Mozilla Firefox ESR < 24.8 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 701247


The remote host has a web browser installed that is vulnerable to multiple attack vectors.


Versions of Mozilla Firefox ESR prior to 24.8 are unpatched for the following vulnerabilities :

- Use-after-free vulnerabilities -- when setting text direction, and when interacting with SVG content through the DOM -- which can be leveraged for arbitrary code execution (CVE-2014-1567, CVE-2014-1563)
- Out-of-bounds read in the Web Audio audio timeline that can trigger a crash and potentially disclose memory content (CVE-2014-1565)
- Incomplete memory initialization when rendering a malformed GIF image could expose that memory to scripts via web content using the '<canvas>' feature, resulting in information disclosure (CVE-2014-1564)
- Other undisclosed memory issues that have since been patched (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562)


Upgrade to Firefox ESR version 24.8 or later.

See Also

Plugin Details

Severity: Medium

ID: 701247

Family: Web Clients

Published: 2019/11/06

Updated: 2019/11/06

Dependencies: 9131

Nessus ID: 77495, 77500

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Patch Publication Date: 2014/09/02

Vulnerability Publication Date: 2014/09/02

Reference Information

CVE: CVE-2014-1567, CVE-2014-1563, CVE-2014-1565, CVE-2014-1564, CVE-2014-1553, CVE-2014-1554, CVE-2014-1562

BID: 69519, 69520, 69521, 69523, 69524, 69525, 69526