Detections
Analytics
Mozilla Firefox < 62.0.3 Multiple Vulnerabilities
high Nessus Network Monitor Plugin ID 700409
Synopsis
The remote host has a web browser installed that is vulnerable to multiple attack vectors.Description
Versions of Mozilla Firefox prior to 62.0.3 are unpatched for the following vulnerabilities as referenced in the mfsa2018-24 advisory:- A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. (CVE-2018-12386)
- A vulnerability where the JavaScript JIT compiler inlines 'Array.prototype.push' with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. (CVE-2018-12387)
Solution
Upgrade to Firefox version 62.0.3 or later.See Also
https://www.mozilla.org/en-US/security/advisories/mfsa2018-24
Plugin Details
Severity: High
ID: 700409
Family: Web Clients
Published: 2/7/2019
Updated: 3/6/2019
Nessus ID: 117921
Risk Information
VPR
Risk Factor: Medium
Score: 6.0
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS v3
Risk Factor: High
Base Score: 8.1
Temporal Score: 7.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mozilla:firefox
Patch Publication Date: 10/2/2018
Vulnerability Publication Date: 10/2/2018
Reference Information
CVE: CVE-2018-12386, CVE-2018-12387
BID: 105460