Detections
Analytics
NewStart CGSL MAIN 7.02 : firefox Multiple Vulnerabilities (NS-SA-2025-0109)
critical Nessus Plugin ID 242713
Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.Description
The remote NewStart CGSL host, running version MAIN 7.02, has firefox packages installed that are affected by multiple vulnerabilities:- Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. (CVE-2024-5171)
- A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32211)
- An attacker could have positioned a `datalist` element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32212)
- When reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32213)
- During the worker lifecycle, a use-after-free condition could have occured, which could have led to a potentially exploitable crash. This vulnerability affects Firefox < 115.0.2, Firefox ESR < 115.0.2, and Thunderbird < 115.0.1. (CVE-2023-3600)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL firefox packages. Note that updated packages may not be available yet. Please contact ZTE for more information.See Also
https://security.gd-linux.com/notice/NS-SA-2025-0109
https://security.gd-linux.com/info/CVE-2023-32211
https://security.gd-linux.com/info/CVE-2023-32212
https://security.gd-linux.com/info/CVE-2023-32213
https://security.gd-linux.com/info/CVE-2023-3600
https://security.gd-linux.com/info/CVE-2023-4046
https://security.gd-linux.com/info/CVE-2023-4049
https://security.gd-linux.com/info/CVE-2023-4051
https://security.gd-linux.com/info/CVE-2023-4053
https://security.gd-linux.com/info/CVE-2023-4054
https://security.gd-linux.com/info/CVE-2023-4055
https://security.gd-linux.com/info/CVE-2023-4056
https://security.gd-linux.com/info/CVE-2023-4057
https://security.gd-linux.com/info/CVE-2023-5217
https://security.gd-linux.com/info/CVE-2023-5721
https://security.gd-linux.com/info/CVE-2023-5724
https://security.gd-linux.com/info/CVE-2023-5725
https://security.gd-linux.com/info/CVE-2023-5726
https://security.gd-linux.com/info/CVE-2023-5727
https://security.gd-linux.com/info/CVE-2023-5728
https://security.gd-linux.com/info/CVE-2023-5730
https://security.gd-linux.com/info/CVE-2023-5732
https://security.gd-linux.com/info/CVE-2024-5171
Plugin Details
Severity: Critical
ID: 242713
File Name: newstart_cgsl_NS-SA-2025-0109_firefox.nasl
Version: 1.1
Type: local
Published: 7/25/2025
Updated: 7/25/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: High
Score: 8.4
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 8.3
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2024-5171
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 9.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
CVSS v4
Risk Factor: Critical
Base Score: 10
Threat Score: 10
Threat Vector: CVSS:4.0/E:A
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerability Information
CPE: cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:firefox
Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 7/25/2025
Vulnerability Publication Date: 5/9/2023
CISA Known Exploited Vulnerability Due Dates: 10/23/2023
Reference Information
CVE: CVE-2023-32211, CVE-2023-32212, CVE-2023-32213, CVE-2023-3600, CVE-2023-4046, CVE-2023-4049, CVE-2023-4051, CVE-2023-4053, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-5217, CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5726, CVE-2023-5727, CVE-2023-5728, CVE-2023-5730, CVE-2023-5732, CVE-2024-5171, CVE-2024-6602, CVE-2024-6606
IAVA: 2023-A-0242-S, 2023-A-0337-S, 2023-A-0388-S, 2023-A-0522-S, 2023-A-0585-S, 2024-A-0386-S