Firefox 3.5.x < 3.5.11 Multiple Vulnerabilities
high Log Correlation Engine Plugin ID 800782
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
The remote host has a web browser installed that is vulnerable to multiple attack vectors.Description
Versions of Firefox 3.5.x earlier than 3.5.11 are potentially affected by multiple vulnerabilities :Multiple memory safety bugs could result in memory corruption, potentially resulting in arbitrary code execution. (MFSA 2010-34)
- An error in DOM attribute cloning could result in arbitrary code execution. (MFSA 2010-35)
- An error in Mozilla's 'NodeIterator' implementation could lead to arbitrary code execution. (MFSA 2010-36)
An error in the code to store the names and values of plugin parameters could lead to arbitrary code execution. (MFSA 2010-37)
- The array class used to store CSS values is affected by an integer overflow vulnerability. (MFSA 2010-39)
- An integer overflow vulnerability exists in the 'selection' attribute of the XUL tree element. (MFSA 2010-40)
- A buffer overflow exists in Mozilla graphics code could lead to arbitrary code execution. (MFSA 2010-41)
- It is possible to read and parse resources from other domains even when the content is not valid javascript leading to cross-domain data disclosure. (MFSA 2010-42)
- Multiple location bar spoofing vulnerabilities exist. (MFSA 2010-45)
- It is possible to read data across domains by injecting bogus CSS selectors into a target site. (MFSA 2010-46)
- Potentially sensitive URL parameters could be leaked across domains via script errors. (MFSA 2010-47)
Solution
Upgrade to Mozilla Firefox 3.5.11 or later.See Also
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.11
http://www.mozilla.org/security/announce/2010/mfsa2010-34.html
http://www.mozilla.org/security/announce/2010/mfsa2010-35.html
http://www.mozilla.org/security/announce/2010/mfsa2010-36.html
http://www.mozilla.org/security/announce/2010/mfsa2010-37.html
http://www.mozilla.org/security/announce/2010/mfsa2010-39.html
http://www.mozilla.org/security/announce/2010/mfsa2010-40.html
http://www.mozilla.org/security/announce/2010/mfsa2010-41.html
http://www.mozilla.org/security/announce/2010/mfsa2010-42.html
http://www.mozilla.org/security/announce/2010/mfsa2010-45.html
http://www.mozilla.org/security/announce/2010/mfsa2010-46.html
http://www.mozilla.org/security/announce/2010/mfsa2010-47.html
Plugin Details
Severity: High
ID: 800782
Family: Web Clients
Published: 7/21/2010
Updated: 7/21/2010
Nessus ID: 47781
Risk Information
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Vulnerability Information
Patch Publication Date: 7/20/2010
Vulnerability Publication Date: 7/20/2010
Reference Information
CVE: CVE-2010-1211, CVE-2010-1214, CVE-2010-2753, CVE-2010-2754, CVE-2010-1205, CVE-2010-0654, CVE-2010-1206, CVE-2010-1208, CVE-2010-1209, CVE-2010-1213, CVE-2010-2751, CVE-2010-2752
BID: 41824, 41842, 41845, 41849, 41852, 41853, 41859, 41860, 41871, 41872, 41968