Mozilla Firefox < 59 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700328

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 59 are unpatched for the following vulnerabilities :

- An overflow condition exists that is triggered when handling SVG animatedPathSegList attributes. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A use-after-free error exists in 'dom/html/nsTextEditorState.cpp' that is triggered when handling elements, events, and selection ranges during editor operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as local copies of resources that were sent with a no-store or no-cache header may be returned by the 'fetch()' API. This allows a local attacker to gain access to potentially sensitive information.
- An out-of-bounds write flaw exists that is triggered when handling plane widths and stride constraints in IPC messages. This may allow a context-dependent attacker to bypass sandbox restrictions.
- A flaw exists in the 'JsepTrack::NegotiateCodecs()' function in 'media/webrtc/signaling/src/jsep/JsepTrack.cpp' that is triggered when handling RTP payload types in WebRTC connections. With specially crafted packets, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'runFindOperation()' function in 'browser/components/extensions/ext-find.js' that is triggered as it permits using the Find API for WebExtensions to access privileged pages in open tabs. By tricking a user into installing a malicious web extension, a context-dependent attacker can gain access to potentially sensitive information.
- A flaw exists that is triggered as input to the 'app.support.baseURL' preference is not properly sanitized. This may allow a local attacker to create specially crafted script code that is executed in the user's browser session within the context of the preferences tab.
- A flaw exists in 'netwerk/protocol/viewsource/nsViewSourceHandler.cpp' that is triggered when handling view-source: URLs. By tricking a user into installing a malicious web extension, a context-dependent attacker can bypass content restrictions and view local 'file:' URL content or content stored in 'about:cache'.
- A flaw exists that is triggered when handling access restrictions for web extensions. By tricking a user into installing a malicious web extension, a context-dependent attacker can inject script code into pages from other web extensions or unprivileged 'about:' pages.
- A flaw exists in 'dom/workers/RuntimeService.cpp' that is triggered as a shared worker created from a data: URL can be shared by another tab with a different origin. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw exists in the 'nsChromeRegistry::Canonify()' function in 'chrome/nsChromeRegistry.cpp' that is triggered as access to a legacy extension's 'non-contentaccessible' resource is not properly restricted. With a specially crafted web page, a context-dependent attacker can gain unauthorized access to such resources.
- A flaw exists in the 'ActionBarPresenter::updateCustomView()' function in 'customtabs/ActionBarPresenter.java' that is triggered when handling overly long domain names in an Android Custom Tab. This allows a context-dependent attacker to spoof the address bar.
- A flaw exists in the 'nsMozIconURI::SetSpec()' function in 'image/decoders/icon/nsIconURI.cpp' that is triggered as access to moz-images is not properly restricted when using the 'moz-icon:' protocol. With a specially crafted web page, a context-dependent attacker can gain information about application associations for certain MIME types.
- A flaw exists in the 'SendNotificationEventRunnable::WorkerRun()' function in 'dom/workers/ServiceWorkerPrivate.cpp' related to the Notifications Push API. This may allow a context-dependent attacker to open new tabs and display unwanted content from arbitrary URLs.
- A flaw exists in the Media Capture and Streams API that is triggered as the originating domain is not properly displayed when a permission is requested via 'data:' or 'blob:' URLs. This may result in user confusion about which site is asking for this permission.
- A flaw exists in the 'stripUnsafeProtocolOnPaste()' function in 'content/browser.js' that allows a cross-site scripting (Self-XSS) attack. This flaw exists because the application does not properly sanitize input pasted into the address bar. This may allow a context-dependent attacker to create a specially crafted 'javascript:' URL containing an embedded tab character that executes arbitrary script code in the victim's own browser once pasted.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling typed arrays. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the AccessibleCaret (Copy & Paste) feature that is triggered when handling flushing of pending notifications. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'jit/CacheIR.cpp' that is triggered when attaching argument stubs. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'JSCompartment::getOrCreateIterResultTemplateObject()' function in 'jsiter.cpp' that is triggered when updating type information of iter result object templates. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A signedness flaw exists in the StoreBuffer class that may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'MediaPipelineTransmit::SetDescription()' function in 'mediapipeline/MediaPipeline.cpp' that is triggered when handling media descriptions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsHTMLDocument::Open()' function in 'dom/html/nsHTMLDocument.cpp' that is triggered when handling unload events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsCSSFrameConstructor::ContentRemoved()' function in 'layout/base/nsCSSFrameConstructor.cpp' that is triggered when handling frames for content nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'internal_ClearHistogramById()' function in 'toolkit/components/telemetry/TelemetryHistogram.cpp' that is triggered when handling expired histograms. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CanAttachAddElement()' function in 'jit/CacheIR.cpp' that is triggered when handling shadowing indexed properties. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'mozglue/android/NSSBridge.cpp' that is triggered as certain input is not properly validated when decoding base64 data. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling HTTP/2 streams. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'EventStateManager::NotifyMouseOver()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling mouseover events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'JSStructuredCloneReader::readHeader()' function in 'vm/StructuredClone.cpp' that is triggered when handling structured clone data. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'jit::MakeMRegExpHoistable()' function in 'jit/IonAnalysis.cpp' that is triggered when optimizing regular expressions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'JSObject::setFlags()' function in 'vm/Shape.cpp' that is triggered when checking for dictionary mode. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'vpx_codec_enc_init_multi_ver()' function in 'vpx_encoder.c' that is triggered when handling memory during early exits. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is related to document renderer handling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An arithmetic flaw exists in the 'nsTextFrame::GetRenderedText()' function in 'layout/generic/nsTextFrame.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in the EditorBase destructor in 'editor/libeditor/EditorBase.cpp' that is triggered when unlinking cycle collectors. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in 'vp9/encoder/x86/vp9_quantize_ssse3_x86_64.asm' that is triggered when handling memory pointers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDocumentEncoder::SerializeToStringRecursive()' function in 'dom/base/nsDocumentEncoder.cpp' that is triggered when serializing DOM nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in the 'vorbis_book_decodevs_add()', 'vorbis_book_decodev_add()', and 'vorbis_book_decodevv_add()' functions in 'codebook.c' that is triggered when decoding codebooks from Vorbis audio data. This may allow a context-dependent attacker to corrupt memory and execute arbitrary code.

Solution

Upgrade to Firefox version 59 or later.
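The version test behind this plugin is a straightforward comparison against the fixed release. The script below is an added example, not Tenable's plugin code, and shows how a practitioner would reproduce the same check passively from HTTP User-Agent strings or from a local "firefox --version" banner. The sample inputs are constructed; the only fact taken from this page is that Firefox releases earlier than 59 are affected. Note the caveat built into it: the Firefox User-Agent token carries only major.minor (e.g. "Firefox/58.0" for 58.0.2), and a client can spoof its User-Agent, so a passive match is a lead for an authenticated version check rather than proof.

```python
"""Flag Firefox builds earlier than 59 (MFSA 2018-06) from version strings.

Added example for this advisory page; not Nessus/NNM plugin code.
"""
import re
from typing import List, Optional, Tuple

# First release that fixes every issue listed in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (59, 0, 0)

# Matches "Firefox/58.0" (User-Agent token) and "Mozilla Firefox 58.0.2"
# (output of `firefox --version`). Minor and patch are optional because the
# UA token never carries a point release.
_VERSION_RE = re.compile(r"Firefox[ /](\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_firefox_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for the first Firefox version in text,
    or None if the string does not identify Firefox at all."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major = int(m.group(1))
    minor = int(m.group(2) or 0)
    patch = int(m.group(3) or 0)
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the Firefox version in text is earlier than 59, False if it is
    59 or later, None if no Firefox version could be parsed."""
    version = parse_firefox_version(text)
    if version is None:
        return None
    # Tuple comparison gives the same ordering a human would use: 58.0.2 < 59.0.0.
    return version < FIXED_VERSION


def scan_user_agents(lines: List[str]) -> List[Tuple[str, Tuple[int, int, int]]]:
    """Return (line, version) for every log line whose User-Agent reports an
    affected Firefox. Lines for other browsers or newer Firefox are skipped."""
    hits = []
    for line in lines:
        if is_affected(line):
            hits.append((line, parse_firefox_version(line)))  # type: ignore[arg-type]
    return hits


# Constructed sample log lines (not captured traffic); one affected client,
# one patched client, one non-Firefox client.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/65.0.3325.181"',
]

if __name__ == "__main__":
    for line, version in scan_user_agents(SAMPLE_LOG):
        print("affected: Firefox %d.%d.%d in %s" % (version + (line,)))
    # A local banner is handled the same way:
    print("Mozilla Firefox 58.0.2 affected:", is_affected("Mozilla Firefox 58.0.2"))
```

In a passive deployment, treat each hit as a candidate host to confirm with an authenticated check of the installed binary; in an authenticated scan, feed the output of "firefox --version" to is_affected() directly.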

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2018-06

Plugin Details

Severity: High

ID: 700328

Family: Web Clients

Published: 8/21/2018

Updated: 3/6/2019

Nessus ID: 108377

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 3/13/2018

Vulnerability Publication Date: 12/3/2017

Reference Information

CVE: CVE-2018-5125, CVE-2018-5126, CVE-2018-5127, CVE-2018-5128, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5132, CVE-2018-5133, CVE-2018-5134, CVE-2018-5135, CVE-2018-5136, CVE-2018-5137, CVE-2018-5138, CVE-2018-5140, CVE-2018-5141, CVE-2018-5142, CVE-2018-5143, CVE-2018-5146, CVE-2018-5147

BID: 103386, 103388, 103432