| VID |
28871 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
A version of Mozilla Firefox which is 21.x before 22.0 has been installed on the host. Mozilla Firefox is an open-source based Web browser, developed by the Mozilla project. Mozilla Firefox 21.x before 22.0 versions are multiple vulnerable to vulnerability.
- Various, unspecified memory safety issues exist. (CVE-2013-1682, CVE-2013-1683)
- Heap-use-after-free errors exist related to 'LookupMediaElementURITable', 'nsIDocument::GetRootElement' and 'mozilla::ResetDir'. (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)
- An error exists related to 'XBL scope', 'System Only Wrappers' (SOW) and chrome-privileged pages that could allow cross-site scripting attacks. (CVE-2013-1687)
- An error exists related to the 'profiler' that could allow arbitrary code execution. (CVE-2013-1688)
- An error related to 'onreadystatechange' and unmapped memory could cause application crashes and allow arbitrary code execution. (CVE-2013-1690)
- The application sends data in the body of XMLHttpRequest (XHR) HEAD requests and could aid in cross-site request forgery attacks. (CVE-2013-1692)
- An error related to the processing of SVG content could allow a timing attack to disclose information across domains. (CVE-2013-1693)
- An error exists related to 'PreserveWrapper' and the 'preserved-wrapper' flag that could cause potentially exploitable application crashes. (CVE-2013-1694)
- An error exists related to '<iframe sandbox>' restrictions that could allow a bypass of these restrictions. (CVE-2013-1695)
- The 'X-Frame-Options' header is ignored in certain situations and can aid in click-jacking attacks. (CVE-2013-1696)
- An error exists related to the 'toString' and 'valueOf' methods that could allow 'XrayWrappers' to be bypassed. (CVE-2013-1697)
- An error exists related to the 'getUserMedia' permission dialog that could allow a user to be tricked into giving access to unintended domains. (CVE-2013-1698)
- Homograph domain spoofing protection is incomplete and certain attacks are still possible using Internationalized Domain Names (IDN). (CVE-2013-1699)
- An error exists related to the 'Mozilla Maintenance Service' on Windows that could allow insecure updates. (CVE-2013-1700)
* Note: This check requires an account with Guest or upper privileges which can access the registry of the remote host to scan. Absence of this condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://www.mozilla.org/security/announce/2013/mfsa2013-49.html
http://www.mozilla.org/security/announce/2013/mfsa2013-50.html
http://www.mozilla.org/security/announce/2013/mfsa2013-51.html
http://www.mozilla.org/security/announce/2013/mfsa2013-52.html
http://www.mozilla.org/security/announce/2013/mfsa2013-53.html
http://www.mozilla.org/security/announce/2013/mfsa2013-54.html
http://www.mozilla.org/security/announce/2013/mfsa2013-55.html
http://www.mozilla.org/security/announce/2013/mfsa2013-56.html
http://www.mozilla.org/security/announce/2013/mfsa2013-57.html
http://www.mozilla.org/security/announce/2013/mfsa2013-58.html
http://www.mozilla.org/security/announce/2013/mfsa2013-59.html
http://www.mozilla.org/security/announce/2013/mfsa2013-60.html
http://www.mozilla.org/security/announce/2013/mfsa2013-61.html
http://www.mozilla.org/security/announce/2013/mfsa2013-62.html
* Platforms Affected:
Mozilla Foundation, Firefox versions 21.x prior to 22.0
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Firefox (22.0 or later), available from the Mozilla Web site at http://www.mozilla.com/firefox/ |
| Related URL |
CVE-2013-1682,CVE-2013-1683,CVE-2013-1684,CVE-2013-1685,CVE-2013-1686,CVE-2013-1687,CVE-2013-1688,CVE-2013-1690,CVE-2013-1692,CVE-2013-1693 (CVE) |
| Related URL |
60765,60766,60768,60773,60774,60776,60777,60778,60779,60783,60784,60785,60787,60688,60789,60790,60791 (SecurityFocus) |
| Related URL |
(ISS) |
|
