Mozilla Firefox < 26.0 / 24.2 (ESR version) Multiple Vulnerabilities
PVS ID: 8070 FAMILY: Web Clients RISK: HIGH NESSUS ID:71349
Description: Synopsis :

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Versions of Mozilla Firefox earlier than 26.0 (or ESR versions earlier than 24.2) are prone to the following vulnerabilities:

 - Miscellaneous memory safety hazards (CVE-2013-5609, CVE-2013-5610)

 - The Application Installation doorhanger is not properly dismissed, which can be leveraged to trick a user into installing an application from one site while thinking it originated from another (CVE-2013-5611)

 - Potential XSS vulnerability via cross-domain inheritance of charset (CVE-2013-5612)

 - Sandbox restrictions are not properly applied to nested object elements, which could be leveraged to bypass those restrictions (CVE-2013-5614)

 - Use-after-free bugs in event listeners, the table editing user interface, and synthetic mouse movement can lead to a potentially exploitable crash (CVE-2013-5616, CVE-2013-5613, CVE-2013-5618)

 - Binary search algorithms in the JavaScript engine contain potential out-of-bounds array accesses, though these are not directly exploitable (CVE-2013-5619)

 - A segmentation violation when replacing ordered list elements in a document via script can lead to a potentially exploitable crash (CVE-2013-6671)

 - On Linux systems, clipboard content may be made accessible to web content when a user pastes a selection with a middle-click, which can lead to information disclosure (CVE-2013-6672)

 - Extended validation root certificates remain trusted even if the user has explicitly removed the trust (CVE-2013-6673)

 - GetElementIC typed arrays can be generated outside observed typesets, with unknown security impact (CVE-2013-5615)

 - Issues in the JPEG image processing library can allow arbitrary memory to be read, as well as cross-domain theft (CVE-2013-6629, CVE-2013-6630)

 - An intermediate CA chained to a root within Mozilla's root store was revoked for supplying an intermediate certificate that allowed a man-in-the-middle proxy to perform traffic management of domain names and IP addresses the certificate holder did not own or control.

The detected version from the remote host was :
 %L

Solution: Upgrade to Firefox 26.0 (or Firefox ESR versions 24.2, as appropriate), or later.
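As an added example (not Tenable's plugin code), the following Python applies the fixed-version thresholds above to a reported Firefox version, treating any 24.x version as the ESR branch (an assumption, since the page does not say how the plugin distinguishes ESR from mainline):

```python
# Added example, not part of the original plugin: decide whether a reported
# Firefox version is older than the fixed releases named in this advisory
# (26.0 on the mainline branch, 24.2 on the ESR branch).
import re

FIXED_RELEASE = (26, 0)   # first fixed mainline release
FIXED_ESR = (24, 2)       # first fixed ESR release
ESR_MAJOR = 24            # assumption: 24.x is treated as the ESR branch


def parse_version(text):
    """Return a numeric tuple for strings like '24.1.1', '26.0esr' or '27.0a1'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 2:        # so '24' compares like 24.0
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version_text):
    """True if the version is older than the fixed release on its branch."""
    v = parse_version(version_text)
    if v[0] == ESR_MAJOR:
        # 24.x: only 24.2 and later carry the fix.
        return v < FIXED_ESR
    # Every other branch is measured against mainline 26.0.
    return v < FIXED_RELEASE


def firefox_version_from_user_agent(ua):
    """Extract the Firefox version from a User-Agent header, or None."""
    m = re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample User-Agent strings, as a passive sensor might log them.
    samples = [
        "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.1.1",
        "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0",
        "Mozilla/5.0 (Macintosh; rv:25.0) Gecko/20100101 Firefox/25.0.1",
    ]
    for ua in samples:
        ver = firefox_version_from_user_agent(ua)
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```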


Copyright Tenable Network Security Inc. 2014