Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Mozilla Thunderbird < 17.0.7 Multiple Vulnerabilities

High

Synopsis

The remote host has a mail client installed that is vulnerable to multiple vulnerabilities

Description

Versions of Thunderbird prior to 17.0.7 are potentially affected by the following vulnerabilities :

- Various, unspecified memory safety issues exist.(CVE-2013-1682, CVE-2013-1683)\m\m - Heap-use-after-free errors exist related to 'LookupMediaElementURITable', 'nsIDocument::GetRootElement' and 'mozilla::ResetDir'. (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)

- An error exists related to 'XBL scope', 'System Only Wrappers' (SOW) and chrome-privileged pages that could allow cross-site scripting attacks. (CVE-2013-1687)

- An error exists related to the 'profiler' that could allow arbitrary code execution. (CVE-2013-1688)

- An error related to 'onreadystatechange' and unmapped memory could cause application crashes and allow arbitrary code execution. (CVE-2013-1690)

- The application sends data in the body of XMLHttpRequest (XHR) HEAD requests and could aid in cross-site request forgery attacks. (CVE-2013-1692)

- An error related to the processing of SVG content could allow a timing attack to disclose information across domains. (CVE-2013-1693)

- An error exists related to 'PreserveWrapper' and the 'preserved-wrapper' flag that could cause potentially exploitable application crashes. (CVE-2013-1694) - An error exists related to '<iframe sandbox>' restrictions that could allow a bypass of these restrictions. (CVE-2013-1695)

- The 'X-Frame-Options' header is ignored in certain situations and can aid in click-jacking attacks. (CVE-2013-1696)

- An error exists related to the 'toString' and 'valueOf' methods that could allow 'XrayWrappers' to be bypassed. (CVE-2013-1697)

- An error exists related to the 'getUserMedia' permission dialog that could allow a user to be tricked into giving access to unintended domains. (CVE-2013-1698)

- Homograph domain spoofing protection is incomplete and certain attacks are still possible using Internationalized Domain Names (IDN). (CVE-2013-1699)

- An error exists related to the 'Mozilla Maintenance Service' on Windows that could allow insecure updates. (CVE-2013-1700)

Solution

Upgrade to Thunderbird 17.0.7 or later.