CVSS: 7.5EPSS: 35%CPEs: 4EXPL: 0CVE-2008-0304 – thunderbird/seamonkey: MIME External-Body Heap Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2008-0304
Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview. Desbordamiento de búfer basado en montículo en Mozilla Thunderbird antes de 2.0.0.12 y SeaMonkey antes de 1.1.8 podrían permitir a atacantes remotos ejecutar código de su elección a través de un tipo MIME "message/external-body" manipulado en un e-mail, relacionado a una reserva de memoria incorrecta durante la previsualización del mensaje. • http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=668 http://secunia.com/advisories/29098 http://secunia.com/advisories/29133 http://secunia.com/advisories/29167 http://secunia.com/advisories/29211 http://secunia.com/advisories/30327 http://secunia.com/advisories/31043 http://secunia.com/advisories/31253 http://secunia.com/advisories/33433 http://securitytracker.com/id?1019504 http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.445 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 11%CPEs: 3EXPL: 0CVE-2008-0412 – Mozilla layout engine crashes
https://notcve.org/view.php?id=CVE-2008-0412
The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors. El motor de búsqueda en Mozilla Firefox versiones anteriores a la 2.0.0.12, Thunderbird versiones anteriores a la 2.0.0.12 y SeaMonkey versiones anteriores a la 1.1.8 permite a atacantes remotos provocar una denegación de servicio (caída) y posiblemente disparar una corrupción de memoria a través de vectores relacionados con los métodos (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame y (6) nsLineLayout::TrimTrailingWhiteSpaceIn y con otros vectores. • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28758 http://secunia.com/advisories/28766 http://secunia.com/advisories/28808 http://secunia.com/advisories/28815 http://secunia.com/advisories/28818 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http:/& • CWE-399: Resource Management Errors •
CVSS: 9.3EPSS: 34%CPEs: 3EXPL: 0CVE-2008-0413 – Mozilla javascript engine crashes
https://notcve.org/view.php?id=CVE-2008-0413
The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via (1) a large switch statement, (2) certain uses of watch and eval, (3) certain uses of the mousedown event listener, and other vectors. El motor JavaScript de Mozilla Firefox versiones anteriores a 2.0.0.12, Thunderbird versiones anteriores a 2.0.0.12, y SeaMonkey versiones anteriores a 1.1.8 permite a atacantes remotos provocar una denegación de servicio (caída) y posiblemente disparar una corrupción de memoria a través de (1) sentencia switch larga (2) determinados usos de watch y eval, (3) determinados usos del evento de escucha mousedown y otros vectores. • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28758 http://secunia.com/advisories/28766 http://secunia.com/advisories/28808 http://secunia.com/advisories/28815 http://secunia.com/advisories/28818 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http:/& • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 1%CPEs: 2EXPL: 0CVE-2008-0414 – mozilla: multiple file input focus stealing vulnerabilities
https://notcve.org/view.php?id=CVE-2008-0414
Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to trick the user into uploading arbitrary files via label tags that shift focus to a file input field, aka "focus spoofing." Mozilla Firefox versiones anteriores a 2.0.0.12 y SeaMonkey versiones anteriores a 1.1.8, permiten a atacantes remotos con la intervención del usuario engañarle enviando archivos de su elección a través de etiquetas label que cambian el foco a un campo de entrada de archivo, también conocido como "focus spoofing." • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28758 http://secunia.com/advisories/28815 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http://secunia.com/advisories/28879 http://secunia.com/advisories/28924 http://secunia.com/advisories/28939 http://secunia.com/advisories/28958 http:/& • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2008-0415 – Mozilla arbitrary code execution
https://notcve.org/view.php?id=CVE-2008-0415
Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs." Mozilla Firefox versiones anteriores a 2.0.0.12, Thunderbird versiones anteriores a 2.0.0.12, y SeaMonkey versiones anteriores a 1.1.8, permiten a atacantes remotos ejecutar scripts fuera de la caja de arena (sandbox) y realizar ataques de secuencias de comandos en sitios cruzados (XSS) a través de múltiples vectores incluyendo la función XMLDocument.load, también conocidos como "bugs de escalado de privilegios en JavaScript".< • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28758 http://secunia.com/advisories/28766 http://secunia.com/advisories/28808 http://secunia.com/advisories/28815 http://secunia.com/advisories/28818 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http:/& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •