The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:0812 advisory.

  - Mozilla: Content security policy leak in violation reports using iframes (CVE-2023-25728)

  - Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code>     resulting in extensions being able to open them without user interaction via     <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or     interacting with software already installed on the system. This vulnerability affects Firefox < 110,     Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25729)

  - Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)

  - When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being     encoded was not correctly calculated potentially leading to an out of bounds memory write. This     vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25732)

  - Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to     be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This     vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25735)

  - An invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined     behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
    (CVE-2023-25737)

  - Module load requests that failed were not being checked as to whether or not they were cancelled causing a     use-after-free in <code>ScriptLoadContext</code>. This vulnerability affects Firefox < 110, Thunderbird <     102.8, and Firefox ESR < 102.8. (CVE-2023-25739)

  - Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

  - Mozilla: Fullscreen notification not shown in Firefox Focus (CVE-2023-25743)

  - Mmemory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. (CVE-2023-25744)

  - Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption     and we presume that with enough effort some of these could have been exploited to run arbitrary code. This     vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8. (CVE-2023-25746)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

CentOS 7 : firefox (RHSA-2023:0812)

high Nessus Plugin ID 171793

Version 1.3

Version 1.2

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Dec 22, 2023, 7:23 PM CVE (set "CVE" coverage to "CVE-2023-25728,CVE-2023-25729,CVE-2023-25730,CVE-2023-25732,CVE-2023-25735,CVE-2023-25737,CVE-2023-25739,CVE-2023-25742,CVE-2023-25743,CVE-2023-25744,CVE-2023-25746") Detection (updated detection logic) Plugin metadata Plugin Feed: 202312221923
Version 1.2 Sep 1, 2023, 2:16 PM CVSS metrics ("CVSSv2 score" changed from 7.6 to 10.0. "CVSSv3 vector" changed from "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H". "CVSSv2 vector" changed from "CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C" to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C". "CVSSv3 score" changed from 7.5 to 8.8) CVSSv3 score source (set to "CVE-2023-25746") Plugin Feed: 202309011416
Version 1.2 Dec 22, 2023, 5:21 PM CVE (set "CVE" coverage to "CVE-2023-25728,CVE-2023-25729,CVE-2023-25730,CVE-2023-25732,CVE-2023-25735,CVE-2023-25737,CVE-2023-25739,CVE-2023-25742,CVE-2023-25743,CVE-2023-25744,CVE-2023-25746") Detection (updated detection logic) Plugin metadata Plugin Feed: 202312221721
Version 1.1 Mar 16, 2023, 4:17 PM IAVM reference Plugin Feed: 202303161617
Version 1.0 Feb 22, 2023, 11:59 PM New Plugin Feed: 202302222359