icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Mozilla Firefox 13.x < 13 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is vulnerable to multiple vulnerabilities.

Description

Versions of Firefox 13.x are potentially affected by the following security issues :

- Several memory safety issues exist, some of which could potentially allow arbitrary code execution. (CVE-2012-1948, CVE-2012-1949)

- An error related to drag and drop can allow incorrect URLs to be displayed. (CVE-2012-1950)

- Several memory safety issues exist related to the Gecko layout engine. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)

- An error related to JavaScript functions 'history.forward' and 'history.back' can allow incorrect URLs to be displayed. (CVE-2012-1955)

- Cross-site scripting attacks are possible due to an error related to the '<embed>' tag within an RSS '<description>' element. (CVE-2012-1957)

- A use-after-free error exists related to the method 'nsGlobalWindow::PageHidden'. (CVE-2012-1958)

- An error exists that can allow 'same-compartment security wrappers' (SCSW) to be bypassed. (CVE-2012-1959)

- An out-of-bounds read error exists related to the color management library (QCMS). (CVE-2012-1960)

- The 'X-Frames-Options' header is ignored if it is duplicated. (CVE-2012-1961)

- A memory corruption error exists related to the method 'JSDependentString::undepend'. (CVE-2012-1962)

- An error related to the 'Content Security Policy' (CSP) implementation can allow the disclosure of OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)

- An error exists related to the 'feed:' URL that can allow cross-site scripting attacks. (CVE-2012-1965)

- Cross-site scripting attacks are possible due to an error related to the 'data:' URL and context menus. (CVE-2012-1966)

- An error exists related to the 'javascript:' URL that can allow scripts to run at elevated privileges outside the sandbox. (CVE-2012-1967)

Solution

Upgrade to Firefox 14.0 or later.