CVSS: 4.3EPSS: 0%CPEs: 154EXPL: 0CVE-2013-1711
https://notcve.org/view.php?id=CVE-2013-1711
The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object. La implementación XrayWrapper en Mozilla Firefox anterior a v23.0 y SeaMonkey anterior a v2.20 no responde adecuadamente a la posibilidad de una derivación en el ámbito XBL resultante de argumentos no nativos en las llamadas a funciones XBL, lo que hace que sea más fácil para los atacantes remotos realizar ataques de cross-site scripting (XSS), aprovechando el acceso a un objeto sin privilegios. • http://www.mozilla.org/security/announce/2013/mfsa2013-70.html https://bugzilla.mozilla.org/show_bug.cgi?id=843829 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18830 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 36EXPL: 0CVE-2013-1712
https://notcve.org/view.php?id=CVE-2013-1712
Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory. Múltiples vulnerabilidades de path de búsqueda inseguro en updater.exe en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8 en Windows 7, Windows Server 2008 R2, Windows 8, y Windows Server 2012 permiten a los usuarios locales conseguir privilegios a través de una DLL caballo de Troya en (1) el directorio de actualización o (2) el directorio de trabajo actual. • http://www.mozilla.org/security/announce/2013/mfsa2013-71.html https://bugzilla.mozilla.org/show_bug.cgi?id=859072 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18014 •
CVSS: 7.2EPSS: 0%CPEs: 31EXPL: 0CVE-2013-1706
https://notcve.org/view.php?id=CVE-2013-1706
Stack-based buffer overflow in maintenanceservice.exe in the Mozilla Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line. Desbordamiento de búfer basado en pila en maintenanceservice.exe en el servicio Mozilla Maintenance en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v17.0.8, Thunderbird anterior a v17.0.8, y Thunderbird ESR v17.x anterior a v17.0.8 permite a usuarios locales conseguir privilegios a través de una larga ruta en la línea de comandos. • http://www.mozilla.org/security/announce/2013/mfsa2013-66.html https://bugzilla.mozilla.org/show_bug.cgi?id=888361 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18930 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.3EPSS: 0%CPEs: 178EXPL: 0CVE-2013-1713 – Mozilla: Wrong principal used for validating URI for some Javascript components (MFSA 2013-72)
https://notcve.org/view.php?id=CVE-2013-1713
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site. Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8, y SeaMonkey anterior a v 2.20 utiliza un URI incorrecto dentro comparaciones no especificados durante la ejecución de la Same Origin Policy, lo que permite a atacantes remotos realizar ataques de cross-site scripting (XSS) o instalar complementos arbitrarios a través de un sitio web diseñado. • http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-72.html http://www.securityfocus.com/bid/61876 https://bugzilla.mozilla.org/show_bug.cgi?id=887098 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18884 https://access.redhat.com/security/cve/CVE-2013-1713 https://bugzilla.redhat.com/show_bug.cgi?id=993603 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 92%CPEs: 178EXPL: 3CVE-2013-1710 – Firefox toString console.time Privileged Javascript Injection
https://notcve.org/view.php?id=CVE-2013-1710
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. La función crypto.generateCRMFRequest en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8, y SeaMonkey anterior a v 2.20 permite a atacantes remotos ejecutar código JavaScript arbitrario o realizar ataques de cross-site scripting (XSS) a través de vectores relacionados con una solicitud de Certificate Request Message Format (CRMF). On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overriden with a function that gets called from chrome-privileged context. • https://www.exploit-db.com/exploits/30474 http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-69.html http://www.securityfocus.com/bid/61900 https://bugzilla.mozilla.org/show_bug.cgi?id=871368 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18773 https://access.redhat.com/security/cve/CVE-2013-1710 https://bugzilla.redhat.com/show_bug.cgi?id= • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •