CVSS: 4.3EPSS: 0%CPEs: 178EXPL: 0CVE-2013-1714 – Mozilla: Same-origin bypass with web workers and XMLHttpRequest (MFSA 2013-73)
https://notcve.org/view.php?id=CVE-2013-1714
The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors. La implementación Web Workers en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8, y SeaMonkey anterior a v 2.20 no restringe adecuadamente las llamadas XMLHttpRequest, lo que permite a atacantes remotos evitar la Same Origin Policy y realizar ataques de cross-site scripting (XSS) a través de vectores no especificados. • http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-73.html http://www.securityfocus.com/bid/61882 https://bugzilla.mozilla.org/show_bug.cgi?id=879787 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18002 https://access.redhat.com/security/cve/CVE-2013-1714 https://bugzilla.redhat.com/show_bug.cgi?id=993604 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 91%CPEs: 178EXPL: 1CVE-2013-1710 – Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution
https://notcve.org/view.php?id=CVE-2013-1710
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. La función crypto.generateCRMFRequest en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8, y SeaMonkey anterior a v 2.20 permite a atacantes remotos ejecutar código JavaScript arbitrario o realizar ataques de cross-site scripting (XSS) a través de vectores relacionados con una solicitud de Certificate Request Message Format (CRMF). On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overriden with a function that gets called from chrome-privileged context. • https://www.exploit-db.com/exploits/30474 http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-69.html http://www.securityfocus.com/bid/61900 https://bugzilla.mozilla.org/show_bug.cgi?id=871368 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18773 https://access.redhat.com/security/cve/CVE-2013-1710 https://bugzilla.redhat.com/show_bug.cgi?id= • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 31EXPL: 0CVE-2013-1707
https://notcve.org/view.php?id=CVE-2013-1707
Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line to the Mozilla Maintenance Service. Desbordamiento de búfer basado en pila en Mozilla Updater en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v17.0.8, Thunderbird anterior a v17.0.8, y Thunderbird ESR v17.x anterior a v17.0.8 permite a usuarios locales conseguir privilegios a través de una larga ruta en la línea de comandos para el servicio de Mozilla Maintenance. • http://www.mozilla.org/security/announce/2013/mfsa2013-66.html https://bugzilla.mozilla.org/show_bug.cgi?id=888314 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18871 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 6%CPEs: 178EXPL: 0CVE-2013-1701 – Mozilla: Miscellaneous memory safety hazards (rv:17.0.8) (MFSA 2013-63)
https://notcve.org/view.php?id=CVE-2013-1701
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Múltiples vulnerabilidades no especificadas en el motor del navegador de Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v17.0.8, Thunderbird anterior a v17.0.8, Thunderbird ESR v17.x anterior a v17.0.8, y SeaMonkey anterior a v2.20 permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de la aplicación) o posiblemente ejecutar código arbitrario a través de vectores desconocidos. • http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-63.html http://www.securityfocus.com/bid/61874 https://bugzilla.mozilla.org/show_bug.cgi?id=880734 https://bugzilla.mozilla.org/show_bug.cgi?id=888107 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18514 https://access.redhat.com/security/cve/CVE-2013-1701 https://bugzilla.redhat.com/show_bug&# •
CVSS: 6.9EPSS: 0%CPEs: 36EXPL: 0CVE-2013-1712
https://notcve.org/view.php?id=CVE-2013-1712
Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory. Múltiples vulnerabilidades de path de búsqueda inseguro en updater.exe en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8 en Windows 7, Windows Server 2008 R2, Windows 8, y Windows Server 2012 permiten a los usuarios locales conseguir privilegios a través de una DLL caballo de Troya en (1) el directorio de actualización o (2) el directorio de trabajo actual. • http://www.mozilla.org/security/announce/2013/mfsa2013-71.html https://bugzilla.mozilla.org/show_bug.cgi?id=859072 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18014 •