97940

1038320

https://bugzilla.mozilla.org/show_bug.cgi?id=1338867

https://www.mozilla.org/security/advisories/mfsa2017-10/

Versions of Mozilla Firefox prior to 53 are unpatched for the following vulnerabilities :

 - A use-after-free error exists that is related to certain text input selections. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5432)
 - A use-after-free error exists in the SMIL animation functions. The issue is triggered when handling animation elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5433)
 - A use-after-free error exists that is triggered when redirecting focus handling. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5434)
 - A use-after-free error exists that is triggered when processing transactions in the editor during design mode interactions. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5435)
 - A use-after-free error exists in the 'nsAutoPtr()' function that is triggered during XSLT processing. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5438)
 - A use-after-free error exists in the 'Length()' function in 'nsTArray' that is triggered when handling template parameters during XSLT processing. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5439)
 - A use-after-free error exists in the 'txExecutionState' destructor that is triggered during the processing of XSLT content. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5440)
 - A use-after-free error exists that is triggered when holding a selection during scroll events. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5441)
 - A use-after-free error exists that is triggered when changing styles in DOM elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5442)
 - An out-of-bounds write flaw exists that is triggered during the decoding of improperly formed BinHex format archives. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-5443)
 - An overflow condition exists that is triggered as certain input is not properly validated when parsing 'application/http-index-format' content. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2017-5444)
 - A flaw exists in 'nsDirIndexParser.cpp' related to the use of uninitialized data. The issue is triggered when parsing 'application/http-index-format' content. This may allow a context-dependent attacker to disclose memory contents. (CVE-2017-5445)
 - An out-of-bounds read flaw exists that is triggered when handling HTTP/2 DATA connections that send DATA frames with incorrect data content. This may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2017-5446)
 - An out-of-bounds read flaw exists that is triggered when processing glyph widths during text layouts. This may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2017-5447)
 - An out-of-bounds write flaw exists in the 'ClearKeyDecryptor::Decrypt()' function in 'ClearKeyDecryptionManager.cpp' that is triggered when decrypting Clearkey-encrypted media content. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-5448)
 - A flaw exists that is triggered during the handling of bidirectional unicode text with CSS animations. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-5449)
 - A flaw exists that is triggered during the parsing of base domains that contain 'javascript: URI'. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5450)
 - A flaw exists that is triggered during the handling of a specially crafted 'onblur' event. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5451)
 - A flaw exists that is triggered when selecting an HTML editable page element while the existing location bar has been scrolled out of view. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5452)
 - A flaw exists in the RSS reader preview page that is triggered as input supplied via URL parameters is not properly sanitized. This may allow a context-dependent attacker to spoof the 'TITLE' element. (CVE-2017-5453)
 - A flaw exists in the 'FileSystemSecurity::Forget()' function in 'FileSystemSecurity.cpp'. The issue is triggered as input containing path traversal style sequences (e.g. '../') is not properly sanitized when using the File Picker. This may allow a context-dependent attacker to bypass file system access protections and read arbitrary files from the local file system. (CVE-2017-5454)
 - An unspecified flaw exists in the internal feed reader APIs that is triggered when handling messages. This may allow a context-dependent attacker to bypass the sandbox. (CVE-2017-5455)
 - A flaw exists in the Entries API that is triggered when using a file system request constructor through an IPC message. This may allow a context-dependent attacker to bypass the file system access protections and gain read and write access to the local file system. (CVE-2017-5456)
 - A flaw exists that allows a reflected XSS attack. This flaw exists because the program does not validate input when dragging and dropping a 'javascript: URL' into the address bar. This may allow a context-dependent attacker to create a specially crafted request that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2017-5458)
 - An overflow condition exists in WebGL. The issue is triggered as certain input is not properly validated when handling web content. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2017-5459)
 - A use-after-free error exists in frame selection that is triggered when handling a combination of malicious script content and key presses. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5460)
 - An overflow condition exists in Base64 decoding. The issue is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2017-5461)
 - A flaw exists in the DRBG number generation that is triggered as internal state V does not correctly carry bits over. This may result in potentially predictable random number generation. (CVE-2017-5462)
 - A flaw exists that is triggered during the handling of a specially crafted URL with android intents. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5463)
 - A flaw exists that is triggered as certain input is not properly validated when making changes to DOM content in the accessibility tree. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-5464)
 - An out-of-bounds read flaw exists in 'ConvolvePixel' that is triggered when processing specially crafted SVG content. This may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2017-5465)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when handling 'data:text/html' URL redirects before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2017-5466)
 - A flaw exists that is triggered as certain input is not properly validated when rendering Skia content outside of the bounds of a clipping region. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-5467)
 - A flaw exists in developer tools that is triggered as ownership models are incorrectly applied. This may allow a context-dependent attacker to cause a crash. (CVE-2017-5468)
 - Multiple overflow conditions exist in the FLEX generated code. The issue is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2017-5469)
 - Multiple unspecified flaws exist that are triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-5429 ,CVE-2017-5430)

Mozilla Foundation reports :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
700065	Mozilla Firefox < 53 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
99496	FreeBSD : mozilla -- multiple vulnerabilities (5e0a038a-ca30-416d-a2f5-38cbf5e7df33)	Nessus	FreeBSD Local Security Checks	high

CVE-2017-5463

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins