CVSS: 5.1EPSS: 14%CPEs: 173EXPL: 1CVE-2010-3770 – Mozilla Firefox/Thunderbird/SeaMonkey - Multiple HTML Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-3770
Multiple cross-site scripting (XSS) vulnerabilities in the rendering engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allow remote attackers to inject arbitrary web script or HTML via (1) x-mac-arabic, (2) x-mac-farsi, or (3) x-mac-hebrew characters that may be converted to angle brackets during rendering. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en el motor de renderizado en Mozilla Firefox en versiones anteriores a la 3.5.16 y 3.6.x en versiones anteriores a la 3.6.13 y SeaMonkey en versiones anteriores a la 2.0.11, permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante caracteres (1) x-mac-arabic, (2) x-mac-farsi o (3) x-mac-hebrew. • https://www.exploit-db.com/exploits/35095 http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052022.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052032.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052502.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052504.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00002.html http://secunia.com/advisories/42716 http://secunia.com/advisori • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 1%CPEs: 173EXPL: 0CVE-2010-3771 – Mozilla Chrome privilege escalation with window.open and <isindex> element (MFSA 2010-76)
https://notcve.org/view.php?id=CVE-2010-3771
Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle injection of an ISINDEX element into an about:blank page, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via vectors related to redirection to a chrome: URI. Mozilla Firefox en versiones anteriores a la 3.5.16 y 3.6.x en versiones anteriores a la 3.6.13 y SeaMonkey en versiones anteriores a la 2.0.11, no manejan de manera apropiada la inyección de un elemento ISINDEX en una página about:blank, lo que permite a atacantes remotos ejecutar código JvaScript de su elección con privilegios chrome mediante vectores relacionados con una redirección a una URI chrome: • http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052022.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052032.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052502.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052504.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00002.html http://secunia.com/advisories/42716 http://secunia.com/advisories/42818 http://support.avaya.com/css/P8& •
CVSS: 9.3EPSS: 14%CPEs: 173EXPL: 0CVE-2010-3772 – Mozilla crash and remote code execution using HTML tags inside a XUL tree (MFSA 2010-77)
https://notcve.org/view.php?id=CVE-2010-3772
Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly calculate index values for certain child content in a XUL tree, which allows remote attackers to execute arbitrary code via vectors involving a DIV element within a treechildren element. Mozilla Firefox en versiones anteriores a la 3.5.16 y 3.6.x en versiones anteriores a la 3.6.13 y SeaMonkey en versiones anteriores a la 2.0.11, no calculan adecuadamente los valores de los índices para ciertos contenidos hijos en un árbol XUL, lo que permite a atacantes remotos ejecutar código de su elección mediante vectores que involucran un elemento DIV dentro de un elemento treechildren. • http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052022.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052032.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052502.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052504.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00002.html http://secunia.com/advisories/42716 http://secunia.com/advisories/42818 http://support.avaya.com/css/P8& • CWE-189: Numeric Errors •
CVSS: 6.8EPSS: 1%CPEs: 173EXPL: 0CVE-2010-3773 – Mozilla incomplete fix for CVE-2010-0179 (MFSA 2010-82)
https://notcve.org/view.php?id=CVE-2010-3773
Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0179. Mozilla Firefox en versiones anteriores a la 3.5.16 y 3.6.x en versiones anteriores a la 3.6.13 y SeaMonkey en versiones anteriores a la 2.0.11, cuanto se usa el módulo XMLHttpRequestSpy en el complemento Firebug, no maneja adecuadamente la interacción entre el objeto XMLHttpRequestSpy y objetos chrome privilegiados, lo que permite a atacantes remotos ejecutar código JavaScript de su elección mediante una respuesta HTTP debidamente modificada. NOTA: esta vulnerabilidad existe debido a un parche incompleto de la CVE-2010-0179. • http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052022.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052032.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052502.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052504.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00002.html http://secunia.com/advisories/42716 http://secunia.com/advisories/42818 http://support.avaya.com/css/P8& •
CVSS: 5.1EPSS: 0%CPEs: 173EXPL: 0CVE-2010-3774 – Mozilla location bar SSL spoofing using network error page (MFSA 2010-83)
https://notcve.org/view.php?id=CVE-2010-3774
The NS_SecurityCompareURIs function in netwerk/base/public/nsNetUtil.h in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle (1) about:neterror and (2) about:certerror pages, which allows remote attackers to spoof the location bar via a crafted web site. La función NS_SecurityCompareURIs en netwerk/base/public/nsNetUtil.h en Mozilla Firefox en versiones anteriores a la 3.5.16 y 3.6.x en versiones anteriores a la 3.6.13 y SeaMonkey en versiones anteriores a la 2.0.11, no maneja de manera apropiada páginas (1) about:neterror y (2) about:certerror, lo que permite a atacantes remotos falsificar la barra de direcciones mediante un sitio web preparado para tal fin. • http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052022.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052032.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052502.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052504.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00002.html http://secunia.com/advisories/42716 http://secunia.com/advisories/42818 http://support.avaya.com/css/P8& • CWE-20: Improper Input Validation •