Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.

Versions of Mozilla Firefox ESR prior to 31.5.3are affected by a privilege escalation vulnerability due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context.  

Versions of SeaMonkey earlier than 2.33.1 are unpatched against the following vulnerabilities : 

 - A remote code execution vulnerability exists due to an out-of-bounds error in typed array bounds checking within 'asmjs/AsmJSValidate.cpp', which relates to just-in-time compilation for JavaScript. A remote attacker, using a specially crafted web page, can exploit this to execute arbitrary code by reading and writing to memory. (CVE-2015-0817)

 - A privilege escalation vulnerability exists due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context. (CVE-2015-0818)

Versions of Mozilla Firefox earlier than 36.0.4 are affected by a privilege escalation vulnerability due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context.  

The remote host is affected by the vulnerability described in GLSA-201504-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, Thunderbird,       and SeaMonkey. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms,  or have other unspecified       impact.
  Workaround :

    There are no known workarounds at this time.

SeaMonkey was updated to 2.33.1 to fix several vulnerabilities.

The following vulnerabilities were fixed :

  - Privilege escalation through SVG navigation     (CVE-2015-0818)

  - Code execution through incorrect JavaScript bounds     checking elimination (CVE-2015-0817)

Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0817, CVE-2015-0818)

After installing the update, Firefox must be restarted for the changes to take effect.

MozillaFirefox was updated to Firefox 36.0.4 to fix two critical security issues found during Pwn2Own :

  - MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege     escalation through SVG navigation

  - MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution     through incorrect JavaScript bounds checking elimination

Als fixed were the following bugs :

  - Copy the icons to /usr/share/icons instead of symlinking     them: in preparation for containerized apps (e.g.
    xdg-app) as well as AppStream metadata extraction, there     are a couple locations that need to be real files for     system integration (.desktop files, icons, mime-type     info).

  - update to Firefox 36.0.1 Bugfixes :

  - Disable the usage of the ANY DNS query type     (bmo#1093983)

  - Hello may become inactive until restart (bmo#1137469)

  - Print preferences may not be preserved (bmo#1136855)

  - Hello contact tabs may not be visible (bmo#1137141)

  - Accept hostnames that include an underscore character     ('_') (bmo#1136616)

  - WebGL may use significant memory with Canvas2d     (bmo#1137251)

  - Option -remote has been restored (bmo#1080319)

Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0817, CVE-2015-0818)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges ilxu1a and Mariusz Mlynski as the original reporters of these issues.

All Firefox users should upgrade to these updated packages, which contain Firefox version 31.5.3 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

Mozilla Firefox was updated to the 31.5.3ESR release to fix two security vulnerabilities :

  - Security researcher ilxu1a reported, through HP Zero Day     Initiative's Pwn2Own contest, a flaw in Mozilla's     implementation of typed array bounds checking in     JavaScript just-in-time compilation (JIT) and its     management of bounds checking for heap access. This flaw     can be leveraged into the reading and writing of memory     allowing for arbitary code execution on the local     system. (MFSA 2015-29 / CVE-2015-0817)

  - Security researcher Mariusz Mlynski reported, through HP     Zero Day Initiative's Pwn2Own contest, a method to run     arbitrary scripts in a privileged context. This bypassed     the same-origin policy protections by using a flaw in     the processing of SVG format content navigation. (MFSA     2015-28 / CVE-2015-0818)

From Red Hat Security Advisory 2015:0718 :

Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0817, CVE-2015-0818)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges ilxu1a and Mariusz Mlynski as the original reporters of these issues.

All Firefox users should upgrade to these updated packages, which contain Firefox version 31.5.3 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

The version of Mozilla SeaMonkey installed on the remote host is prior to 2.33.1. It is, therefore, affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists due to an     out-of-bounds error in typed array bounds checking     within 'asmjs/AsmJSValidate.cpp', which relates to     just-in-time compilation for JavaScript. A remote     attacker, using a specially crafted web page, can     exploit this to execute arbitrary code by reading and     writing to memory. (CVE-2015-0817)

  - A privilege escalation vulnerability exists due to a     flaw within 'docshell/base/nsDocShell.cpp', which     relates to SVG format content navigation. A remote     attacker can exploit this to bypass same-origin policy     protections, allowing a possible execution of arbitrary     scripts in a privileged context. (CVE-2015-0818)

The version of Mozilla Firefox installed on the remote Windows host is prior to 36.0.4. It is, therefore, affected by a privilege escalation vulnerability due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context.

The version of Mozilla Firefox ESR 31.x installed on the remote Windows host is prior to 31.5.3. It is, therefore, affected by a privilege escalation vulnerability due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context.

The version of Mozilla Firefox installed on the remote Mac OS X host is prior to 36.0.4. It is, therefore, affected by a privilege escalation vulnerability due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context.

The version of Mozilla Firefox ESR 31.x installed on the remote Mac OS X host is prior to 31.5.3. It is, therefore, affected by a privilege escalation vulnerability due to a flaw within 'docshell/base/nsDocShell.cpp', which relates to SVG format content navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context.

A flaw was discovered in the implementation of typed array bounds checking in the JavaScript just-in-time compilation. If a user were tricked in to opening a specially crafted website, an attacked could exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0817)

Mariusz Mlynski discovered a flaw in the processing of SVG format content navigation. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to run arbitrary script in a privileged context. (CVE-2015-0818).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Mozilla Project reports :

MFSA-2015-28 Privilege escalation through SVG navigation

MFSA-2015-29 Code execution through incorrect JavaScript bounds checking elimination

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2015-0817     ilxu1a reported a flaw in Mozilla's implementation of     typed array bounds checking in JavaScript just-in-time     compilation (JIT) and its management of bounds checking     for heap access. This flaw can be leveraged into the     reading and writing of memory allowing for arbitary code     execution on the local system.

  - CVE-2015-0818     Mariusz Mlynski discovered a method to run arbitrary     scripts in a privileged context. This bypassed the     same-origin policy protections by using a flaw in the     processing of SVG format content navigation.

ID	Name	Product	Family	Severity
701252	Mozilla Firefox ESR < 31.5.3 SVG Bypass Privilege Escalation	Nessus Network Monitor	Web Clients	high
8686	SeaMonkey < 2.33.1	Nessus Network Monitor	Web Clients	high
8685	Mozilla Firefox < 36.0.4 SVG Bypass Privilege Escalation	Nessus Network Monitor	Web Clients	high
82632	GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
82463	openSUSE Security Update : seamonkey (openSUSE-2015-279)	Nessus	SuSE Local Security Checks	high
82264	Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150324)	Nessus	Scientific Linux Local Security Checks	high
82247	openSUSE Security Update : MozillaFirefox (openSUSE-2015-263)	Nessus	SuSE Local Security Checks	high
82083	CentOS 5 / 6 / 7 : firefox (CESA-2015:0718)	Nessus	CentOS Local Security Checks	high
82068	SuSE 11.3 Security Update : Mozilla Firefox (SAT Patch Number 10524)	Nessus	SuSE Local Security Checks	high
82067	RHEL 5 / 6 / 7 : firefox (RHSA-2015:0718)	Nessus	Red Hat Local Security Checks	high
82065	Oracle Linux 5 / 6 / 7 : firefox (ELSA-2015-0718)	Nessus	Oracle Linux Local Security Checks	high
82042	SeaMonkey < 2.33.1 Multiple Vulnerabilities	Nessus	Windows	high
82041	Firefox < 36.0.4 SVG Bypass Privilege Escalation	Nessus	Windows	high
82039	Firefox ESR 31.x < 31.5.3 SVG Bypass Privilege Escalation	Nessus	Windows	high
82037	Firefox < 36.0.4 SVG Bypass Privilege Escalation (Mac OS X)	Nessus	MacOS X Local Security Checks	high
82035	Firefox ESR 31.x < 31.5.3 SVG Bypass Privilege Escalation (Mac OS X)	Nessus	MacOS X Local Security Checks	high
82022	Ubuntu 14.04 LTS : Firefox vulnerabilities (USN-2538-1)	Nessus	Ubuntu Local Security Checks	critical
82002	FreeBSD : mozilla -- multiple vulnerabilities (76ff65f4-17ca-4d3f-864a-a3d6026194fb)	Nessus	FreeBSD Local Security Checks	high
81999	Debian DSA-3201-1 : iceweasel - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2015-0818

critical

Tenable Plugins

high

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

critical

high

high