011-3651", "CVE-2011-3655"], "lastseen": "2016-09-04T12:03:49"}, {"id": "SUSE-SU-2011:1256-1", "type": "suse", "title": "Security update for Mozilla Firefox (critical)", "description": "MozillaFirefox has been updated to version 1.9.2.24\n (bnc#728520) to fix the following security issues:\n\n * MFSA 2011-46/CVE-2011-3647 (bmo#680880) loadSubScript\n unwraps XPCNativeWrapper scope parameter\n * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS\n against sites using Shift-JIS\n * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory\n corruption while profiling using Firebug\n", "published": "2011-11-17T23:08:23", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html", "cvelist": ["CVE-2011-3648", "CVE-2011-2998", "CVE-2011-2372", "CVE-2011-3650", "CVE-2011-3647", "CVE-2011-3653", "CVE-2011-3649", "CVE-2011-2996", "CVE-2011-3651", "CVE-2011-3000", "CVE-2011-3655", "CVE-2011-2999", "CVE-2011-3001"], "lastseen": "2016-09-04T11:56:41"}, {"id": "OPENSUSE-SU-2011:1290-1", "type": "suse", "title": "Seamonkey update (critical)", "description": "Seamonkey was upgraded to version 2.5 in order to fix the\n following security problems:\n\n * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS\n against sites using Shift-JIS\n\n * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654\n Miscellaneous memory safety hazards\n\n * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption\n while profiling using Firebug\n\n * MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution\n via NoWaiverWrapper\n\n", "published": "2011-12-01T15:08:20", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00001.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3640", "CVE-2011-2998", "CVE-2011-3654", "CVE-2011-3652", "CVE-2011-2372", "CVE-2011-3650", "CVE-2011-3647", "CVE-2011-3653", "CVE-2011-3649", "CVE-2011-2996", "CVE-2011-3651", "CVE-2011-3000", "CVE-2011-3655", "CVE-2011-2999", "CVE-2011-3001"], "lastseen": "2016-09-04T12:45:07"}, {"id": "SUSE-SU-2011:1256-2", "type": "suse", "title": "Security update for mozilla-nss (critical)", "description": "This update to version 3.13.1 of mozilla-nss fixes the\n following issues:\n\n * Explicitly distrust DigiCert Sdn. Bhd (bmo#698753)\n * Better SHA-224 support (bmo#647706)\n * Fix a regression (causing hangs in some situations)\n introduced in 3.13 (bmo#693228)\n * SSL 2.0 is disabled by default\n * A defense against the SSL 3.0 and TLS 1.0 CBC chosen\n plaintext attack demonstrated by Rizzo and Duong\n (CVE-2011-3389) has been enabled by default. Set the\n SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.\n * Support SHA-224\n * Add PORT_ErrorToString and PORT_ErrorToName to return\n the error message and symbolic name of an NSS error code\n * Add NSS_GetVersion to return the NSS version string\n * Add experimental support of RSA-PSS to the softoken\n only\n * NSS_NoDB_Init does not try to open /pkcs11.txt and\n /secmod.db anymore (bmo#641052)\n\n Security Issues:\n\n * CVE-2011-3648\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648</a>\n >\n * CVE-2011-3000\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000</a>\n >\n * CVE-2011-3001\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3001\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3001</a>\n >\n * CVE-2011-3647\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647</a>\n >\n * CVE-2011-2372\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372</a>\n >\n * CVE-2011-2999\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2999\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2999</a>\n >\n * CVE-2011-3650\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650</a>\n >\n * CVE-2011-2998\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2998\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2998</a>\n >\n * CVE-2011-2996\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2996\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2996</a>\n >\n * CVE-2011-3655\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655</a>\n >\n * CVE-2011-3653\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3653\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3653</a>\n >\n * CVE-2011-3649\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3649\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3649</a>\n >\n * CVE-2011-3651\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651</a>\n >\n", "published": "2011-11-18T22:08:26", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00023.html", "cvelist": ["CVE-2011-3648", "CVE-2011-2998", "CVE-2011-2372", "CVE-2011-3389", "CVE-2011-3650", "CVE-2011-3647", "CVE-2011-3653", "CVE-2011-3649", "CVE-2011-2996", "CVE-2011-3651", "CVE-2011-3000", "CVE-2011-3655", "CVE-2011-2999", "CVE-2011-3001"], "lastseen": "2016-09-04T12:23:19"}, {"id": "OPENSUSE-SU-2014:1100-1", "type": "suse", "title": "Firefox update to 31.1esr (important)", "description": "This patch contains security updates for\n\n * mozilla-nss 3.16.4\n - The following 1024-bit root CA certificate was restored to allow more\n time to develop a better transition strategy for affected sites. It\n was removed in NSS 3.16.3, but discussion in the\n mozilla.dev.security.policy forum led to the decision to keep this\n root included longer in order to give website administrators more time\n to update their web servers.\n - CN = GTE CyberTrust Global Root\n * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification\n Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit\n intermediate CA certificate has been included, without explicit trust.\n The intention is to mitigate the effects of the previous removal of\n the 1024-bit Entrust.net root certificate, because many public\n Internet sites still use the "USERTrust Legacy Secure Server CA"\n intermediate certificate that is signed by the 1024-bit Entrust.net\n root certificate. The inclusion of the intermediate certificate is a\n temporary measure to allow those sites to function, by allowing them\n to find a trust path to another 2048-bit root CA certificate. The\n temporarily included intermediate certificate expires November 1, 2015.\n\n * Firefox 31.1esr Firefox is updated from 24esr to 31esr as maintenance\n for version 24 stopped\n\n", "published": "2014-09-09T18:04:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00004.html", "cvelist": ["CVE-2012-1945", "CVE-2011-3648", "CVE-2014-1505", "CVE-2014-1536", "CVE-2011-0061", "CVE-2011-0077", "CVE-2014-1513", "CVE-2012-0478", "CVE-2012-4193", "CVE-2012-0442", "CVE-2013-5601", "CVE-2013-1687", "CVE-2013-5612", "CVE-2013-1692", "CVE-2010-0654", "CVE-2012-1962", "CVE-2013-0743", "CVE-2012-0443", "CVE-2012-5842", "CVE-2012-4212", "CVE-2013-5595", "CVE-2010-0176", "CVE-2014-1530", "CVE-2011-0083", "CVE-2010-1203", "CVE-2013-1737", "CVE-2012-4214", "CVE-2008-1236", "CVE-2013-5611", "CVE-2012-1970", "CVE-2008-3835", "CVE-2013-1709", "CVE-2007-3738", "CVE-2012-3989", "CVE-2013-5616", "CVE-2013-1678", "CVE-2010-2762", "CVE-2012-5830", "CVE-2013-0763", "CVE-2014-1510", "CVE-2011-3026", "CVE-2012-0460", "CVE-2013-5613", "CVE-2012-1973", "CVE-2014-1522", "CVE-2011-3654", "CVE-2014-1567", "CVE-2012-1974", "CVE-2010-2766", "CVE-2012-4195", "CVE-2012-3986", "CVE-2013-0783", "CVE-2007-3734", "CVE-2011-2371", "CVE-2014-1481", "CVE-2013-1670", "CVE-2012-4185", "CVE-2010-3777", "CVE-2012-3991", "CVE-2013-1719", "CVE-2012-3968", "CVE-2013-1725", "CVE-2012-3963", "CVE-2014-1539", "CVE-2010-0174", "CVE-2012-0452", "CVE-2013-1735", "CVE-2012-1956", "CVE-2014-1487", "CVE-2012-3978", "CVE-2012-3985", "CVE-2013-0746", "CVE-2012-5829", "CVE-2009-1571", "CVE-2012-1944", "CVE-2012-5838", "CVE-2011-2986", "CVE-2010-1205", "CVE-2014-1538", "CVE-2012-4213", "CVE-2013-1685", "CVE-2012-0479", "CVE-2013-5609", "CVE-2007-3737", "CVE-2013-0766", "CVE-2007-3736", "CVE-2012-1940", "CVE-2013-1697", "CVE-2014-1484", "CVE-2014-1525", "CVE-2012-3993", "CVE-2013-5619", "CVE-2012-5837", "CVE-2008-5500", "CVE-2012-5836", "CVE-2014-1509", "CVE-2009-0772", "CVE-2013-0787", "CVE-2012-3995", "CVE-2012-4201", "CVE-2010-0159", "CVE-2009-0773", "CVE-2011-3659", "CVE-2011-3663", "CVE-2014-1494", "CVE-2014-1559", "CVE-2013-0747", "CVE-2012-0470", "CVE-2012-0446", "CVE-2008-4063", "CVE-2014-1537", "CVE-2013-1694", "CVE-2014-1523", "CVE-2012-1972", "CVE-2010-1200", "CVE-2010-0175", "CVE-2012-3988", "CVE-2012-0457", "CVE-2010-3778", "CVE-2012-3994", "CVE-2013-5615", "CVE-2013-1680", "CVE-2012-3962", "CVE-2012-0459", "CVE-2011-2362", "CVE-2014-1529", "CVE-2013-1724", "CVE-2010-1213", "CVE-2013-5597", "CVE-2012-5843", "CVE-2014-1543", "CVE-2014-1486", "CVE-2011-0085", "CVE-2013-5590", "CVE-2008-5510", "CVE-2011-0080", "CVE-2013-0780", "CVE-2008-5502", "CVE-2010-3765", "CVE-2013-1732", "CVE-2013-0744", "CVE-2013-0795", "CVE-2008-1237", "CVE-2013-1720", "CVE-2008-4070", "CVE-2013-0748", "CVE-2012-4183", "CVE-2010-3178", "CVE-2013-1679", "CVE-2007-3285", "CVE-2013-5610", "CVE-2013-0768", "CVE-2011-3661", "CVE-2012-4181", "CVE-2014-1532", "CVE-2013-6671", "CVE-2009-0040", "CVE-2011-3652", "CVE-2013-0755", "CVE-2008-4067", "CVE-2014-1548", "CVE-2011-2364", "CVE-2014-1531", "CVE-2013-0752", "CVE-2012-4186", "CVE-2014-1508", "CVE-2012-1948", "CVE-2008-5012", "CVE-2012-1938", "CVE-2013-0796", "CVE-2012-0449", "CVE-2010-3769", "CVE-2012-3969", "CVE-2014-1502", "CVE-2013-1723", "CVE-2013-0782", "CVE-2012-1953", "CVE-2012-1949", "CVE-2014-1542", "CVE-2012-0456", "CVE-2011-2372", "CVE-2010-3169", "CVE-2012-3970", "CVE-2011-0053", "CVE-2012-5840", "CVE-2010-3176", "CVE-2012-4191", "CVE-2010-3174", "CVE-2010-3768", "CVE-2014-1477", "CVE-2013-0800", "CVE-2010-1212", "CVE-2013-1681", "CVE-2010-1211", "CVE-2010-1121", "CVE-2013-0773", "CVE-2013-0754", "CVE-2010-3167", "CVE-2012-4202", "CVE-2010-3180", "CVE-2012-3957", "CVE-2011-3660", "CVE-2014-1540", "CVE-2014-1534", "CVE-2012-1941", "CVE-2013-1738", "CVE-2014-1482", "CVE-2014-1479", "CVE-2008-4066", "CVE-2008-5018", "CVE-2012-3984", "CVE-2014-1504", "CVE-2012-0444", "CVE-2011-3650", "CVE-2014-1511", "CVE-2010-2753", "CVE-2012-1946", "CVE-2010-3776", "CVE-2012-4182", "CVE-2008-1233", "CVE-2012-4187", "CVE-2012-3983", "CVE-2011-0062", "CVE-2008-0016", "CVE-2011-3101", "CVE-2010-3168", "CVE-2013-0788", "CVE-2013-1728", "CVE-2014-1545", "CVE-2010-0173", "CVE-2012-0472", "CVE-2013-5592", "CVE-2013-1730", "CVE-2008-4059", "CVE-2010-2764", "CVE-2014-1492", "CVE-2011-0081", "CVE-2009-0771", "CVE-2007-3670", "CVE-2012-1954", "CVE-2009-0774", "CVE-2014-1556", "CVE-2012-0461", "CVE-2011-2376", "CVE-2012-3958", "CVE-2012-0469", "CVE-2014-1563", "CVE-2014-1524", "CVE-2014-1512", "CVE-2012-1975", "CVE-2011-0075", "CVE-2013-1690", "CVE-2012-0464", "CVE-2013-0775", "CVE-2012-1967", "CVE-2013-5604", "CVE-2014-1514", "CVE-2010-3166", "CVE-2011-0074", "CVE-2013-0801", "CVE-2012-3956", "CVE-2010-2769", "CVE-2012-3982", "CVE-2009-3555", "CVE-2013-1714", "CVE-2011-2989", "CVE-2010-1196", "CVE-2008-5021", "CVE-2008-5017", "CVE-2013-0769", "CVE-2012-3966", "CVE-2013-0771", "CVE-2014-1490", "CVE-2012-5839", "CVE-2013-0757", "CVE-2014-1498", "CVE-2012-1961", "CVE-2010-3173", "CVE-2012-4216", "CVE-2008-4062", "CVE-2010-3179", "CVE-2010-0182", "CVE-2014-1565", "CVE-2012-3967", "CVE-2013-0749", "CVE-2011-3651", "CVE-2008-4060", "CVE-2007-3656", "CVE-2008-1234", "CVE-2012-1951", "CVE-2012-0475", "CVE-2014-1555", "CVE-2014-1564", "CVE-2012-1952", "CVE-2010-1201", "CVE-2013-0761", "CVE-2013-1669", "CVE-2010-1585", "CVE-2012-3959", "CVE-2012-0455", "CVE-2014-1558", "CVE-2011-0084", "CVE-2012-0759", "CVE-2007-3089", "CVE-2014-1519", "CVE-2013-1701", "CVE-2012-0474", "CVE-2012-3975", "CVE-2010-2768", "CVE-2008-5014", "CVE-2013-1684", "CVE-2008-4058", "CVE-2012-4184", "CVE-2012-0447", "CVE-2014-1547", "CVE-2011-3232", "CVE-2012-4205", "CVE-2014-1480", "CVE-2014-1500", "CVE-2011-0069", "CVE-2013-6630", "CVE-2008-5022", "CVE-2008-5512", "CVE-2014-1497", "CVE-2013-5596", "CVE-2012-3992", "CVE-2008-1235", "CVE-2013-1676", "CVE-2013-0789", "CVE-2008-5501", "CVE-2008-4068", "CVE-2008-5016", "CVE-2013-1675", "CVE-2014-1478", "CVE-2012-3980", "CVE-2008-5503", "CVE-2011-2374", "CVE-2012-1955", "CVE-2012-1960", "CVE-2012-0445", "CVE-2012-0462", "CVE-2012-4217", "CVE-2013-1686", "CVE-2013-0745", "CVE-2013-0756", "CVE-2012-4218", "CVE-2013-0760", "CVE-2011-2377", "CVE-2014-1485", "CVE-2014-1493", "CVE-2007-3735", "CVE-2011-3000", "CVE-2010-2765", "CVE-2014-1544", "CVE-2010-2767", "CVE-2011-0078", "CVE-2012-3960", "CVE-2010-3175", "CVE-2012-0451", "CVE-2011-3655", "CVE-2012-4180", "CVE-2013-0767", "CVE-2010-3182", "CVE-2009-0776", "CVE-2013-5603", "CVE-2012-1959", "CVE-2011-2363", "CVE-2011-0070", "CVE-2013-1682", "CVE-2012-1947", "CVE-2013-6673", "CVE-2013-1674", "CVE-2013-0762", "CVE-2014-1562", "CVE-2010-3170", "CVE-2011-3005", "CVE-2012-4208", "CVE-2011-3658", "CVE-2014-1541", "CVE-2011-2373", "CVE-2008-5511", "CVE-2011-2992", "CVE-2014-1488", "CVE-2012-1957", "CVE-2012-1958", "CVE-2008-4064", "CVE-2012-1976", "CVE-2011-1187", "CVE-2012-5835", "CVE-2014-1552", "CVE-2010-3183", "CVE-2010-1202", "CVE-2012-0468", "CVE-2013-5599", "CVE-2014-1553", "CVE-2014-1549", "CVE-2013-1713", "CVE-2008-5508", "CVE-2012-3972", "CVE-2012-4207", "CVE-2011-2988", "CVE-2008-4061", "CVE-2013-5591", "CVE-2010-1199", "CVE-2012-4204", "CVE-2013-5602", "CVE-2011-2985", "CVE-2012-4192", "CVE-2011-2987", "CVE-2012-4188", "CVE-2012-0441", "CVE-2013-0774", "CVE-2008-5024", "CVE-2013-0753", "CVE-2012-5833", "CVE-2014-1557", "CVE-2013-1736", "CVE-2014-1526", "CVE-2013-0776", "CVE-2012-3964", "CVE-2013-5593", "CVE-2014-1550", "CVE-2013-1718", "CVE-2012-5841", "CVE-2014-1533", "CVE-2013-1717", "CVE-2010-2754", "CVE-2008-5507", "CVE-2012-3990", "CVE-2014-1491", "CVE-2013-6672", "CVE-2013-5614", "CVE-2008-4065", "CVE-2013-1693", "CVE-2010-2760", "CVE-2013-0750", "CVE-2012-1937", "CVE-2014-1560", "CVE-2012-4215", "CVE-2013-6629", "CVE-2012-0463", "CVE-2013-1677", "CVE-2011-2991", "CVE-2013-0770", "CVE-2013-0793", "CVE-2012-4179", "CVE-2011-3001", "CVE-2014-1483", "CVE-2014-1489", "CVE-2011-3062", "CVE-2012-0477", "CVE-2013-1722", "CVE-2012-0473", "CVE-2012-4194", "CVE-2011-2365", "CVE-2012-4209", "CVE-2012-1963", "CVE-2012-4196", "CVE-2008-5506", "CVE-2013-1710", "CVE-2012-0467", "CVE-2012-0458", "CVE-2013-0758", "CVE-2013-5600", "CVE-2010-2752", "CVE-2014-1499", "CVE-2014-1518", "CVE-2012-0471", "CVE-2012-3961", "CVE-2014-1561", "CVE-2012-3971", "CVE-2013-0764", "CVE-2014-1528", "CVE-2013-5618", "CVE-2011-0072"], "lastseen": "2016-09-04T12:21:58"}], "ubuntu": [{"id": "USN-1251-1", "type": "ubuntu", "title": "Firefox and Xulrunner vulnerabilities", "description": "It was discovered that CVE-2011-3004, which addressed possible privilege escalation in addons, also affected Firefox 3.6. An attacker could potentially exploit Firefox when an add-on was installed that used loadSubscript in vulnerable ways. (CVE-2011-3647)\n\nYosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. A malicious website could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648)\n\nMarc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs which would potentially allow an attacker to remotely crash the browser. (CVE-2011-3650)", "published": "2011-11-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1251-1/", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647", "CVE-2011-3004"], "lastseen": "2018-03-29T18:17:29"}, {"id": "USN-1254-1", "type": "ubuntu", "title": "Thunderbird vulnerabilities", "description": "It was discovered that CVE-2011-3004, which addressed possible privilege escalation in addons, also affected Thunderbird 3.1. An attacker could potentially exploit a user who had installed an add-on that used loadSubscript in vulnerable ways. (CVE-2011-3647)\n\nYosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648)\n\nMarc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs which would potentially allow an attacker to remotely crash Thunderbird. (CVE-2011-3650)", "published": "2011-12-22T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1254-1/", "cvelist": ["CVE-2011-3648", "CVE-2011-3650", "CVE-2011-3647", "CVE-2011-3004"], "lastseen": "2018-03-29T18:17:17"}, {"id": "USN-1277-1", "type": "ubuntu", "title": "Firefox vulnerabilities", "description": "Yosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648)\n\nMarc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs, which could potentially remotely crash the browser, resulting in a denial of service. (CVE-2011-3650)\n\nJason Orendorff, Boris Zbarsky, Gregg Tavares, Mats Palmgren, Christian Holler, Jesse Ruderman, Simona Marcu, Bob Clary, and William McCloskey discovered multiple memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. An attacker might be able to use these flaws to execute arbitrary code with the privileges of the user invoking Firefox or possibly crash the browser resulting in a denial of service. (CVE-2011-3651)\n\nIt was discovered that Firefox could be caused to crash under certain conditions, due to an unchecked allocation failure, resulting in a denial of service. It might also be possible to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3652)\n\nAki Helin discovered that Firefox does not properly handle links from SVG mpath elements to non-SVG elements. An attacker could use this vulnerability to crash Firefox, resulting in a denial of service, or possibly execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3654)\n\nIt was discovered that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. An attacker could possibly use this to gain elevated privileges within the browser for web content. (CVE-2011-3655)", "published": "2011-11-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1277-1/", "cvelist": ["CVE-2011-3648", "CVE-2011-3654", "CVE-2011-3652", "CVE-2011-3650", "CVE-2011-3651", "CVE-2011-3655"], "lastseen": "2018-03-29T18:21:08"}, {"id": "USN-1282-1", "type": "ubuntu", "title": "Thunderbird vulnerabilities", "description": "Yosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648)\n\nMarc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs, which could potentially remotely crash Thunderbird, resulting in a denial of service. (CVE-2011-3650)\n\nJason Orendorff, Boris Zbarsky, Gregg Tavares, Mats Palmgren, Christian Holler, Jesse Ruderman, Simona Marcu, Bob Clary, and William McCloskey discovered multiple memory safety bugs in the browser engine used in Thunderbird and other Mozilla-based products. An attacker might be able to use these flaws to execute arbitrary code with the privileges of the user invoking Thunderbird or possibly crash Thunderbird resulting in a denial of service. (CVE-2011-3651)\n\nIt was discovered that Thunderbird could be caused to crash under certain conditions, due to an unchecked allocation failure, resulting in a denial of service. It might also be possible to execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2011-3652)\n\nAki Helin discovered that Thunderbird does not properly handle links from SVG mpath elements to non-SVG elements. An attacker could use this vulnerability to crash Thunderbird, resulting in a denial of service, or possibly execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2011-3654)\n\nIt was discovered that an internal privilege check failed to respect the NoWaiverWrappers introduced with Thunderbird 5. An attacker could possibly use this to gain elevated privileges within Thunderbird for web content. (CVE-2011-3655)", "published": "2011-11-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1282-1/", "cvelist": ["CVE-2011-3648", "CVE-2011-3654", "CVE-2011-3652", "CVE-2011-3650", "CVE-2011-3651", "CVE-2011-3655"], "lastseen": "2018-03-29T18:19:06"}, {"id": "USN-1277-2", "type": "ubuntu", "title": "Mozvoikko and ubufox update", "description": "USN-1277-1 fixed vulnerabilities in Firefox. This update provides updated Mozvoikko and ubufox packages for use with Firefox 8.\n\nOriginal advisory details:\n\nYosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648)\n\nMarc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs, which could potentially remotely crash the browser, resulting in a denial of service. (CVE-2011-3650)\n\nJason Orendorff, Boris Zbarsky, Gregg Tavares, Mats Palmgren, Christian Holler, Jesse Ruderman, Simona Marcu, Bob Clary, and William McCloskey discovered multiple memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. An attacker might be able to use these flaws to execute arbitrary code with the privileges of the user invoking Firefox or possibly crash the browser resulting in a denial of service. (CVE-2011-3651)\n\nIt was discovered that Firefox could be caused to crash under certain conditions, due to an unchecked allocation failure, resulting in a denial of service. It might also be possible to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3652)\n\nAki Helin discovered that Firefox does not properly handle links from SVG mpath elements to non-SVG elements. An attacker could use this vulnerability to crash Firefox, resulting in a denial of service, or possibly execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3654)\n\nIt was discovered that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. An attacker could possibly use this to gain elevated privileges within the browser for web content. (CVE-2011-3655)", "published": "2011-11-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1277-2/", "cvelist": ["CVE-2011-3648", "CVE-2011-3654", "CVE-2011-3652", "CVE-2011-3650", "CVE-2011-3651", "CVE-2011-3655"], "lastseen": "2018-03-29T18:19:28"}], "freebsd": [{"id": "6C8AD3E8-0A30-11E1-9580-4061862B8C22", "type": "freebsd", "title": "mozilla -- multiple vulnerabilities", "description": "\nThe Mozilla Project reports:\n\nMFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope\n\t parameter (1.9.2 branch)\nMFSA 2011-47 Potential XSS against sites using Shift-JIS\nMFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)\nMFSA 2011-49 Memory corruption while profiling using Firebug\nMFSA 2011-50 Cross-origin data theft using canvas and Windows\n\t D2D\nMFSA 2011-51 Cross-origin image theft on Mac with integrated\n\t Intel GPU\nMFSA 2011-52 Code execution via NoWaiverWrapper\n\n", "published": "2011-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/6c8ad3e8-0a30-11e1-9580-4061862b8c22.html", "cvelist": ["CVE-2011-3648", "CVE-2011-3654", "CVE-2011-3652", "CVE-2011-3650", "CVE-2011-3647", "CVE-2011-3653", "CVE-2011-3649", "CVE-2011-3651", "CVE-2011-3655"], "lastseen": "2016-09-26T17:24:42"}], "gentoo": [{"id": "GLSA-201301-01", "type": "gentoo", "title": "Mozilla Products: Multiple vulnerabilities", "description": "### Background\n\nMozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the \u2018Mozilla Application Suite\u2019. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications such as Firefox and Thunderbird. NSS is Mozilla\u2019s Network Security Services library that implements PKI support. IceCat is the GNU version of Firefox. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URL\u2019s for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser\u2019s font, conduct clickjacking attacks, or have other unspecified impact. \n\nA local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Mozilla Firefox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/firefox-10.0.11\"\n \n\nAll users of the Mozilla Firefox binary package should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/firefox-bin-10.0.11\"\n \n\nAll Mozilla Thunderbird users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-client/thunderbird-10.0.11\"\n \n\nAll users of the Mozilla Thunderbird binary package should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=mail-client/thunderbird-bin-10.0.11\"\n \n\nAll Mozilla SeaMonkey users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/seamonkey-2.14-r1\"\n \n\nAll users of the Mozilla SeaMonkey binary package should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/seamonkey-bin-2.14\"\n \n\nAll NSS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/nss-3.14\"\n \n\nThe \u201cwww-client/mozilla-firefox\u201d package has been merged into the \u201cwww-client/firefox\u201d package. To upgrade, please unmerge \u201cwww-client/mozilla-firefox\u201d and then emerge the latest \u201cwww-client/firefox\u201d package: \n \n \n # emerge --sync\n # emerge --unmerge \"www-client/mozilla-firefox\"\n # emerge --ask --oneshot --verbose \">=www-client/firefox-10.0.11\"\n \n\nThe \u201cwww-client/mozilla-firefox-bin\u201d package has been merged into the \u201cwww-client/firefox-bin\u201d package. To upgrade, please unmerge \u201cwww-client/mozilla-firefox-bin\u201d and then emerge the latest \u201cwww-client/firefox-bin\u201d package: \n \n \n # emerge --sync\n # emerge --unmerge \"www-client/mozilla-firefox-bin\"\n # emerge --ask --oneshot --verbose \">=www-client/firefox-bin-10.0.11\"\n \n\nThe \u201cmail-client/mozilla-thunderbird\u201d package has been merged into the \u201cmail-client/thunderbird\u201d package. To upgrade, please unmerge \u201cmail-client/mozilla-thunderbird\u201d and then emerge the latest \u201cmail-client/thunderbird\u201d package: \n \n \n # emerge --sync\n # emerge --unmerge \"mail-client/mozilla-thunderbird\"\n # emerge --ask --oneshot --verbose \">=mail-client/thunderbird-10.0.11\"\n \n\nThe \u201cmail-client/mozilla-thunderbird-bin\u201d package has been merged into the \u201cmail-client/thunderbird-bin\u201d package. To upgrade, please unmerge \u201cmail-client/mozilla-thunderbird-bin\u201d and then emerge the latest \u201cmail-client/thunderbird-bin\u201d package: \n \n \n # emerge --sync\n # emerge --unmerge \"mail-client/mozilla-thunderbird-bin\"\n # emerge --ask --oneshot --verbose\n \">=mail-client/thunderbird-bin-10.0.11\"\n \n\nGentoo discontinued support for GNU IceCat. We recommend that users unmerge GNU IceCat: \n \n \n # emerge --unmerge \"www-client/icecat\"\n \n\nGentoo discontinued support for XULRunner. We recommend that users unmerge XULRunner: \n \n \n # emerge --unmerge \"net-libs/xulrunner\"\n \n\nGentoo discontinued support for the XULRunner binary package. We recommend that users unmerge XULRunner: \n \n \n # emerge --unmerge \"net-libs/xulrunner-bin\"", "published": "2013-01-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201301-01", "cvelist": ["CVE-2012-1945", "CVE-2011-3648", "CVE-2009-0355", "CVE-2011-0061", "CVE-2011-0077", "CVE-2012-0478", "CVE-2012-4193", "CVE-2011-1202", "CVE-2012-0442", "CVE-2010-3772", "CVE-2011-0071", "CVE-2009-2470", "CVE-2010-0654", "CVE-2009-3388", "CVE-2012-1962", "CVE-2012-0443", "CVE-2011-3866", "CVE-2011-0068", "CVE-2012-5842", "CVE-2012-4212", "CVE-2009-2477", "CVE-2009-1563", "CVE-2010-0176", "CVE-2011-3640", "CVE-2011-0083", "CVE-2010-1203", "CVE-2009-3076", "CVE-2012-1970", "CVE-2009-3389", "CVE-2008-3835", "CVE-2012-3989", "CVE-2010-2762", "CVE-2012-5830", "CVE-2012-4210", "CVE-2009-1305", "CVE-2011-3026", "CVE-2009-3979", "CVE-2011-2370", "CVE-2012-0460", "CVE-2012-1973", "CVE-2009-3376", "CVE-2011-2369", "CVE-2011-2998", "CVE-2011-3654", "CVE-2011-2605", "CVE-2009-1833", "CVE-2010-0165", "CVE-2012-1974", "CVE-2010-0220", "CVE-2010-2766", "CVE-2011-2993", "CVE-2012-4195", "CVE-2010-0168", "CVE-2012-3986", "CVE-2010-0160", "CVE-2009-1169", "CVE-2011-2371", "CVE-2009-3379", "CVE-2012-4185", "CVE-2010-3777", "CVE-2012-3991", "CVE-2012-5354", "CVE-2012-4206", "CVE-2009-3071", "CVE-2012-3968", "CVE-2010-1214", "CVE-2012-3963", "CVE-2010-0174", "CVE-2010-0172", "CVE-2009-2535", "CVE-2012-0452", "CVE-2009-1312", "CVE-2012-1956", "CVE-2012-3978", "CVE-2012-3985", "CVE-2011-2995", "CVE-2012-5829", "CVE-2009-1571", "CVE-2008-5505", "CVE-2012-5838", "CVE-2011-2986", "CVE-2010-1205", "CVE-2009-2210", "CVE-2009-2478", "CVE-2008-6961", "CVE-2012-0479", "CVE-2012-0450", "CVE-2012-1940", "CVE-2012-3993", "CVE-2008-5500", "CVE-2012-5836", "CVE-2009-3274", "CVE-2010-1125", "CVE-2009-0772", "CVE-2012-3995", "CVE-2012-4201", "CVE-2010-0159", "CVE-2009-0773", "CVE-2011-3659", "CVE-2011-3663", "CVE-2010-3131", "CVE-2012-0470", "CVE-2012-0446", "CVE-2008-4063", "CVE-2012-3976", "CVE-2012-1972", "CVE-2010-1200", "CVE-2010-0175", "CVE-2010-0170", "CVE-2012-3988", "CVE-2012-0457", "CVE-2010-3778", "CVE-2012-3994", "CVE-2007-2436", "CVE-2012-3962", "CVE-2010-2770", "CVE-2010-3774", "CVE-2012-0459", "CVE-2011-2362", "CVE-2009-1304", "CVE-2010-1213", "CVE-2010-3177", "CVE-2012-5843", "CVE-2009-1835", "CVE-2011-0085", "CVE-2009-0352", "CVE-2009-3984", "CVE-2009-3380", "CVE-2008-5510", "CVE-2011-0080", "CVE-2012-1950", "CVE-2008-5502", "CVE-2009-3981", "CVE-2010-3765", "CVE-2010-0167", "CVE-2009-3373", "CVE-2009-3980", "CVE-2008-4070", "CVE-2012-4183", "CVE-2010-3178", "CVE-2012-1994", "CVE-2011-3661", "CVE-2009-3383", "CVE-2012-4181", "CVE-2011-3652", "CVE-2009-1311", "CVE-2011-1712", "CVE-2008-4067", "CVE-2010-1210", "CVE-2011-2364", "CVE-2009-2469", "CVE-2011-0073", "CVE-2010-1197", "CVE-2010-1207", "CVE-2009-0652", "CVE-2012-4186", "CVE-2012-1948", "CVE-2008-5012", "CVE-2011-2982", "CVE-2012-1938", "CVE-2012-0449", "CVE-2010-3769", "CVE-2012-3969", "CVE-2009-1838", "CVE-2012-1953", "CVE-2008-5013", "CVE-2012-1949", "CVE-2012-0456", "CVE-2011-2372", "CVE-2010-3773", "CVE-2009-1309", "CVE-2011-0079", "CVE-2010-3169", "CVE-2009-2662", "CVE-2012-3970", "CVE-2011-2997", "CVE-2011-0053", "CVE-2009-1832", "CVE-2012-5840", "CVE-2010-3176", "CVE-2012-4191", "CVE-2010-3174", "CVE-2012-1966", "CVE-2010-3768", "CVE-2009-3372", "CVE-2010-2763", "CVE-2011-0066", "CVE-2010-1212", "CVE-2009-1837", "CVE-2010-1206", "CVE-2010-1211", "CVE-2009-2464", "CVE-2011-2990", "CVE-2010-1121", "CVE-2009-0356", "CVE-2011-3389", "CVE-2010-0164", "CVE-2008-3836", "CVE-2010-3167", "CVE-2012-4202", "CVE-2007-2671", "CVE-2011-2984", "CVE-2010-3180", "CVE-2012-3957", "CVE-2011-3660", "CVE-2009-3986", "CVE-2012-1941", "CVE-2009-2408", "CVE-2010-3399", "CVE-2009-2665", "CVE-2008-4066", "CVE-2008-5018", "CVE-2009-3978", "CVE-2012-3984", "CVE-2009-0354", "CVE-2009-3079", "CVE-2011-0056", "CVE-2012-0444", "CVE-2011-3650", "CVE-2010-2753", "CVE-2012-1946", "CVE-2010-3776", "CVE-2010-1215", "CVE-2012-4182", "CVE-2011-2980", "CVE-2012-4187", "CVE-2008-4069", "CVE-2010-0166", "CVE-2011-3647", "CVE-2011-0065", "CVE-2011-0062", "CVE-2008-0016", "CVE-2009-0358", "CVE-2011-3101", "CVE-2010-3168", "CVE-2010-0173", "CVE-2009-1044", "CVE-2008-5513", "CVE-2008-4059", "CVE-2010-2764", "CVE-2011-0081", "CVE-2009-0771", "CVE-2009-1392", "CVE-2008-5504", "CVE-2008-5019", "CVE-2012-1954", "CVE-2009-0774", "CVE-2009-3375", "CVE-2012-0461", "CVE-2011-2376", "CVE-2009-2472", "CVE-2012-3958", "CVE-2009-0071", "CVE-2008-5023", "CVE-2012-0469", "CVE-2010-3171", "CVE-2009-3072", "CVE-2012-3973", "CVE-2008-5822", "CVE-2012-1975", "CVE-2011-0075", "CVE-2012-0464", "CVE-2012-1967", "CVE-2011-3653", "CVE-2010-0648", "CVE-2010-0178", "CVE-2010-3166", "CVE-2010-0177", "CVE-2011-0074", "CVE-2012-3956", "CVE-2010-2769", "CVE-2011-3649", "CVE-2012-3982", "CVE-2009-3555", "CVE-2011-2989", "CVE-2010-1196", "CVE-2008-3837", "CVE-2009-0357", "CVE-2008-5021", "CVE-2008-5017", "CVE-2012-3966", "CVE-2012-5839", "CVE-2011-2378", "CVE-2009-1308", "CVE-2010-3775", "CVE-2009-2467", "CVE-2012-1961", "CVE-2010-5074", "CVE-2011-2996", "CVE-2010-3173", "CVE-2012-4216", "CVE-2008-4062", "CVE-2010-3179", "CVE-2010-0182", "CVE-2012-3967", "CVE-2011-3651", "CVE-2008-4060", "CVE-2010-0181", "CVE-2012-1951", "CVE-2012-0475", "CVE-2012-3965", "CVE-2012-1952", "CVE-2010-1201", "CVE-2011-4688", "CVE-2009-1306", "CVE-2010-1585", "CVE-2009-2479", "CVE-2012-3959", "CVE-2012-0455", "CVE-2009-0777", "CVE-2010-2755", "CVE-2011-0084", "CVE-2011-0051", "CVE-2010-3767", "CVE-2012-1939", "CVE-2009-1834", "CVE-2010-3771", "CVE-2010-0183", "CVE-2012-0474", "CVE-2012-3975", "CVE-2010-2768", "CVE-2008-5014", "CVE-2008-0367", "CVE-2008-4058", "CVE-2011-3002", "CVE-2012-4184", "CVE-2011-0057", "CVE-2012-0447", "CVE-2011-3232", "CVE-2008-5913", "CVE-2007-3073", "CVE-2012-4205", "CVE-2010-2751", "CVE-2009-1836", "CVE-2011-0069", "CVE-2008-5022", "CVE-2008-5512", "CVE-2012-3992", "CVE-2009-3374", "CVE-2008-5501", "CVE-2008-4068", "CVE-2008-5016", "CVE-2011-3004", "CVE-2012-3980", "CVE-2008-5503", "CVE-2011-2374", "CVE-2012-1955", "CVE-2009-1839", "CVE-2012-1960", "CVE-2012-0445", "CVE-2009-3074", "CVE-2012-1965", "CVE-2011-3670", "CVE-2012-0462", "CVE-2010-1028", "CVE-2010-0162", "CVE-2011-2377", "CVE-2009-2463", "CVE-2009-2061", "CVE-2009-3070", "CVE-2012-3977", "CVE-2011-3000", "CVE-2010-2765", "CVE-2009-3069", "CVE-2010-0171", "CVE-2010-2767", "CVE-2009-0353", "CVE-2011-0078", "CVE-2012-3960", "CVE-2010-3175", "CVE-2009-0775", "CVE-2012-0451", "CVE-2011-3655", "CVE-2012-4180", "CVE-2009-2044", "CVE-2010-3182", "CVE-2009-0776", "CVE-2009-3371", "CVE-2009-3377", "CVE-2012-1959", "CVE-2011-2363", "CVE-2009-3075", "CVE-2010-0163", "CVE-2010-1208", "CVE-2011-0070", "CVE-2012-1947", "CVE-2009-1841", "CVE-2010-3170", "CVE-2011-3005", "CVE-2011-0059", "CVE-2012-1971", "CVE-2009-3983", "CVE-2012-4208", "CVE-2009-3987", "CVE-2011-3658", "CVE-2011-2373", "CVE-2008-5511", "CVE-2012-1957", "CVE-2012-1958", "CVE-2011-0054", "CVE-2012-4190", "CVE-2008-4064", "CVE-2012-1976", "CVE-2011-1187", "CVE-2012-5835", "CVE-2010-3183", "CVE-2009-2654", "CVE-2010-1202", "CVE-2012-0468", "CVE-2009-3982", "CVE-2009-3985", "CVE-2009-2065", "CVE-2009-1313", "CVE-2009-3382", "CVE-2008-5508", "CVE-2012-3972", "CVE-2012-4207", "CVE-2011-2988", "CVE-2010-3770", "CVE-2008-4061", "CVE-2010-1199", "CVE-2012-4204", "CVE-2008-0017", "CVE-2009-3988", "CVE-2010-3400", "CVE-2009-1302", "CVE-2011-2985", "CVE-2009-2466", "CVE-2012-4192", "CVE-2011-0058", "CVE-2011-2987", "CVE-2012-4188", "CVE-2012-0441", "CVE-2008-5024", "CVE-2011-0076", "CVE-2007-2437", "CVE-2012-5833", "CVE-2011-2999", "CVE-2012-3964", "CVE-2012-5841", "CVE-2010-0179", "CVE-2010-1209", "CVE-2010-2754", "CVE-2008-5507", "CVE-2009-2471", "CVE-2012-3990", "CVE-2011-2375", "CVE-2010-1198", "CVE-2008-4065", "CVE-2009-1840", "CVE-2011-3665", "CVE-2009-3381", "CVE-2011-0067", "CVE-2010-2760", "CVE-2012-1937", "CVE-2012-4215", "CVE-2009-2043", "CVE-2009-1307", "CVE-2009-2664", "CVE-2012-0463", "CVE-2010-4508", "CVE-2009-1310", "CVE-2009-3077", "CVE-2011-3003", "CVE-2011-2991", "CVE-2008-5015", "CVE-2011-0082", "CVE-2011-2983", "CVE-2012-4179", "CVE-2008-4582", "CVE-2011-3001", "CVE-2012-1964", "CVE-2009-2462", "CVE-2009-3378", "CVE-2011-3062", "CVE-2009-1303", "CVE-2012-0477", "CVE-2012-0473", "CVE-2012-4194", "CVE-2011-2365", "CVE-2012-4209", "CVE-2012-1963", "CVE-2012-4196", "CVE-2008-5506", "CVE-2009-2404", "CVE-2009-2465", "CVE-2012-0467", "CVE-2011-2981", "CVE-2012-0458", "CVE-2010-0169", "CVE-2010-2752", "CVE-2009-3078", "CVE-2012-0471", "CVE-2012-3961", "CVE-2010-3766", "CVE-2012-3971", "CVE-2008-5052", "CVE-2011-0055", "CVE-2009-1828", "CVE-2011-0072"], "lastseen": "2016-09-06T19:46:13"}]}}
