Mozilla Firefox < 30.0 / Firefox ESR < 24.6 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 8290

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 30.0 (or Firefox ESR earlier than 24.6) are unpatched against the following vulnerabilities:

- Buffer overflows due to insufficient input validation in the Gamepad API and the Web Audio Speex resampler, which can be leveraged to execute arbitrary code or cause denial-of-service conditions (CVE-2014-1543, CVE-2014-1542)
- Use-after-free errors in the SMIL Animation Controller, the Event Listener Manager, and various other locations, which may be triggered via web content to cause a potentially exploitable crash (CVE-2014-1540, CVE-2014-1539, CVE-2014-1538; on non-ESR Firefox only: CVE-2014-1536, CVE-2014-1537)
- Clickjacking through cursor invisibility when the cursor leaves an embedded Flash object (OS X platform only) (CVE-2014-1539)
- Miscellaneous memory safety hazards (CVE-2014-1533, CVE-2014-1534)

Solution

Upgrade to Firefox 30.0 (or Firefox ESR version 24.6, as appropriate) or later.

See Also

http://www.mozilla.org/security/announce/2014/mfsa2014-48.html

http://www.mozilla.org/security/announce/2014/mfsa2014-49.html

http://www.mozilla.org/security/announce/2014/mfsa2014-50.html

http://www.mozilla.org/security/announce/2014/mfsa2014-51.html

http://www.mozilla.org/security/announce/2014/mfsa2014-52.html

http://www.mozilla.org/security/announce/2014/mfsa2014-53.html

http://www.mozilla.org/security/announce/2014/mfsa2014-54.html

http://www.mozilla.org/security/announce/2014/mfsa2014-55.html

Plugin Details

Severity: Medium

ID: 8290

Family: Web Clients

Published: 2014/06/10

Modified: 2018/09/16

Dependencies: 9131

Nessus ID: 74440

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2014/06/10

Vulnerability Publication Date: 2014/06/10

Reference Information

CVE: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1539, CVE-2014-1540, CVE-2014-1541, CVE-2014-1542, CVE-2014-1543, CVE-2014-1545

BID: 67964, 67965, 67966, 67967, 67968, 67969, 67971, 67975, 67976, 67978, 67979

IAVA: 2016-A-0293