openSUSE-SU-2020:0983

openSUSE-SU-2020:1017

https://bugzilla.mozilla.org/show_bug.cgi?id=1634738

GLSA-202007-10

https://www.mozilla.org/security/advisories/mfsa2020-24/

The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14421-1 advisory.

  - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean     Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform     electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.
    *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,     but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)

  - When %2F was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed     a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests     for the top level directory. This vulnerability affects Firefox < 78. (CVE-2020-12415)

  - A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink,     resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability     affects Firefox < 78. (CVE-2020-12416)

  - Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier,     resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox     on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird <     68.10.0. (CVE-2020-12417)

  - Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process     memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and     Thunderbird < 68.10.0. (CVE-2020-12418)

  - When processing callbacks that occurred during window flushing in the parent process, the associated     window may die; causing a use-after-free condition. This could have led to memory corruption and a     potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and     Thunderbird < 68.10.0. (CVE-2020-12419)

  - When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer,     leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR <     68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12420)

  - When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even     if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date     silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78,     and Thunderbird < 68.10.0. (CVE-2020-12421)

  - In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable     to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
    This vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When the Windows DLL webauthn.dll was missing from the Operating System, and a malicious one was placed     in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution.
    *Note: This issue only affects the Windows operating system; other operating systems are unaffected.* This     vulnerability affects Firefox < 78. (CVE-2020-12423)

  - When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI     was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing     the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)

  - Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - Mozilla developers and community members reported memory safety bugs present in Firefox 77. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Firefox < 78. (CVE-2020-12426)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has firefox packages installed that are affected by multiple vulnerabilities:

  - In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in     an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR <     78.4.1, and Thunderbird < 78.4.2. (CVE-2020-26950)

  - Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using     the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
    (CVE-2020-15648)

  - In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable     to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
    This vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI     was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing     the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)

  - Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This     could have led to security issues for websites relying on sandbox configurations that allowed popups and     hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird <     78.1. (CVE-2020-15653)

  - JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk     was already mitigated by various precautions in the code, resulting in this bug rated at only moderate     severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
    (CVE-2020-15656)

  - The code for downloading files did not properly take care of special characters, which led to an attacker     being able to cut off the file ending at an earlier position, leading to a different file type being     downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and     Thunderbird < 78.1. (CVE-2020-15658)

  - When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user     is interacting with the user interface, when they are not. This could lead to a perceived broken state,     especially when interactions with existing browser dialogs and warnings do not work. This vulnerability     affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15654)

  - By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site     displayed in the download file dialog to show the original site (the one suffering from the open redirect)     rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81,     Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15677)

  - Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove,     resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable     element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
    (CVE-2020-15676)

  - When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in     a potential use-after-free. This occurs because the function     APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This     vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15678)

  - Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and     Firefox ESR < 78.3. (CVE-2020-15673)

  - Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR     78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some     of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4,     Firefox < 82, and Thunderbird < 78.4. (CVE-2020-15683)

  - Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (CVE-2020-15969)

  - A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even     after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal     pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox <     83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26951)

  - Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote     attacker to leak cross-origin data via a crafted HTML page. (CVE-2020-16012)

  - It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus     making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects     Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26953)

  - In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and     therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird <     78.5. (CVE-2020-26956)

  - Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and     cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a     Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and     Thunderbird < 78.5. (CVE-2020-26958)

  - During browser shutdown, reference decrementing could have occured on a previously freed object, resulting     in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects     Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26959)

  - If the Compact() method was called on an nsTArray, the array could have been reallocated without updating     other pointers, leading to a potential use-after-free and exploitable crash. This vulnerability affects     Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26960)

  - When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses     as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through     IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This     vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. (CVE-2020-26961)

  - Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and     Thunderbird < 78.5. (CVE-2020-26968)

  - Some websites have a feature Show Password where clicking a button will change a password field into a     textbook field, revealing the typed password. If, when using a software keyboard that remembers user     input, a user typed their password and used that feature, the type of the password field was changed,     resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed     password. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
    (CVE-2020-26965)

  - Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow     on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR <     78.6. (CVE-2020-26971)

  - Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This     could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6,     and Firefox ESR < 78.6. (CVE-2020-26973)

  - When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly     cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially     exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.
    (CVE-2020-26974)

  - Using techniques that built on the slipstream research, a malicious webpage could have exposed both an     internal network's hosts as well as services running on the user's local machine. This vulnerability     affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26978)

  - Uninitialized Use in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to obtain     potentially sensitive information from process memory via a crafted HTML page. (CVE-2020-16042)

  - When an extension with the proxy permission registered to receive , the proxy.onRequest callback     was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening     View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84,     Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35111)

  - Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and     Firefox ESR < 78.6. (CVE-2020-35113)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 6.02, has firefox packages installed that are affected by multiple vulnerabilities:

  - Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (CVE-2020-6463)

  - Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a     privileged network position to potentially exploit heap corruption via a crafted SCTP stream.
    (CVE-2020-6514)

  - By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a     cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability     affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird <     78.1. (CVE-2020-15652)

  - Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR     78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some     of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox     ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. (CVE-2020-15659)

  - Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using     the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
    (CVE-2020-15648)

  - In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable     to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
    This vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI     was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing     the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)

  - Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This     could have led to security issues for websites relying on sandbox configurations that allowed popups and     hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird <     78.1. (CVE-2020-15653)

  - JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk     was already mitigated by various precautions in the code, resulting in this bug rated at only moderate     severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
    (CVE-2020-15656)

  - The code for downloading files did not properly take care of special characters, which led to an attacker     being able to cut off the file ending at an earlier position, leading to a different file type being     downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and     Thunderbird < 78.1. (CVE-2020-15658)

  - When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user     is interacting with the user interface, when they are not. This could lead to a perceived broken state,     especially when interactions with existing browser dialogs and warnings do not work. This vulnerability     affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15654)

  - By holding a reference to the eval() function from an about:blank window, a malicious webpage could have     gained access to the InstallTrigger object which would allow them to prompt the user to install an     extension. Combined with user confusion, this could result in an unintended or malicious extension being     installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR <     68.12, Firefox ESR < 78.2, and Firefox for Android < 80. (CVE-2020-15664)

  - When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to     be notified. This results in a use-after-free and we presume that with enough effort it could have been     exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.12 and Thunderbird < 68.12.
    (CVE-2020-15669)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2020:3557 advisory.

  - Mozilla: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422)

  - Mozilla: WebRTC permission prompt could have been bypassed by a compromised content process     (CVE-2020-12424)

  - Mozilla: Out of bound read in Date.parse() (CVE-2020-12425)

  - Mozilla: X-Frame-Options bypass using object or embed tags (CVE-2020-15648)

  - Mozilla: Bypassing iframe sandbox when allowing popups (CVE-2020-15653)

  - Mozilla: Custom cursor can overlay user interface (CVE-2020-15654)

  - Mozilla: Type confusion for special arguments in IonMonkey (CVE-2020-15656)

  - Mozilla: Overriding file type when saving to disk (CVE-2020-15658)

  - Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664)

  - Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:4080 advisory.

  - Mozilla: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422)

  - Mozilla: WebRTC permission prompt could have been bypassed by a compromised content process     (CVE-2020-12424)

  - Mozilla: Out of bound read in Date.parse() (CVE-2020-12425)

  - Mozilla: X-Frame-Options bypass using object or embed tags (CVE-2020-15648)

  - Mozilla: Bypassing iframe sandbox when allowing popups (CVE-2020-15653)

  - Mozilla: Custom cursor can overlay user interface (CVE-2020-15654)

  - Mozilla: Type confusion for special arguments in IonMonkey (CVE-2020-15656)

  - Mozilla: Overriding file type when saving to disk (CVE-2020-15658)

  - Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 (CVE-2020-15673)

  - Mozilla: XSS when pasting attacker-controlled data into a contenteditable element (CVE-2020-15676)

  - Mozilla: Download origin spoofing via redirect (CVE-2020-15677)

  - Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in     a potential use-after-free scenario (CVE-2020-15678)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - Mozilla: Memory safety bugs fixed in Firefox 81 and     Firefox ESR 78.3 (CVE-2020-15673)

  - Mozilla: Integer overflow in     nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422)

  - Mozilla: X-Frame-Options bypass using object or embed     tags (CVE-2020-15648)

  - Mozilla: Bypassing iframe sandbox when allowing popups     (CVE-2020-15653)

  - Mozilla: Type confusion for special arguments in     IonMonkey (CVE-2020-15656)

  - Mozilla: XSS when pasting attacker-controlled data into     a contenteditable element (CVE-2020-15676)

  - Mozilla: Download origin spoofing via redirect     (CVE-2020-15677)

  - Mozilla: When recursing through layers while scrolling,     an iterator may have become invalid, resulting in a     potential use-after-free scenario (CVE-2020-15678)

  - Mozilla: WebRTC permission prompt could have been     bypassed by a compromised content process     (CVE-2020-12424)

  - Mozilla: Out of bound read in Date.parse()     (CVE-2020-12425)

  - Mozilla: Custom cursor can overlay user interface     (CVE-2020-15654)

  - Mozilla: Overriding file type when saving to disk     (CVE-2020-15658)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-4080 advisory.

  - In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable     to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
    This vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI     was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing     the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)

  - Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using     the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
    (CVE-2020-15648)

  - An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This     could have led to security issues for websites relying on sandbox configurations that allowed popups and     hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird <     78.1. (CVE-2020-15653)

  - When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user     is interacting with the user interface, when they are not. This could lead to a perceived broken state,     especially when interactions with existing browser dialogs and warnings do not work. This vulnerability     affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15654)

  - JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk     was already mitigated by various precautions in the code, resulting in this bug rated at only moderate     severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
    (CVE-2020-15656)

  - The code for downloading files did not properly take care of special characters, which led to an attacker     being able to cut off the file ending at an earlier position, leading to a different file type being     downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and     Thunderbird < 78.1. (CVE-2020-15658)

  - Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and     Firefox ESR < 78.3. (CVE-2020-15673)

  - Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove,     resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable     element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
    (CVE-2020-15676)

  - By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site     displayed in the download file dialog to show the original site (the one suffering from the open redirect)     rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81,     Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15677)

  - When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in     a potential use-after-free. This occurs because the function     APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This     vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. (CVE-2020-15678)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-3557 advisory.

  - In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable     to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
    This vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI     was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing     the prompt. This vulnerability affects Firefox < 78. (CVE-2020-12424)

  - Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using     the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
    (CVE-2020-15648)

  - An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This     could have led to security issues for websites relying on sandbox configurations that allowed popups and     hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird <     78.1. (CVE-2020-15653)

  - When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user     is interacting with the user interface, when they are not. This could lead to a perceived broken state,     especially when interactions with existing browser dialogs and warnings do not work. This vulnerability     affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. (CVE-2020-15654)

  - JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk     was already mitigated by various precautions in the code, resulting in this bug rated at only moderate     severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
    (CVE-2020-15656)

  - The code for downloading files did not properly take care of special characters, which led to an attacker     being able to cut off the file ending at an earlier position, leading to a different file type being     downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and     Thunderbird < 78.1. (CVE-2020-15658)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:3557 advisory.

  - Mozilla: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422)

  - Mozilla: WebRTC permission prompt could have been bypassed by a compromised content process     (CVE-2020-12424)

  - Mozilla: Out of bound read in Date.parse() (CVE-2020-12425)

  - Mozilla: X-Frame-Options bypass using object or embed tags (CVE-2020-15648)

  - Mozilla: Bypassing iframe sandbox when allowing popups (CVE-2020-15653)

  - Mozilla: Custom cursor can overlay user interface (CVE-2020-15654)

  - Mozilla: Type confusion for special arguments in IonMonkey (CVE-2020-15656)

  - Mozilla: Overriding file type when saving to disk (CVE-2020-15658)

  - Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664)

  - Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:3559 advisory.

  - Mozilla: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422)

  - Mozilla: WebRTC permission prompt could have been bypassed by a compromised content process     (CVE-2020-12424)

  - Mozilla: Out of bound read in Date.parse() (CVE-2020-12425)

  - Mozilla: X-Frame-Options bypass using object or embed tags (CVE-2020-15648)

  - Mozilla: Bypassing iframe sandbox when allowing popups (CVE-2020-15653)

  - Mozilla: Custom cursor can overlay user interface (CVE-2020-15654)

  - Mozilla: Type confusion for special arguments in IonMonkey (CVE-2020-15656)

  - Mozilla: Overriding file type when saving to disk (CVE-2020-15658)

  - Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664)

  - Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:3555 advisory.

  - Mozilla: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422)

  - Mozilla: WebRTC permission prompt could have been bypassed by a compromised content process     (CVE-2020-12424)

  - Mozilla: Out of bound read in Date.parse() (CVE-2020-12425)

  - Mozilla: X-Frame-Options bypass using object or embed tags (CVE-2020-15648)

  - Mozilla: Bypassing iframe sandbox when allowing popups (CVE-2020-15653)

  - Mozilla: Custom cursor can overlay user interface (CVE-2020-15654)

  - Mozilla: Type confusion for special arguments in IonMonkey (CVE-2020-15656)

  - Mozilla: Overriding file type when saving to disk (CVE-2020-15658)

  - Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664)

  - Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202007-10 (Mozilla Firefox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox. Please       review the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues :

Security issues fixed :

  - CVE-2020-12415: AppCache manifest poisoning due to url     encoded character processing (bsc#1173576).

  - CVE-2020-12416: Use-after-free in WebRTC     VideoBroadcaster (bsc#1173576).

  - CVE-2020-12417: Memory corruption due to missing     sign-extension for ValueTags on ARM64 (bsc#1173576).

  - CVE-2020-12418: Information disclosure due to     manipulated URL object (bsc#1173576).

  - CVE-2020-12419: Use-after-free in nsGlobalWindowInner     (bsc#1173576).

  - CVE-2020-12420: Use-After-Free when trying to connect to     a STUN server (bsc#1173576).

  - CVE-2020-12402: RSA Key Generation vulnerable to     side-channel attack (bsc#1173576).

  - CVE-2020-12421: Add-On updates did not respect the same     certificate trust rules as software updates     (bsc#1173576).

  - CVE-2020-12422: Integer overflow in     nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).

  - CVE-2020-12423: DLL Hijacking due to searching %PATH%     for a library (bsc#1173576).

  - CVE-2020-12424: WebRTC permission prompt could have been     bypassed by a compromised content process (bsc#1173576).

  - CVE-2020-12425: Out of bound read in Date.parse()     (bsc#1173576).

  - CVE-2020-12426: Memory safety bugs fixed in Firefox 78     (bsc#1173576).

  - FIPS: MozillaFirefox: allow     /proc/sys/crypto/fips_enabled (bsc#1167231).

Non-security issues fixed :

  - Fixed interaction with freetype6 (bsc#1173613).

This update was imported from the SUSE:SLE-15:Update update project.

The version of Thunderbird installed on the remote Windows host is prior to 78.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-29 advisory.

  - When %2F was present in a manifest URL, Firefox's     AppCache behavior may have become confused and allowed a     manifest to be served from a subdirectory. This could     cause the appcache to be used to service requests for     the top level directory. This vulnerability affects     Firefox < 78. (CVE-2020-12415)

  - A VideoStreamEncoder may have been freed in a race     condition with VideoBroadcaster::AddOrUpdateSink,     resulting in a use-after-free, memory corruption, and a     potentially exploitable crash. This vulnerability     affects Firefox < 78. (CVE-2020-12416)

  - Due to confusion about ValueTags on JavaScript Objects,     an object may pass through the type barrier, resulting     in memory corruption and a potentially exploitable     crash. *Note: this issue only affects Firefox on ARM64     platforms.* This vulnerability affects Firefox ESR <     68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12417)

  - Manipulating individual parts of a URL object could have     caused an out-of-bounds read, leaking process memory to     malicious JavaScript. This vulnerability affects Firefox     ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12418)

  - When processing callbacks that occurred during window     flushing in the parent process, the associated window     may die; causing a use-after-free condition. This could     have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Firefox     ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12419)

  - When trying to connect to a STUN server, a race     condition could have caused a use-after-free of a     pointer, leading to memory corruption and a potentially     exploitable crash. This vulnerability affects Firefox     ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12420)

  - During RSA key generation, bignum implementations used a     variation of the Binary Extended Euclidean Algorithm     which entailed significantly input-dependent flow. This     allowed an attacker able to perform electromagnetic-     based side channel attacks to record traces leading to     the recovery of the secret primes. *Note:* An unmodified     Firefox browser does not generate RSA keys in normal     operation and is not affected, but products built on top     of it might. This vulnerability affects Firefox < 78.
    (CVE-2020-12402)

  - When performing add-on updates, certificate chains     terminating in non-built-in-roots were rejected (even if     they were legitimately added by an administrator.) This     could have caused add-ons to become out-of-date silently     without notification to the user. This vulnerability     affects Firefox ESR < 68.10, Firefox < 78, and     Thunderbird < 68.10.0. (CVE-2020-12421)

  - In non-standard configurations, a JPEG image created by     JavaScript could have caused an internal variable to     overflow, resulting in an out of bounds write, memory     corruption, and a potentially exploitable crash. This     vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When the Windows DLL webauthn.dll was missing from the     Operating System, and a malicious one was placed in a     folder in the user's %PATH%, Firefox may have loaded the     DLL, leading to arbitrary code execution. *Note: This     issue only affects the Windows operating system; other     operating systems are unaffected.* This vulnerability     affects Firefox < 78. (CVE-2020-12423)

  - When constructing a permission prompt for WebRTC, a URI     was supplied from the content process. This URI was     untrusted, and could have been the URI of an origin that     was previously granted permission; bypassing the prompt.
    This vulnerability affects Firefox < 78.
    (CVE-2020-12424)

  - Due to confusion processing a hyphen character in     Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure.
    This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 77. Some of these bugs     showed evidence of memory corruption and we presume that     with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability     affects Firefox < 78. (CVE-2020-12426)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 78.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-29 advisory.

  - When %2F was present in a manifest URL, Firefox's     AppCache behavior may have become confused and allowed a     manifest to be served from a subdirectory. This could     cause the appcache to be used to service requests for     the top level directory. This vulnerability affects     Firefox < 78. (CVE-2020-12415)

  - A VideoStreamEncoder may have been freed in a race     condition with VideoBroadcaster::AddOrUpdateSink,     resulting in a use-after-free, memory corruption, and a     potentially exploitable crash. This vulnerability     affects Firefox < 78. (CVE-2020-12416)

  - Due to confusion about ValueTags on JavaScript Objects,     an object may pass through the type barrier, resulting     in memory corruption and a potentially exploitable     crash. *Note: this issue only affects Firefox on ARM64     platforms.* This vulnerability affects Firefox ESR <     68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12417)

  - Manipulating individual parts of a URL object could have     caused an out-of-bounds read, leaking process memory to     malicious JavaScript. This vulnerability affects Firefox     ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12418)

  - When processing callbacks that occurred during window     flushing in the parent process, the associated window     may die; causing a use-after-free condition. This could     have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Firefox     ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12419)

  - When trying to connect to a STUN server, a race     condition could have caused a use-after-free of a     pointer, leading to memory corruption and a potentially     exploitable crash. This vulnerability affects Firefox     ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
    (CVE-2020-12420)

  - During RSA key generation, bignum implementations used a     variation of the Binary Extended Euclidean Algorithm     which entailed significantly input-dependent flow. This     allowed an attacker able to perform electromagnetic-     based side channel attacks to record traces leading to     the recovery of the secret primes. *Note:* An unmodified     Firefox browser does not generate RSA keys in normal     operation and is not affected, but products built on top     of it might. This vulnerability affects Firefox < 78.
    (CVE-2020-12402)

  - When performing add-on updates, certificate chains     terminating in non-built-in-roots were rejected (even if     they were legitimately added by an administrator.) This     could have caused add-ons to become out-of-date silently     without notification to the user. This vulnerability     affects Firefox ESR < 68.10, Firefox < 78, and     Thunderbird < 68.10.0. (CVE-2020-12421)

  - In non-standard configurations, a JPEG image created by     JavaScript could have caused an internal variable to     overflow, resulting in an out of bounds write, memory     corruption, and a potentially exploitable crash. This     vulnerability affects Firefox < 78. (CVE-2020-12422)

  - When the Windows DLL webauthn.dll was missing from the     Operating System, and a malicious one was placed in a     folder in the user's %PATH%, Firefox may have loaded the     DLL, leading to arbitrary code execution. *Note: This     issue only affects the Windows operating system; other     operating systems are unaffected.* This vulnerability     affects Firefox < 78. (CVE-2020-12423)

  - When constructing a permission prompt for WebRTC, a URI     was supplied from the content process. This URI was     untrusted, and could have been the URI of an origin that     was previously granted permission; bypassing the prompt.
    This vulnerability affects Firefox < 78.
    (CVE-2020-12424)

  - Due to confusion processing a hyphen character in     Date.parse(), a one-byte out of bounds read could have     occurred, leading to potential information disclosure.
    This vulnerability affects Firefox < 78.
    (CVE-2020-12425)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 77. Some of these bugs     showed evidence of memory corruption and we presume that     with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability     affects Firefox < 78. (CVE-2020-12426)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues :

Security issues fixed :

CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).

CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).

CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).

CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).

CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).

CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).

CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).

CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).

CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).

CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).

CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).

CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).

CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).

FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).

Non-security issues fixed :

Fixed interaction with freetype6 (bsc#1173613).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. (CVE-2020-12415, CVE-2020-12416, CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, CVE-2020-12422, CVE-2020-12424, CVE-2020-12425, CVE-2020-12426) It was discovered that when performing add-on updates, certificate chains not terminating with built-in roots were silently rejected. This could result in add-ons becoming outdated. (CVE-2020-12421).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Firefox installed on the remote Windows host is prior to 78.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-24 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 78.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-24 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
150683	SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2020:14421-1)	Nessus	SuSE Local Security Checks	high
147399	NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2021-0018)	Nessus	NewStart CGSL Local Security Checks	high
147247	NewStart CGSL MAIN 6.02 : firefox Multiple Vulnerabilities (NS-SA-2021-0052)	Nessus	NewStart CGSL Local Security Checks	high
145857	CentOS 8 : firefox (CESA-2020:3557)	Nessus	CentOS Local Security Checks	high
143085	RHEL 7 : firefox (RHSA-2020:4080)	Nessus	Red Hat Local Security Checks	high
141760	Scientific Linux Security Update : firefox on SL7.x x86_64 (20201001)	Nessus	Scientific Linux Local Security Checks	high
141414	Oracle Linux 7 : firefox (ELSA-2020-4080)	Nessus	Oracle Linux Local Security Checks	high
140042	Oracle Linux 8 : firefox (ELSA-2020-3557)	Nessus	Oracle Linux Local Security Checks	high
139854	RHEL 8 : firefox (RHSA-2020:3557)	Nessus	Red Hat Local Security Checks	high
139851	RHEL 8 : firefox (RHSA-2020:3559)	Nessus	Red Hat Local Security Checks	high
139811	RHEL 8 : firefox (RHSA-2020:3555)	Nessus	Red Hat Local Security Checks	high
138933	GLSA-202007-10 : Mozilla Firefox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
138786	openSUSE Security Update : MozillaFirefox (openSUSE-2020-1017)	Nessus	SuSE Local Security Checks	high
138747	openSUSE Security Update : MozillaFirefox (openSUSE-2020-983)	Nessus	SuSE Local Security Checks	high
138589	Mozilla Thunderbird < 78.0	Nessus	Windows	high
138588	Mozilla Thunderbird < 78.0	Nessus	MacOS X Local Security Checks	high
138494	SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2020:1899-1)	Nessus	SuSE Local Security Checks	high
138493	SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2020:1898-1)	Nessus	SuSE Local Security Checks	high
138133	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : Firefox vulnerabilities (USN-4408-1)	Nessus	Ubuntu Local Security Checks	high
138085	Mozilla Firefox < 78.0	Nessus	Windows	high
138084	Mozilla Firefox < 78.0	Nessus	MacOS X Local Security Checks	high

CVE-2020-12425

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high