Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

SeaMonkey < 2.20 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of SeaMonkey earlier than version 2.20 are prone to the following vulnerabilities :

- Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702) - A use-after-free vulnerability occurs when the Document Object Model is modified during a SetBody mutation event. (CVE-2013-1704) - A use-after-free vulnerability occurs when generating a Certificate Request Message Format (CRMF) request with certain parameters. (CVE-2013-1705) - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707) - A denial-of-service vulnerability occurs when decoding of 'WAV' format audio files. (CVE-2013-1708) - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709) - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710) - A cross-site scripting vulnerability occurs by bypassing XrayWrappers from within the Chrome on unprivileged objects, using XBL Scopes. (CVE-2013-1711) - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712) - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713) - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714) - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717) - Stored cross-site scripting vulnerability due to insufficient input validation of 'data:' URLs in iframe elements. (CVE-2013-6674)

Solution

Upgrade to SeaMonkey 2.20 or later.