matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:1802 advisory.

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    This vulnerability affects Thunderbird < 102.10. (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
    (CVE-2023-1945)

  - There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode()     function and loop through to free best.bw and assign best = trial pointer. The second loop will then     return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the     AddressSanitizer will attempt a double free. (CVE-2023-1999)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Ribose RNP before 0.16.3 may hang when the input is malformed. (CVE-2023-29479)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks. This     vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <     112, and Thunderbird < 102.10. (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects     Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <     102.10. (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This     vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <     112, and Thunderbird < 102.10. (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android     < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29539)

  - Firefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands. <br>*This bug only affects Firefox for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.*. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR <     102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This     vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <     112, and Thunderbird < 102.10. (CVE-2023-29548)

  - Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10,     Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202305-36 (Mozilla Thunderbird: Multiple Vulnerabilities)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP (CVE-2023-0616)

  - An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory     writes via PKCS 12 Safe Bag attributes being mishandled.  (CVE-2023-0767)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.
    (CVE-2023-1999)

  - Mozilla: Content security policy leak in violation reports using iframes (CVE-2023-25728)

  - Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code>     resulting in extensions being able to open them without user interaction via     <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or     interacting with software already installed on the system.  (CVE-2023-25729)

  - A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force     the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
    (CVE-2023-25730)

  - When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being     encoded was not correctly calculated potentially leading to an out of bounds memory write.
    (CVE-2023-25732)

  - After downloading a Windows <code>.url</code> shortcut from the local filesystem, an attacker could supply     a remote path that would lead to unexpected network requests from the operating system.  This also had the     potential to leak NTLM credentials to the resource. This bug only affects Thunderbird on Windows. Other     operating systems are unaffected.  (CVE-2023-25734)

  - Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to     be stored in the main compartment resulting in a use-after-free after unwrapping the proxy.
    (CVE-2023-25735)

  - An invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined     behavior.  (CVE-2023-25737)

  - Members of the <code>DEVMODEW</code> struct set by the printer device driver weren't being validated and     could have resulted in invalid values which in turn would cause the browser to attempt out of bounds     access to related variables. This bug only affects Thunderbird on Windows. Other operating systems are     unaffected.  (CVE-2023-25738)

  - Module load requests that failed were not being checked as to whether or not they were cancelled causing a     use-after-free in <code>ScriptLoadContext</code>.  (CVE-2023-25739)

  - After downloading a Windows <code>.scf</code> script from the local filesystem, an attacker could supply a     remote path that would lead to unexpected network requests from the operating system. This also had the     potential to leak NTLM credentials to the resource. This bug only affects Firefox for Windows. Other     operating systems are unaffected.  (CVE-2023-25740)

  - When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This     behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the     behavior was disabled until further review.  (CVE-2023-25741)

  - When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab     to crash.  (CVE-2023-25742)

  - Mozilla: Fullscreen notification not shown in Firefox Focus (CVE-2023-25743)

  - Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in     Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume     that with enough effort some of these could have been exploited to run arbitrary code.  (CVE-2023-25744)

  - Mozilla developers Timothy Nikkel, Gabriele Svelto, Jeff Muizelaar and the Mozilla Fuzzing Team reported     memory safety bugs present in Firefox 109. Some of these bugs showed evidence of memory corruption and we     presume that with enough effort some of these could have been exploited to run arbitrary code.
    (CVE-2023-25745)

  - Mozilla developers Philipp and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.7.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of     these could have been exploited to run arbitrary code.  (CVE-2023-25746)

  - Mozilla: Incorrect code generation during JIT compilation (CVE-2023-25751)

  - Mozilla: Potential out-of-bounds when accessing throttled streams (CVE-2023-25752)

  - Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

  - When downloading files through the Save As dialog on Windows with suggested filenames containing     environment variable names, Windows would have resolved those in the context of the current user.  This     bug only affects Firefox on Windows. Other versions of Firefox are unaffected.  (CVE-2023-28163)

  - Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation     (CVE-2023-28164)

  - Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 (CVE-2023-28176)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:1802 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Ribose RNP before 0.16.3 may hang when the input is malformed. (CVE-2023-29479)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:1809 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Ribose RNP before 0.16.3 may hang when the input is malformed. (CVE-2023-29479)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5392 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in     the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user     interface to hang. The issue was discovered using Google's oss-fuzz.  (CVE-2023-29479)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1806 advisory.

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    This vulnerability affects Thunderbird < 102.10. (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
    (CVE-2023-1945)

  - There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode()     function and loop through to free best.bw and assign best = trial pointer. The second loop will then     return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the     AddressSanitizer will attempt a double free. (CVE-2023-1999)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Ribose RNP before 0.16.3 may hang when the input is malformed. (CVE-2023-29479)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks. This     vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <     112, and Thunderbird < 102.10. (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects     Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <     102.10. (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This     vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <     112, and Thunderbird < 102.10. (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android     < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29539)

  - Firefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands. <br>*This bug only affects Firefox for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.*. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR <     102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This     vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <     112, and Thunderbird < 102.10. (CVE-2023-29548)

  - Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10,     Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3400 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Ribose RNP before 0.16.3 may hang when the input is malformed. (CVE-2023-29479)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:1802 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in     the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user     interface to hang. The issue was discovered using Google's oss-fuzz.  (CVE-2023-29479)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:1809 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in     the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user     interface to hang. The issue was discovered using Google's oss-fuzz.  (CVE-2023-29479)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-1809 advisory.

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in     the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user     interface to hang. The issue was discovered using Google's oss-fuzz.  (CVE-2023-29479)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-1802 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in     the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user     interface to hang. The issue was discovered using Google's oss-fuzz.  (CVE-2023-29479)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-1806 advisory.

  - Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in     the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user     interface to hang. The issue was discovered using Google's oss-fuzz.  (CVE-2023-29479)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-     controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
    (CVE-2023-29536)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
    (CVE-2023-29548)

  - OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and     revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug.
    (CVE-2023-0547)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially     exploitable crash.  (CVE-2023-1945)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

  - Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be     interpreted to run attacker-controlled commands.  This bug only affects Thunderbird for Linux on certain     Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected     Linux Distributions.  (CVE-2023-29541)

  - A website could have obscured the fullscreen notification by using a combination of     <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and     <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
    (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly     traced. This resulted in memory corruption and a potentially exploitable crash.  (CVE-2023-29535)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if     the filename contained a NULL character. This could have led to reflected file download attacks     potentially tricking users to install malware.  (CVE-2023-29539)

  - Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team     reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1802 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1806 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1805 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1804 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1809 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1803 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1811 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1810 advisory.

  - Thunderbird: Revocation status of S/Mime recipient certificates was not checked (CVE-2023-0547)

  - Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

  - Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

  - Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack (CVE-2023-28427)

  - Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)

  - Mozilla: Fullscreen notification obscured (CVE-2023-29533)

  - Mozilla: Potential Memory Corruption following Garbage Collector compaction (CVE-2023-29535)

  - Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

  - Mozilla: Content-Disposition filename truncation leads to Reflected File Download (CVE-2023-29539)

  - Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux (CVE-2023-29541)

  - Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

  - Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 (CVE-2023-29550)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1736-1 advisory.

  - Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be     overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects     Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-25751)

  - When accessing throttled streams, the count of available bytes needed to be checked in the calling     function to be within bounds. This may have lead future code to be incorrect and vulnerable. This     vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-25752)

  - While implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type.
    This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox     ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-28162)

  - When downloading files through the Save As dialog on Windows with suggested filenames containing     environment variable names, Windows would have resolved those in the context of the current user.
    <br>*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.*. This     vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-28163)

  - Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user     confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and     Thunderbird < 102.9. (CVE-2023-28164)

  - Mozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety     bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption     and we presume that with enough effort some of these could have been exploited to run arbitrary code. This     vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-28176)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of mozilla-thunderbird installed on the remote host is prior to 102.9.1. It is, therefore, affected by a vulnerability as referenced in the SSA:2023-088-01 advisory.

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 102.9.1. It is, therefore, affected by a vulnerability as referenced in the mfsa2023-12 advisory.

  - Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.
    (CVE-2023-28427)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 102.9.1. It is, therefore, affected by a vulnerability as referenced in the mfsa2023-12 advisory.

  - Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.
    (CVE-2023-28427)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5b0ae405-cdc7-11ed-bb39-901b0e9408dc advisory.

  - matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent     by remote servers containing special strings in key locations could cause modifications of the     `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially     affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There     are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr     which refers to a similar issue. (CVE-2023-28103)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0     events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from     functioning properly, potentially impacting the consumer's ability to process data safely. Note that the     matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to     the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The     issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2023-28427)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
190168	CentOS 8 : thunderbird (CESA-2023:1802)	Nessus	CentOS Local Security Checks	high
176468	GLSA-202305-36 : Mozilla Thunderbird: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
174799	Rocky Linux 8 : thunderbird (RLSA-2023:1802)	Nessus	Rocky Linux Local Security Checks	high
174797	Rocky Linux 9 : thunderbird (RLSA-2023:1809)	Nessus	Rocky Linux Local Security Checks	high
174701	Debian DSA-5392-1 : thunderbird - security update	Nessus	Debian Local Security Checks	high
174681	CentOS 7 : thunderbird (RHSA-2023:1806)	Nessus	CentOS Local Security Checks	high
174677	Debian DLA-3400-1 : thunderbird - LTS security update	Nessus	Debian Local Security Checks	high
174593	AlmaLinux 8 : thunderbird (ALSA-2023:1802)	Nessus	Alma Linux Local Security Checks	high
174582	AlmaLinux 9 : thunderbird (ALSA-2023:1809)	Nessus	Alma Linux Local Security Checks	high
174433	Oracle Linux 9 : thunderbird (ELSA-2023-1809)	Nessus	Oracle Linux Local Security Checks	high
174432	Oracle Linux 8 : thunderbird (ELSA-2023-1802)	Nessus	Oracle Linux Local Security Checks	high
174431	Oracle Linux 7 : thunderbird (ELSA-2023-1806)	Nessus	Oracle Linux Local Security Checks	high
174420	RHEL 8 : thunderbird (RHSA-2023:1802)	Nessus	Red Hat Local Security Checks	high
174415	RHEL 7 : thunderbird (RHSA-2023:1806)	Nessus	Red Hat Local Security Checks	high
174414	RHEL 8 : thunderbird (RHSA-2023:1805)	Nessus	Red Hat Local Security Checks	high
174412	RHEL 8 : thunderbird (RHSA-2023:1804)	Nessus	Red Hat Local Security Checks	high
174411	RHEL 9 : thunderbird (RHSA-2023:1809)	Nessus	Red Hat Local Security Checks	high
174408	RHEL 8 : thunderbird (RHSA-2023:1803)	Nessus	Red Hat Local Security Checks	high
174407	RHEL 8 : thunderbird (RHSA-2023:1811)	Nessus	Red Hat Local Security Checks	high
174406	RHEL 9 : thunderbird (RHSA-2023:1810)	Nessus	Red Hat Local Security Checks	high
173824	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaThunderbird (SUSE-SU-2023:1736-1)	Nessus	SuSE Local Security Checks	high
173709	Slackware Linux 15.0 / current mozilla-thunderbird Vulnerability (SSA:2023-088-01)	Nessus	Slackware Local Security Checks	high
173624	Mozilla Thunderbird < 102.9.1	Nessus	Windows	high
173623	Mozilla Thunderbird < 102.9.1	Nessus	MacOS X Local Security Checks	high
173613	FreeBSD : Matrix clients -- Prototype pollution in matrix-js-sdk (5b0ae405-cdc7-11ed-bb39-901b0e9408dc)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2023-28427

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high