Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2011:169 | First vendor Publication | 2011-11-09 |
Vendor | Mandriva | Last vendor Modification | 2011-11-09 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Security issues were identified and fixed in mozilla NSS, firefox and thunderbird: 22 weak 512-bit certificates issued by the DigiCert Sdn. Bhd certificate authority has been revoked from the root CA storage. This was fixed with rootcerts-20111103.00 and nss-3.13. DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla's root program. Untrusted search path vulnerability in Mozilla Network Security Services (NSS) might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory (CVE-2011-3640). Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding (CVE-2011-3648). Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug (CVE-2011-3650). The following vulnerabilities affetst Mandriva Linux 2011 only: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-3651). The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2011-3652). The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2011-3654). Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform access control without checking for use of the NoWaiverWrapper wrapper, which allows remote attackers to gain privileges via a crafted web site (CVE-2011-3655). The following vulnerabilities affects Mandriva Enterpriser Server 5.2 and Mandriva Linux 2010.2 only: The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004 (CVE-2011-3647). Additionally, some packages which require so, have been rebuilt and are being provided as updates. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:169 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
38 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
25 % | CWE-20 | Improper Input Validation |
12 % | CWE-426 | Untrusted Search Path |
12 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
12 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13414 | |||
Oval ID: | oval:org.mitre.oval:def:13414 | ||
Title: | ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug." | ||
Description: | ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3640 | Version: | 15 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Google Chrome |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13550 | |||
Oval ID: | oval:org.mitre.oval:def:13550 | ||
Title: | The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004. | ||
Description: | The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3647 | Version: | 17 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Firefox Mozilla Thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13830 | |||
Oval ID: | oval:org.mitre.oval:def:13830 | ||
Title: | The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | ||
Description: | The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3654 | Version: | 19 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Thunderbird Mozilla Firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13870 | |||
Oval ID: | oval:org.mitre.oval:def:13870 | ||
Title: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Description: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3650 | Version: | 19 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Thunderbird Mozilla Firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14121 | |||
Oval ID: | oval:org.mitre.oval:def:14121 | ||
Title: | The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey before 2.4 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. | ||
Description: | The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey before 2.4 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3004 | Version: | 18 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Seamonkey Mozilla Firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14202 | |||
Oval ID: | oval:org.mitre.oval:def:14202 | ||
Title: | Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform access control without checking for use of the NoWaiverWrapper wrapper, which allows remote attackers to gain privileges via a crafted web site. | ||
Description: | Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform access control without checking for use of the NoWaiverWrapper wrapper, which allows remote attackers to gain privileges via a crafted web site. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3655 | Version: | 19 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Firefox Mozilla Thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14212 | |||
Oval ID: | oval:org.mitre.oval:def:14212 | ||
Title: | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. | ||
Description: | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3648 | Version: | 19 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Thunderbird Mozilla Firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14239 | |||
Oval ID: | oval:org.mitre.oval:def:14239 | ||
Title: | The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | ||
Description: | The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3652 | Version: | 19 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Thunderbird Mozilla Firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14364 | |||
Oval ID: | oval:org.mitre.oval:def:14364 | ||
Title: | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | ||
Description: | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-3651 | Version: | 17 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Mozilla Firefox Mozilla Thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14689 | |||
Oval ID: | oval:org.mitre.oval:def:14689 | ||
Title: | DSA-2339-1 nss -- several | ||
Description: | This update to the NSS cryptographic libraries revokes the trust in the "DigiCert Sdn. Bhd" certificate authority | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2339-1 CVE-2011-3640 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | nss |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:14796 | |||
Oval ID: | oval:org.mitre.oval:def:14796 | ||
Title: | USN-1254-1 -- Thunderbird vulnerabilities | ||
Description: | thunderbird: Mozilla Open Source mail and newsgroup client Multiple vulnerabilities have been fixed in Thunderbird. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1254-1 CVE-2011-3004 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 5 |
Platform(s): | Ubuntu 11.04 Ubuntu 10.04 Ubuntu 10.10 | Product(s): | Thunderbird |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:15154 | |||
Oval ID: | oval:org.mitre.oval:def:15154 | ||
Title: | DSA-2345-1 icedove -- several | ||
Description: | Several vulnerabilities have been discovered in Icedove, a mail client based on Thunderbird. CVE-2011-3647 The JSSubScriptLoader does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. CVE-2011-3648 A cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. CVE-2011-3650 Iceweasel does not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2345-1 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | icedove |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:15170 | |||
Oval ID: | oval:org.mitre.oval:def:15170 | ||
Title: | USN-1277-2 -- Mozvoikko and ubufox update | ||
Description: | mozvoikko: Finnish spell-checker extension for Firefox - ubufox: Ubuntu Firefox specific configuration defaults and apt support Details: USN-1277-1 fixed vulnerabilities in Firefox. This update provides updated Mozvoikko and ubufox packages for use with Firefox 8. Original advisory This update provides packages compatible with Firefox 8. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1277-2 CVE-2011-3648 CVE-2011-3650 CVE-2011-3651 CVE-2011-3652 CVE-2011-3654 CVE-2011-3655 | Version: | 5 |
Platform(s): | Ubuntu 11.04 Ubuntu 11.10 | Product(s): | Mozvoikko |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:15332 | |||
Oval ID: | oval:org.mitre.oval:def:15332 | ||
Title: | DSA-2342-1 iceape -- several | ||
Description: | Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey: CVE-2011-3647 "moz_bug_r_a4" discovered a privilege escalation vulnerability in addon handling. CVE-2011-3648 Yosuke Hasegawa discovered that incorrect handling of Shift-JIS encodings could lead to cross-site scripting. CVE-2011-3650 Marc Schoenefeld discovered that profiling the Javascript code could lead to memory corruption. The oldstable distribution is not affected. The iceape package only provides the XPCOM code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2342-1 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | iceape |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:15362 | |||
Oval ID: | oval:org.mitre.oval:def:15362 | ||
Title: | DSA-2341-1 iceweasel -- several | ||
Description: | Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian. CVE-2011-3647 "moz_bug_r_a4" discovered a privilege escalation vulnerability in addon handling. CVE-2011-3648 Yosuke Hasegawa discovered that incorrect handling of Shift-JIS encodings could lead to cross-site scripting. CVE-2011-3650 Marc Schoenefeld discovered that profiling the Javascript code could lead to memory corruption. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2341-1 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | iceweasel |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:15371 | |||
Oval ID: | oval:org.mitre.oval:def:15371 | ||
Title: | USN-1251-1 -- Firefox and Xulrunner vulnerabilities | ||
Description: | firefox: Mozilla Open Source web browser - xulrunner-1.9.2: Mozilla Gecko runtime environment Multiple vulnerabilities have been fixed in Firefox and Xulrunner. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1251-1 CVE-2011-3004 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 5 |
Platform(s): | Ubuntu 10.10 Ubuntu 10.04 | Product(s): | Firefox |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:15380 | |||
Oval ID: | oval:org.mitre.oval:def:15380 | ||
Title: | USN-1282-1 -- Thunderbird vulnerabilities | ||
Description: | thunderbird: Mozilla Open Source mail and newsgroup client Multiple vulnerabilities have been fixed in Thunderbird. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1282-1 CVE-2011-3648 CVE-2011-3650 CVE-2011-3651 CVE-2011-3652 CVE-2011-3654 CVE-2011-3655 | Version: | 5 |
Platform(s): | Ubuntu 11.10 | Product(s): | Thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:15383 | |||
Oval ID: | oval:org.mitre.oval:def:15383 | ||
Title: | USN-1277-1 -- Firefox vulnerabilities | ||
Description: | firefox: Mozilla Open Source web browser Multiple vulnerabilities have been fixed in Firefox. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1277-1 CVE-2011-3648 CVE-2011-3650 CVE-2011-3651 CVE-2011-3652 CVE-2011-3654 CVE-2011-3655 | Version: | 5 |
Platform(s): | Ubuntu 11.04 Ubuntu 11.10 | Product(s): | Firefox |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21221 | |||
Oval ID: | oval:org.mitre.oval:def:21221 | ||
Title: | USN-1222-1 -- Firefox vulnerabilities | ||
Description: | Firefox could be made to crash or possibly run programs as your login if it opened a malicious website. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1222-1 CVE-2011-2995 CVE-2011-2997 CVE-2011-2999 CVE-2011-3000 CVE-2011-2372 CVE-2011-3001 CVE-2011-3002 CVE-2011-3003 CVE-2011-3005 CVE-2011-3232 CVE-2011-3004 | Version: | 5 |
Platform(s): | Ubuntu 11.04 | Product(s): | firefox |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21620 | |||
Oval ID: | oval:org.mitre.oval:def:21620 | ||
Title: | RHSA-2011:1439: thunderbird security update (Critical) | ||
Description: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:1439-01 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21765 | |||
Oval ID: | oval:org.mitre.oval:def:21765 | ||
Title: | RHSA-2011:1437: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:1437-01 CESA-2011:1437 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22013 | |||
Oval ID: | oval:org.mitre.oval:def:22013 | ||
Title: | RHSA-2011:1438: thunderbird security update (Moderate) | ||
Description: | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:1438-01 CESA-2011:1438 CVE-2011-3648 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22694 | |||
Oval ID: | oval:org.mitre.oval:def:22694 | ||
Title: | DEPRECATED: ELSA-2011:1437: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:1437-01 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 18 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23226 | |||
Oval ID: | oval:org.mitre.oval:def:23226 | ||
Title: | ELSA-2011:1438: thunderbird security update (Moderate) | ||
Description: | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:1438-01 CVE-2011-3648 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23410 | |||
Oval ID: | oval:org.mitre.oval:def:23410 | ||
Title: | ELSA-2011:1439: thunderbird security update (Critical) | ||
Description: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:1439-01 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 17 |
Platform(s): | Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23717 | |||
Oval ID: | oval:org.mitre.oval:def:23717 | ||
Title: | ELSA-2011:1437: firefox security update (Critical) | ||
Description: | Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:1437-01 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 17 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | firefox xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28130 | |||
Oval ID: | oval:org.mitre.oval:def:28130 | ||
Title: | DEPRECATED: ELSA-2011-1439 -- thunderbird security update (critical) | ||
Description: | [3.1.16-2.0.1.el6_1] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js - Replace clean.gif in tarball [3.1.16-2] - Update to 3.1.16 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-1439 CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for seamonkey CESA-2011:1440 centos4 x86_64 File : nvt/gb_CESA-2011_1440_seamonkey_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for thunderbird CESA-2011:1438 centos5 x86_64 File : nvt/gb_CESA-2011_1438_thunderbird_centos5_x86_64.nasl |
2012-07-30 | Name : CentOS Update for thunderbird CESA-2011:1438 centos4 x86_64 File : nvt/gb_CESA-2011_1438_thunderbird_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for firefox CESA-2011:1437 centos4 x86_64 File : nvt/gb_CESA-2011_1437_firefox_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for firefox CESA-2011:1437 centos5 x86_64 File : nvt/gb_CESA-2011_1437_firefox_centos5_x86_64.nasl |
2012-07-09 | Name : RedHat Update for thunderbird RHSA-2011:1439-01 File : nvt/gb_RHSA-2011_1439-01_thunderbird.nasl |
2012-03-16 | Name : Ubuntu Update for thunderbird USN-1282-1 File : nvt/gb_ubuntu_USN_1282_1.nasl |
2012-02-13 | Name : Debian Security Advisory DSA 2341-1 (iceweasel) File : nvt/deb_2341_1.nasl |
2012-02-11 | Name : Debian Security Advisory DSA 2339-1 (nss) File : nvt/deb_2339_1.nasl |
2012-02-11 | Name : Debian Security Advisory DSA 2342-1 (iceape) File : nvt/deb_2342_1.nasl |
2011-12-23 | Name : Ubuntu Update for thunderbird USN-1254-1 File : nvt/gb_ubuntu_USN_1254_1.nasl |
2011-11-25 | Name : Ubuntu Update for mozvoikko USN-1277-2 File : nvt/gb_ubuntu_USN_1277_2.nasl |
2011-11-25 | Name : Ubuntu Update for firefox USN-1277-1 File : nvt/gb_ubuntu_USN_1277_1.nasl |
2011-11-14 | Name : Mozilla Products XSS and Memory Corruption Vulnerabilities (Windows) File : nvt/gb_mozilla_prdts_xss_n_mem_crptn_vuln_win.nasl |
2011-11-14 | Name : Mozilla Products XSS and Memory Corruption Vulnerabilities (MAC OS X) File : nvt/gb_mozilla_prdts_xss_n_mem_crptn_vuln_macosx.nasl |
2011-11-14 | Name : Mozilla Products 'NoWaiverWrapper' Privilege Escalation Vulnerability (Mac OS X) File : nvt/gb_mozilla_prdts_wrapper_priv_esc_vuln_macosx.nasl |
2011-11-14 | Name : Mozilla Products Privilege Escalation Vulnerabily (MAC OS X) File : nvt/gb_mozilla_prdts_priv_esc_vuln_macosx.nasl |
2011-11-14 | Name : Mozilla Products Multiple Vulnerabilities (MAC OS X) File : nvt/gb_mozilla_prdts_mult_vuln_nov11_macosx.nasl |
2011-11-14 | Name : Mozilla Products Multiple Unspecified Vulnerabilities (MAC OS X) File : nvt/gb_mozilla_prdts_mult_unspecified_vuln_macosx.nasl |
2011-11-11 | Name : CentOS Update for thunderbird CESA-2011:1438 centos4 i386 File : nvt/gb_CESA-2011_1438_thunderbird_centos4_i386.nasl |
2011-11-11 | Name : Ubuntu Update for firefox USN-1251-1 File : nvt/gb_ubuntu_USN_1251_1.nasl |
2011-11-11 | Name : Mozilla Products 'NoWaiverWrapper' Privilege Escalation Vulnerability (Windows) File : nvt/gb_mozilla_prdts_wrapper_priv_esc_vuln_win.nasl |
2011-11-11 | Name : Mozilla Products Privilege Escalation Vulnerabily (Windows) File : nvt/gb_mozilla_prdts_priv_esc_vuln_win.nasl |
2011-11-11 | Name : Mozilla Products Multiple Vulnerabilities (Windows) File : nvt/gb_mozilla_prdts_mult_vuln_nov11_win.nasl |
2011-11-11 | Name : Mozilla Products Browser Engine Denial of Service Vulnerabilities (Windows) File : nvt/gb_mozilla_prdts_browser_engine_dos_vuln_win.nasl |
2011-11-11 | Name : Mandriva Update for mozilla MDVSA-2011:169 (mozilla) File : nvt/gb_mandriva_MDVSA_2011_169.nasl |
2011-11-11 | Name : RedHat Update for seamonkey RHSA-2011:1440-01 File : nvt/gb_RHSA-2011_1440-01_seamonkey.nasl |
2011-11-11 | Name : RedHat Update for thunderbird RHSA-2011:1438-01 File : nvt/gb_RHSA-2011_1438-01_thunderbird.nasl |
2011-11-11 | Name : RedHat Update for firefox RHSA-2011:1437-01 File : nvt/gb_RHSA-2011_1437-01_firefox.nasl |
2011-11-11 | Name : CentOS Update for seamonkey CESA-2011:1440 centos4 i386 File : nvt/gb_CESA-2011_1440_seamonkey_centos4_i386.nasl |
2011-11-11 | Name : CentOS Update for thunderbird CESA-2011:1438 centos5 i386 File : nvt/gb_CESA-2011_1438_thunderbird_centos5_i386.nasl |
2011-11-11 | Name : CentOS Update for firefox CESA-2011:1437 centos4 i386 File : nvt/gb_CESA-2011_1437_firefox_centos4_i386.nasl |
2011-11-11 | Name : CentOS Update for firefox CESA-2011:1437 centos5 i386 File : nvt/gb_CESA-2011_1437_firefox_centos5_i386.nasl |
2011-11-03 | Name : Google Chrome Mozilla Network Security Services Privilege Escalation Vulnerab... File : nvt/gb_google_chrome_nss_priv_escalation_vuln_win.nasl |
2011-11-03 | Name : Google Chrome Mozilla Network Security Services Privilege Escalation Vulnerab... File : nvt/gb_google_chrome_nss_priv_escalation_vuln_macosx.nasl |
2011-10-16 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox59.nasl |
2011-10-14 | Name : Mozilla Firefox and SeaMonkey 'loadSubScript()' Security Bypass Vulnerability... File : nvt/gb_mozilla_prdts_load_subscript_sec_bypass_vuln_macosx.nasl |
2011-10-04 | Name : Mozilla Firefox and SeaMonkey 'loadSubScript()' Security Bypass Vulnerability File : nvt/gb_mozilla_prdts_load_subscript_sec_bypass_vuln_win.nasl |
2011-09-30 | Name : Ubuntu Update for firefox USN-1222-1 File : nvt/gb_ubuntu_USN_1222_1.nasl |
0000-00-00 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox61.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
76955 | Mozilla Multiple Product NoWaiverWrappers Internal Privilege Check Weakness R... |
76952 | Mozilla Multiple Product Firebug JavaScript File Profiling Remote Memory Corr... |
76951 | Mozilla Multiple Product Multiple Unspecified Remote Memory Corruption (2011-... |
76950 | Mozilla Multiple Product Unchecked Allocation Failure Remote Memory Corruption |
76949 | Mozilla Multiple Product SVG <mpath> Non-SVG Link Remote Memory Corruption |
76948 | Mozilla Multiple Product Shift-JIS XSS |
76947 | Mozilla Multiple Product JSSubScriptLoader loadSubScript Method XPCNativeWrap... |
76858 | Mozilla Network Security Services (NSS) Trojaned pkcs11.txt File Local Privil... |
75845 | Mozilla Multiple Product loadSubScript Method XPCNativeWrappers Unwrapping Re... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_thunderbird_20120404.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_firefox_20121210.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-254.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2011-34.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2011-9.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_MozillaFirefox-111109.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libfreebl3-111108.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_nss-201112-111220.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_seamonkey-110928.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_seamonkey-111130.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_MozillaFirefox-110928.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_MozillaFirefox-111110.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_libfreebl3-111108.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_nss-201112-111220.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_seamonkey-110928.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_seamonkey-111130.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1437.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2011-1438.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2011-1439.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1440.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
2012-09-06 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-141.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111108_firefox_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111108_seamonkey_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111108_thunderbird_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111108_thunderbird_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2011-12-23 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1254-1.nasl - Type : ACT_GATHER_INFO |
2011-12-13 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_MozillaFirefox-111114.nasl - Type : ACT_GATHER_INFO |
2011-11-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1282-1.nasl - Type : ACT_GATHER_INFO |
2011-11-26 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1277-1.nasl - Type : ACT_GATHER_INFO |
2011-11-26 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1277-2.nasl - Type : ACT_GATHER_INFO |
2011-11-14 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2011-1438.nasl - Type : ACT_GATHER_INFO |
2011-11-14 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-1437.nasl - Type : ACT_GATHER_INFO |
2011-11-14 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-1440.nasl - Type : ACT_GATHER_INFO |
2011-11-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2345.nasl - Type : ACT_GATHER_INFO |
2011-11-11 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1251-1.nasl - Type : ACT_GATHER_INFO |
2011-11-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2341.nasl - Type : ACT_GATHER_INFO |
2011-11-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2342.nasl - Type : ACT_GATHER_INFO |
2011-11-10 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6c8ad3e80a3011e195804061862b8c22.nasl - Type : ACT_GATHER_INFO |
2011-11-10 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-169.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Mac OS X host contains an email client that is potentially affecte... File : macosx_thunderbird_8_0.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_3_6_24.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_8_0.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Mac OS X host contains an email client that is potentially affecte... File : macosx_thunderbird_3_1_16.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_3624.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_80.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_3116.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_80.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1437.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2011-1438.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1439.nasl - Type : ACT_GATHER_INFO |
2011-11-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1440.nasl - Type : ACT_GATHER_INFO |
2011-11-08 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2339.nasl - Type : ACT_GATHER_INFO |
2011-10-03 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_7_0.nasl - Type : ACT_GATHER_INFO |
2011-09-30 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1222-1.nasl - Type : ACT_GATHER_INFO |
2011-09-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : seamonkey_24.nasl - Type : ACT_GATHER_INFO |
2011-09-29 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_70.nasl - Type : ACT_GATHER_INFO |
2011-09-29 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_1fade8a3e9e811e095804061862b8c22.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:42:33 |
|