Mozilla Firefox ESR < 52.8 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700337

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 52.8 are unpatched for the following vulnerabilities:

- A use-after-free error exists that is triggered when enumerating attributes for SVG animations with clip paths. With a specially crafted SVG file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'layout/svg/SVGTextFrame.cpp' that is triggered when adjusting layouts for SVG animations with text paths. With a specially crafted SVG file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists in the PDF viewer that may allow a context-dependent attacker to bypass the same-origin policy and view restricted PDF files on a third-party website.
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the PDF viewer does not properly sanitize input to PostScript calculator functions before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- An integer overflow condition exists in 'include/private/SkTDArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the installation of themes. This may allow a context-dependent attacker to manipulate the baseURI property of a theme element to bypass intended user interaction checks, allowing for the installation of unintended themes. This may be used, e.g., to deface a page with content from unintended themes.
- A flaw exists that is triggered as the program sets the SEE_MASK_FLAG_NO_UI flag for Windows Defender SmartScreen when handling certain downloads. This may result in the download file prompt not displaying to the user, potentially causing files to be opened without the user's intent.
- An assertion flaw exists in the 'FilterNodeArithmeticCombineSoftware::SetAttribute()' function in 'gfx/2d/FilterNodeSoftware.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause an out-of-bounds read and potentially disclose memory contents.
- A flaw exists that is triggered when asynchronously calling methods from the CamerasChild class in 'dom/media/systemservices/CamerasChild.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists that is triggered as certain input is not properly validated when performing UTF8 to Unicode string conversion. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- Multiple unspecified flaws exist related to the use of insecure versions of Skia that may allow an attacker to perform memory corruption attacks, or potentially have other impacts. No further details have been provided.

Solution

Upgrade to Firefox ESR version 52.8 or later.

See Also

http://www.nessus.org/u?0ba4b131

Plugin Details

Severity: High

ID: 700337

Family: Web Clients

Published: 8/21/2018

Updated: 11/6/2019

Nessus ID: 109868

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Patch Publication Date: 4/19/2018

Vulnerability Publication Date: 3/27/2018

Reference Information

CVE: CVE-2018-5150, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5174, CVE-2018-5178, CVE-2018-5183

BID: 104136, 104138