The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3484 advisory.

  - An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.
    This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37201)

  - Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to     be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115,     Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37202)

  - A website could have obscured the fullscreen notification by using a URL with a scheme handled by an     external program, such as a mailto URL. This could have led to user confusion and possible spoofing     attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
    (CVE-2023-37207)

  - When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code.
    This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37208)

  - Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and     Thunderbird < 102.13. (CVE-2023-37211)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DLA-3484-1 : firefox-esr - LTS security update

high Nessus Plugin ID 178041

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Apr 8, 2024, 10:39 PM Detection (updated detection logic) Plugin metadata Plugin Feed: 202404082239
Version 1.2 Jul 12, 2023, 2:16 PM CVSS metrics ("CVSSv2 score" changed from 7.5 to 10.0. "CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P" to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") Plugin Feed: 202307121416
Version 1.1 Jul 10, 2023, 4:14 PM CVSS metrics ("CVSSv3 score" changed from 9.8 to 8.8. "CVSSv3 vector" changed from "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H") CVSSv3 score source (set to "CVE-2023-37211") Plugin Feed: 202307101614
Version 1.0 Jul 8, 2023, 8:00 AM New Plugin Feed: 202307080800