Mozilla Thunderbird < 8.0 Multiple Vulnerabilities

This script is Copyright (C) 2011-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a mail client that is potentially
affected by multiple vulnerabilities.

Description :

The installed version of Thunderbird is earlier than 8.0 and is thus
potentially affected by the following security issues :

- Certain invalid sequences are not handled properly in
'Shift-JIS' encoding and can allow cross-site scripting
attacks. (CVE-2011-3648)

- The addition of the 'Azure' graphics functionality
re-introduced a cross-origin information disclosure issue
previously described in CVE-2011-2986. (CVE-2011-3649)

- Profiling JavaScript files with many functions can cause
the application to crash. It may be possible to trigger
this behavior even when the debugging APIs are not being
used. (CVE-2011-3650)

- Multiple memory safety issues exist. (CVE-2011-3651)

- An unchecked memory allocation failure can cause the
application to crash. (CVE-2011-3652)

- An issue with WebGL graphics and GPU drivers can allow
cross-origin image theft. (CVE-2011-3653)

- An error exists related to SVG 'mpath' linking to a
non-SVG element and can result in potentially
exploitable application crashes. (CVE-2011-3654)

- An error in internal privilege checking can allow
web content to obtain elevated privileges.
(CVE-2011-3655)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2011-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2011-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2011-49/
https://www.mozilla.org/en-US/security/advisories/mfsa2011-50/
https://www.mozilla.org/en-US/security/advisories/mfsa2011-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2011-52/

Solution :

Upgrade to Thunderbird 8 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true
