Mozilla Firefox < 59 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700328
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 59 are unpatched for the following vulnerabilities:

- An overflow condition exists that is triggered when handling SVG animatedPathSegList attributes. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A use-after-free error exists in 'dom/html/nsTextEditorState.cpp' that is triggered when handling elements, events, and selection ranges during editor operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as local copies of resources that were sent with a no-store or no-cache header may be returned by the 'fetch()' API. This allows a local attacker to gain access to potentially sensitive information.
- An out-of-bounds write flaw exists that is triggered when handling plane widths and stride constraints in IPC messages. This may allow a context-dependent attacker to bypass sandbox restrictions.
- A flaw exists in the 'JsepTrack::NegotiateCodecs()' function in 'media/webrtc/signaling/src/jsep/JsepTrack.cpp' that is triggered when handling RTP payload types in WebRTC connections. With specially crafted packets, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'runFindOperation()' function in 'browser/components/extensions/ext-find.js' that is triggered as it permits using the Find API for WebExtensions to access privileged pages in open tabs. By tricking a user into installing a malicious web extension, a context-dependent attacker can gain access to potentially sensitive information.
- A flaw exists that is triggered as input to the 'app.support.baseURL' preference is not properly sanitized. This may allow a local attacker to create specially crafted script code that is executed in the user's browser session within the context of the preferences tab.
- A flaw exists in 'netwerk/protocol/viewsource/nsViewSourceHandler.cpp' that is triggered when handling view-source: URLs. By tricking a user into installing a malicious web extension, a context-dependent attacker can bypass content restrictions and view local 'file:' URL content or content stored in 'about:cache'.
- A flaw exists that is triggered when handling access restrictions for web extensions. By tricking a user into installing a malicious web extension, a context-dependent attacker can inject script code into pages from other web extensions or unprivileged 'about:' pages.
- A flaw exists in 'dom/workers/RuntimeService.cpp' that is triggered as a shared worker created from a data: URL can be shared by another tab with a different origin. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw exists in the 'nsChromeRegistry::Canonify()' function in 'chrome/nsChromeRegistry.cpp' that is triggered as access to a legacy extension's 'non-contentaccessible' resource is not properly restricted. With a specially crafted web page, a context-dependent attacker can gain unauthorized access.
- A flaw exists in the 'ActionBarPresenter::updateCustomView()' function in 'customtabs/ActionBarPresenter.java' that is triggered when handling overly long domain names in an Android Custom Tab. This allows a context-dependent attacker to spoof the address bar.
- A flaw exists in the 'nsMozIconURI::SetSpec()' function in 'image/decoders/icon/nsIconURI.cpp' that is triggered as access to moz-images is not properly restricted when using the 'moz-icon:' protocol. With a specially crafted web page, a context-dependent attacker can gain information about application associations for certain MIME types.
- A flaw exists in the 'SendNotificationEventRunnable::WorkerRun()' function in 'dom/workers/ServiceWorkerPrivate.cpp' related to the Notifications Push API. This may allow a context-dependent attacker to open new tabs and display unwanted content from arbitrary URLs.
- A flaw exists that is due to the Media Capture and Streams API not properly displaying the originating domain when requested via 'data:' or 'blob:' URLs. This may result in user confusion about which site is asking for this permission.
- A flaw exists in the 'stripUnsafeProtocolOnPaste()' function in 'content/browser.js' that allows a cross-site scripting (Self-XSS) attack. This flaw exists because the application does not properly sanitize input to the address bar. This may allow a context-dependent attacker to create a specially crafted 'javascript:' URL containing an embedded tab character that executes arbitrary script code in their own browser.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling typed arrays. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the AccessibleCaret (Copy & Paste) feature that is triggered when handling flushing of pending notifications. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'jit/CacheIR.cpp' that is triggered when attaching argument stubs. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'JSCompartment::getOrCreateIterResultTemplateObject()' function in 'jsiter.cpp' that is triggered when updating type information of iter result object templates. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A signedness flaw exists in the StoreBuffer class that may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'MediaPipelineTransmit::SetDescription()' function in 'mediapipeline/MediaPipeline.cpp' that is triggered when handling media descriptions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsHTMLDocument::Open()' function in 'dom/html/nsHTMLDocument.cpp' that is triggered when handling unload events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsCSSFrameConstructor::ContentRemoved()' function in 'layout/base/nsCSSFrameConstructor.cpp' that is triggered when handling frames for content nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'internal_ClearHistogramById()' function in 'toolkit/components/telemetry/TelemetryHistogram.cpp' that is triggered when handling expired histograms. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CanAttachAddElement()' function in 'jit/CacheIR.cpp' that is triggered when handling shadowing indexed properties. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'mozglue/android/NSSBridge.cpp' that is triggered as certain input is not properly validated when decoding base64 data. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling HTTP/2 streams. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'EventStateManager::NotifyMouseOver()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling mouseover events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'JSStructuredCloneReader::readHeader()' function in 'vm/StructuredClone.cpp' that is triggered when handling structured clone data. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'jit::MakeMRegExpHoistable()' function in 'jit/IonAnalysis.cpp' that is triggered when optimizing regular expressions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'JSObject::setFlags()' function in 'vm/Shape.cpp' that is triggered when checking for dictionary mode. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'vpx_codec_enc_init_multi_ver()' function in 'vpx_encoder.c' that is triggered when handling memory during early exits. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is related to document renderer handling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An arithmetic flaw exists in the 'nsTextFrame::GetRenderedText()' function in 'layout/generic/nsTextFrame.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in the EditorBase destructor in 'editor/libeditor/EditorBase.cpp' that is triggered when unlinking cycle collectors. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in 'vp9/encoder/x86/vp9_quantize_ssse3_x86_64.asm' that is triggered when handling memory pointers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDocumentEncoder::SerializeToStringRecursive()' function in 'dom/base/nsDocumentEncoder.cpp' that is triggered when serializing DOM nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in the 'vorbis_book_decodevs_add()', 'vorbis_book_decodev_add()', and 'vorbis_book_decodevv_add()' functions in 'codebook.c' that is triggered when decoding codebooks from Vorbis audio data. This may allow a context-dependent attacker to corrupt memory and execute arbitrary code.

Solution

Upgrade to Firefox version 59 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2018-06

Plugin Details

Severity: High

ID: 700328

Family: Web Clients

Published: 8/21/2018

Updated: 3/6/2019

Dependencies: 9131

Nessus ID: 108377

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Patch Publication Date: 3/13/2018

Vulnerability Publication Date: 12/3/2017

Reference Information

CVE: CVE-2018-5146, CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5147, CVE-2018-5126, CVE-2018-5128, CVE-2018-5132, CVE-2018-5133, CVE-2018-5134, CVE-2018-5135, CVE-2018-5136, CVE-2018-5137, CVE-2018-5140, CVE-2018-5141, CVE-2018-5142, CVE-2018-5143, CVE-2018-5138

BID: 103388, 103432, 103386