Page 10 of 228 results (0.012 seconds)

CVSS: 4.3EPSS: 0%CPEs: 178EXPL: 0

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8, y SeaMonkey anterior a v 2.20 no maneja adecuadamente la interacción entre los elementos FRAME y el historial, lo que permite a atacantes remotos realicen ataques de cross-site scripting (XSS) a través de vectores relacionados con la suplantación de una ubicación relativa en un documento previamente visitado. • http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-68.html http://www.securityfocus.com/bid/61867 https://bugzilla.mozilla.org/show_bug.cgi?id=848253 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18531 https://access.redhat.com/security/cve/CVE-2013-1709 https://bugzilla.redhat.com/show_bug.cgi?id=993600 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.3EPSS: 0%CPEs: 27EXPL: 0

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site. Las implementaciones System Only Wrapper (SOW) y Chrome Object Wrapper (COW) en Mozilla Firefox anterior a v22.0, Firefox ESR v17.x anterior a v17.0.7, Thunderbird anterior a v17.0.7, y Thunderbird ESR v17.x anterior a v17.0.7 no restringen adecuadamente las funciones XBL definidas por el usuario lo que permite a atacantes remotos ejecutar código JavaScript con privilegios de chrome, o llevar a cabo ataques de ejecución de secuencias de comandos en sitios cruzados (XSS) a través de un sitios web manipulado. • http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html http://rhn.redhat.com/errata/RHSA-2013-0981.html http:&# • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 9.3EPSS: 1%CPEs: 27EXPL: 0

The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method. La implementación XrayWrapper en Mozilla Firefox anterior a v22.0, Firefox ESR v17.x antes de v17.0.7, Thunderbird anterior a v17.0.7 no restringe correctamente el uso de DefaultValue para las llamadas a métodos, lo que permite a atacantes remotos ejecutar código JavaScript con privilegios de chrome a través de sitios web manipulados que dispara el uso de los métodos user-defined (1) toString o (2) valueOf • http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html http://rhn.redhat.com/errata/RHSA-2013-0981.html http:&# • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.5EPSS: 13%CPEs: 27EXPL: 0

The PreserveWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly handle the lack of a wrapper, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by leveraging unintended clearing of the wrapper cache's preserved-wrapper flag. La implementación PreserveWrapper en Mozilla Firefox antes de v22.0, Firefox ESR 17.x antes de v17.0.7, Thunderbird antes de v17.0.7, y Thunderbird ESR v17.x antes de v17.0.7 no maneja correctamente la pérdida del envoltorio, lo que permite a atacantes remotos causar una denegación del servicio (caída de la aplicación) o posiblemente ejecutar código arbitrario aprovechando la limpieza de la caché del envoltorio. • http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://rhn.redhat.com/errata/RHSA-2013-0981.html http://rhn.redhat.com/errata/RHSA-2013-0982.html http://www.debian.org/security/2013/dsa-2716 http://www.debian.org/security/2013/dsa-2720 • CWE-20: Improper Input Validation •

CVSS: 9.3EPSS: 22%CPEs: 34EXPL: 1

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location. Mozilla Firefox anterior a 22.0, Firefox ESR 17.x anterior a 17.0.7, Thunderbird anterior a 17.0.7, y Thunderbird ESR 17.x anterior a 17.0.7 no manejan adecuadamente los eventos "onreadystatechange" en conjunción con las recargas de página, lo que permite a atacantes remotos provocar una denegación de servicio (caída de aplicación) o posiblemente la ejecución arbitraria de código a través de un sitio web manipulado que provoca un intento de ejecución de datos y una asignación de memoria sin mapear. Mozilla Firefox and Thunderbird do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial-of-service (DoS) or possibly execute malicious code via a crafted web site. • https://www.exploit-db.com/exploits/27429 http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html http://rhn&# • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •