SeaMonkey < 2.24 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 8099

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of SeaMonkey earlier than 2.24 are prone to the following vulnerabilities:

- Memory issues exist in the browser engine that could result in a denial of service or arbitrary code execution. (CVE-2014-1477, CVE-2014-1478)

- An error exists related to System Only Wrappers (SOW) and the XML Binding Language (XBL) that could allow XUL content to be disclosed. (CVE-2014-1479)

- An error exists related to the 'open file' dialog that could allow users to take unintended actions. (CVE-2014-1480)

- An error exists related to the JavaScript engine and 'window' object handling that has unspecified impact. (CVE-2014-1481)

- An error exists related to 'RasterImage' and image decoding that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1482)

- Errors exist related to IFrames, 'document.caretPositionFromPoint' and 'document.elementFromPoint' that could allow cross-origin information disclosure. (CVE-2014-1483)

- An error exists related to the Content Security Policy (CSP) and XSLT stylesheets that could allow unintended script execution. (CVE-2014-1485)

- A use-after-free error exists related to image handling and 'imgRequestProxy' that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1486)

- An error exists related to 'web workers' that could allow cross-origin information disclosure. (CVE-2014-1487)

- An error exists related to 'web workers' and 'asm.js' that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1488)

- Errors exist related to the included Network Security Services (NSS) libraries, 'NewSessionTicket' handshakes and public Diffie-Hellman values that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1490, CVE-2014-1491)

Solution

Upgrade to SeaMonkey 2.24, or later.

See Also

http://www.mozilla.org/security/announce/2014/mfsa2014-13.html

http://www.mozilla.org/security/announce/2014/mfsa2014-08.html

http://www.mozilla.org/security/announce/2014/mfsa2014-01.html

http://www.mozilla.org/security/announce/2014/mfsa2014-02.html

http://www.mozilla.org/security/announce/2014/mfsa2014-04.html

http://www.mozilla.org/security/announce/2014/mfsa2014-09.html

http://www.mozilla.org/security/announce/2014/mfsa2014-12.html

http://www.mozilla.org/security/announce/2014/mfsa2014-03.html

http://www.mozilla.org/security/announce/2014/mfsa2014-05.html

http://www.mozilla.org/security/announce/2014/mfsa2014-07.html

http://www.mozilla.org/security/announce/2014/mfsa2014-11.html

Plugin Details

Severity: High

ID: 8099

Family: Web Clients

Published: 2/5/2014

Updated: 3/6/2019

Nessus ID: 72331

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:seamonkey

Patch Publication Date: 2/4/2014

Vulnerability Publication Date: 2/4/2014

Reference Information

CVE: CVE-2014-1477, CVE-2014-1478, CVE-2014-1479, CVE-2014-1480, CVE-2014-1481, CVE-2014-1482, CVE-2014-1483, CVE-2014-1485, CVE-2014-1486, CVE-2014-1487, CVE-2014-1488, CVE-2014-1490, CVE-2014-1491

BID: 65332, 65335, 65316, 65317, 65320, 65321, 65322, 65324, 65326, 65328, 65329, 65330, 65331, 65334