FreeBSD : mozilla -- scripting vulnerabilities (b2e6d1d6-1339-11d9-bc4a-000c41e2cdad)

This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Several scripting vulnerabilities were discovered and corrected in
Mozilla :

CVE-2004-0905: javascript: links dragged onto another frame or page
allow an attacker to steal or modify sensitive information from other
sites. The user could be convinced to drag obscured links in the
context of a game or even a fake scrollbar. If the user could be
convinced to drag two links in sequence into a separate window (not
frame), the attacker would be able to run arbitrary programs.

CVE-2004-0908: Untrusted JavaScript code can read and write to the
clipboard, stealing any sensitive data the user might have copied.
Workaround: disable JavaScript.

CVE-2004-0909: Signed scripts requesting enhanced abilities could
construct the request in a way that led to a confusing grant dialog,
possibly fooling the user into thinking the privilege requested was
inconsequential while actually obtaining explicit permission to run
and install software. Workaround: never grant enhanced abilities of
any kind to untrusted web pages.

See also :

http://bugzilla.mozilla.org/show_bug.cgi?id=250862
http://bugzilla.mozilla.org/show_bug.cgi?id=257523
http://bugzilla.mozilla.org/show_bug.cgi?id=253942
http://www.nessus.org/u?5c807165

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 19087 (freebsd_pkg_b2e6d1d6133911d9bc4a000c41e2cdad.nasl)

Bugtraq ID:

CVE ID: CVE-2004-0905
CVE-2004-0908
CVE-2004-0909
