Executive Summary

Summary | 
---|---
Title | firefox security update

Informations | | | 
---|---|---|---
Name | RHSA-2007:0724 | First vendor Publication | 2007-07-18
Vendor | RedHat | Last vendor Modification | 2007-07-18
Severity (Vendor) | Critical | Revision | 01
Security-Database Scoring CVSS v3

Cvss vector : N/A | | | 
---|---|---|---
Overall CVSS Score | NA | | 
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | | 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | | 
---|---|---|---
Cvss Base Score | 9.3 | Attack Range | Network
Cvss Impact Score | 10 | Attack Complexity | Medium
Cvss Exploit Score | 8.6 | Authentication | None Required
Detail

Problem Description:

Updated firefox packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux Desktop version 4 - i386, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3737, CVE-2007-3738)

Several content injection flaws were found in the way Firefox handled certain JavaScript code. A web page containing malicious JavaScript code could inject arbitrary content into other web pages. (CVE-2007-3736, CVE-2007-3089)

A flaw was found in the way Firefox cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-3656)

Users of Firefox are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

248518 - CVE-2007-3089 various flaws in mozilla products (CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3656 CVE-2007-3738)
Original Source

Url : https://rhn.redhat.com/errata/RHSA-2007-0724.html

CWE : Common Weakness Enumeration

% | Id | Name
---|---|---
100 % | CWE-200 | Information Exposure
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11122

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:11122
Title | Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568.
Description | Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568.
Family | unix
Class | vulnerability
Reference(s) | CVE-2007-3089
Version | 5
Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s) | 

Definition Id: oval:org.mitre.oval:def:11749

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:11749
Title | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed.
Description | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed.
Family | unix
Class | vulnerability
Reference(s) | CVE-2007-3736
Version | 5
Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s) | 

Definition Id: oval:org.mitre.oval:def:18981

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:18981
Title | DSA-1338-1 iceweasel
Description | Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.
Family | unix
Class | patch
Reference(s) | DSA-1338-1, CVE-2007-3089, CVE-2007-3656, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738
Version | 7
Platform(s) | Debian GNU/Linux 4.0
Product(s) | iceweasel

Definition Id: oval:org.mitre.oval:def:19992

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:19992
Title | DSA-1337-1 xulrunner
Description | Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.
Family | unix
Class | patch
Reference(s) | DSA-1337-1, CVE-2007-3089, CVE-2007-3285, CVE-2007-3656, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738
Version | 5
Platform(s) | Debian GNU/Linux 4.0
Product(s) | xulrunner

Definition Id: oval:org.mitre.oval:def:21817

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:21817
Title | ELSA-2007:0724: firefox security update (Critical)
Description | Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper.
Family | unix
Class | patch
Reference(s) | ELSA-2007:0724-02, CVE-2007-3089, CVE-2007-3656, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738
Version | 33
Platform(s) | Oracle Linux 5
Product(s) | firefox

Definition Id: oval:org.mitre.oval:def:21880

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:21880
Title | ELSA-2007:0723: thunderbird security update (Moderate)
Description | Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper.
Family | unix
Class | patch
Reference(s) | ELSA-2007:0723-01, CVE-2007-3089, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738
Version | 29
Platform(s) | Oracle Linux 5
Product(s) | thunderbird

Definition Id: oval:org.mitre.oval:def:9105

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:9105
Title | Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.
Description | Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.
Family | unix
Class | vulnerability
Reference(s) | CVE-2007-3656
Version | 5
Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s) | 
CPE : Common Platform Enumeration
OpenVAS Exploits

Date | Name | File
---|---|---
2009-10-10 | SLES9: Security update for Mozilla | nvt/sles9p5011293.nasl
2009-05-05 | HP-UX Update for Thunderbird HPSBUX02156 | nvt/gb_hp_ux_HPSBUX02156.nasl
2009-04-09 | Mandriva Update for mozilla-thunderbird MDVSA-2007:047 (mozilla-thunderbird) | nvt/gb_mandriva_MDVSA_2007_047.nasl
2009-04-09 | Mandriva Update for mozilla-firefox MDKSA-2007:152 (mozilla-firefox) | nvt/gb_mandriva_MDKSA_2007_152.nasl
2009-03-23 | Ubuntu Update for mozilla-thunderbird vulnerabilities USN-503-1 | nvt/gb_ubuntu_USN_503_1.nasl
2009-03-23 | Ubuntu Update for firefox vulnerabilities USN-490-1 | nvt/gb_ubuntu_USN_490_1.nasl
2009-02-27 | Fedora Update for epiphany-extensions FEDORA-2007-1155 | nvt/gb_fedora_2007_1155_epiphany-extensions_fc7.nasl
2009-02-27 | Fedora Update for firefox FEDORA-2007-642 | nvt/gb_fedora_2007_642_firefox_fc6.nasl
2009-02-27 | Fedora Update for thunderbird FEDORA-2007-641 | nvt/gb_fedora_2007_641_thunderbird_fc6.nasl
2009-02-27 | Fedora Update for seamonkey FEDORA-2007-1181 | nvt/gb_fedora_2007_1181_seamonkey_fc7.nasl
2009-02-27 | Fedora Update for thunderbird FEDORA-2007-1180 | nvt/gb_fedora_2007_1180_thunderbird_fc7.nasl
2009-02-27 | Fedora Update for blam FEDORA-2007-1157 | nvt/gb_fedora_2007_1157_blam_fc7.nasl
2009-02-27 | Fedora Update for yelp FEDORA-2007-1144 | nvt/gb_fedora_2007_1144_yelp_fc7.nasl
2009-02-27 | Fedora Update for devhelp FEDORA-2007-1143 | nvt/gb_fedora_2007_1143_devhelp_fc7.nasl
2009-02-27 | Fedora Update for firefox FEDORA-2007-1142 | nvt/gb_fedora_2007_1142_firefox_fc7.nasl
2009-02-27 | Fedora Update for epiphany FEDORA-2007-1138 | nvt/gb_fedora_2007_1138_epiphany_fc7.nasl
2009-01-28 | SuSE Update for MozillaFirefox,MozillaThunderbird,Seamonkey SUSE-SA:2007:049 | nvt/gb_suse_2007_049.nasl
2008-09-24 | Gentoo Security Advisory GLSA 200708-09 (mozilla/thunderbird/firefox/xulrunner) | nvt/glsa_200708_09.nasl
2008-09-04 | FreeBSD Ports: firefox | nvt/freebsd_firefox29.nasl
2008-05-27 | Debian Security Advisory DSA 1574-1 (icedove) | nvt/deb_1574_1.nasl
2008-04-30 | Debian Security Advisory DSA 1534-2 (iceape) | nvt/deb_1534_2.nasl
2008-04-07 | Debian Security Advisory DSA 1535-1 (iceweasel) | nvt/deb_1535_1.nasl
2008-04-07 | Debian Security Advisory DSA 1534-1 (iceape) | nvt/deb_1534_1.nasl
2008-04-07 | Debian Security Advisory DSA 1532-1 (xulrunner) | nvt/deb_1532_1.nasl
2008-01-17 | Debian Security Advisory DSA 1337-1 (xulrunner) | nvt/deb_1337_1.nasl
2008-01-17 | Debian Security Advisory DSA 1391-1 (icedove) | nvt/deb_1391_1.nasl
2008-01-17 | Debian Security Advisory DSA 1339-1 (iceape) | nvt/deb_1339_1.nasl
2008-01-17 | Debian Security Advisory DSA 1338-1 (iceweasel) | nvt/deb_1338_1.nasl
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
38028 | Mozilla Firefox wyciwyg:// Handler Cache Zone Bypass |
38024 | Mozilla Firefox document.write IFRAME Replacement XSS |
38016 | Mozilla Firefox Crafted XPCNativeWrapper Arbitrary Code Execution (moz_bug_r_a4) |
38015 | Mozilla Firefox Crafted XPCNativeWrapper Arbitrary Code Execution (shutdown) |
38010 | Mozilla Firefox Event Handler Unspecified Element Arbitrary Code Execution |
38002 | Mozilla Firefox addEventListener / setTimeout Function Cross Site Context XSS |
38001 | Mozilla Multiple Products JavaScript Engine Multiple Unspecified Memory Corru... |
38000 | Mozilla Multiple Products Browser Engine Multiple Unspecified Memory Corruption |
Snort® IPS/IDS

Date | Name | Rule ID | Revision | Type
---|---|---|---|---
2018-01-23 | Mozilla Firefox DOM event handler privilege escalation attempt | 45247 | 2 | BROWSER-FIREFOX
2018-01-23 | Mozilla Firefox DOM event handler privilege escalation attempt | 45246 | 2 | BROWSER-FIREFOX
2017-08-29 | Mozilla Firefox wyciwgy domain forgery attempt | 43761 | 2 | BROWSER-FIREFOX
2017-08-23 | Mozilla Firefox display moz-deck style memory corruption attempt | 43644 | 2 | BROWSER-FIREFOX
2017-08-23 | Mozilla Firefox design mode deleted style memory corruption attempt | 43643 | 2 | BROWSER-FIREFOX
2017-08-23 | Mozilla Firefox multiple vulnerabilities memory corruption attempt | 43642 | 4 | BROWSER-FIREFOX
Nessus® Vulnerability Scanner

Date | Name | File | Type
---|---|---|---
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2007-0724.nasl | ACT_GATHER_INFO
2013-07-12 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2007-0723.nasl | ACT_GATHER_INFO
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2007-0722.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20070718_firefox_on_SL5_x.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20070718_seamonkey_on_SL4_x.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing a security update. | sl_20070718_thunderbird_on_SL5_x.nasl | ACT_GATHER_INFO
2010-02-22 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2010-042.nasl | ACT_GATHER_INFO
2009-04-23 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2008-047.nasl | ACT_GATHER_INFO
2008-05-13 | The remote Debian host is missing a security-related update. | debian_DSA-1574.nasl | ACT_GATHER_INFO
2008-04-11 | The remote Debian host is missing a security-related update. | debian_DSA-1535.nasl | ACT_GATHER_INFO
2008-03-31 | The remote Debian host is missing a security-related update. | debian_DSA-1532.nasl | ACT_GATHER_INFO
2008-03-31 | The remote Debian host is missing a security-related update. | debian_DSA-1534.nasl | ACT_GATHER_INFO
2007-12-13 | The remote SuSE 10 host is missing a security-related patch. | suse_MozillaFirefox-3932.nasl | ACT_GATHER_INFO
2007-11-10 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-503-1.nasl | ACT_GATHER_INFO
2007-11-10 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-490-1.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1155.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1157.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1180.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1181.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1143.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1144.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1142.nasl | ACT_GATHER_INFO
2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1138.nasl | ACT_GATHER_INFO
2007-10-25 | The remote Debian host is missing a security-related update. | debian_DSA-1391.nasl | ACT_GATHER_INFO
2007-10-17 | The remote openSUSE host is missing a security update. | suse_MozillaFirefox-3935.nasl | ACT_GATHER_INFO
2007-10-17 | The remote openSUSE host is missing a security update. | suse_MozillaFirefox-3933.nasl | ACT_GATHER_INFO
2007-10-17 | The remote openSUSE host is missing a security update. | suse_MozillaThunderbird-3973.nasl | ACT_GATHER_INFO
2007-10-17 | The remote openSUSE host is missing a security update. | suse_seamonkey-3984.nasl | ACT_GATHER_INFO
2007-10-17 | The remote openSUSE host is missing a security update. | suse_seamonkey-3986.nasl | ACT_GATHER_INFO
2007-08-15 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200708-09.nasl | ACT_GATHER_INFO
2007-08-02 | The remote Mandrake Linux host is missing one or more security updates. | mandrake_MDKSA-2007-152.nasl | ACT_GATHER_INFO
2007-07-30 | The remote Debian host is missing a security-related update. | debian_DSA-1339.nasl | ACT_GATHER_INFO
2007-07-27 | The remote Debian host is missing a security-related update. | debian_DSA-1338.nasl | ACT_GATHER_INFO
2007-07-27 | The remote Debian host is missing a security-related update. | debian_DSA-1337.nasl | ACT_GATHER_INFO
2007-07-25 | A web browser on the remote host is prone to multiple flaws. | seamonkey_113.nasl | ACT_GATHER_INFO
2007-07-23 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2007-0722.nasl | ACT_GATHER_INFO
2007-07-23 | The remote Red Hat host is missing a security update. | redhat-RHSA-2007-0723.nasl | ACT_GATHER_INFO
2007-07-23 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2007-0724.nasl | ACT_GATHER_INFO
2007-07-23 | The remote Windows host contains a mail client that is affected by multiple v... | mozilla_thunderbird_2005.nasl | ACT_GATHER_INFO
2007-07-23 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2007-0722.nasl | ACT_GATHER_INFO
2007-07-23 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_e190ca65363611dca697000c6ec775d9.nasl | ACT_GATHER_INFO
2007-07-23 | The remote Fedora Core host is missing a security update. | fedora_2007-642.nasl | ACT_GATHER_INFO
2007-07-23 | The remote Fedora Core host is missing a security update. | fedora_2007-641.nasl | ACT_GATHER_INFO
2007-07-23 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2007-0724.nasl | ACT_GATHER_INFO
2007-07-23 | The remote CentOS host is missing a security update. | centos_RHSA-2007-0723.nasl | ACT_GATHER_INFO
2007-07-19 | The remote Windows host contains a web browser that is affected by multiple v... | mozilla_firefox_2005.nasl | ACT_GATHER_INFO
Alert History

Date | Informations
---|---
2014-02-17 11:50:54 | 