CVSS: 10.0EPSS: 15%CPEs: 11EXPL: 0CVE-2009-2662
https://notcve.org/view.php?id=CVE-2009-2662
The browser engine in Mozilla Firefox 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the TraceRecorder::snapshot function in js/src/jstracer.cpp, and unspecified other vectors. El motor de búsqueda en Mozilla Firefox anteriores v3.0.13 , y v3.5.x anteriores v3.5.2, permite a atacantes remotos causar una denegación de servicio (consumo de memoria y caída de aplicación) o probablemente ejecutar código a su elección a través de vectores relacionados con la función TraceRecorder::snapshot en js/src/jstracer.cpp, y otros vectores no especificados. • http://secunia.com/advisories/36126 http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1 http://www.mozilla.org/security/announce/2009/mfsa2009-45.html http://www.securityfocus.com/bid/35927 http://www.vupen.com/english/advisories/2009/2142 https://bugzilla.mozilla.org/show_bug.cgi?id=502832 https://bugzilla.mozilla.org/show_bug.cgi?id=503144 https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html https://www.redhat.com/archives/fedora-p • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.8EPSS: 16%CPEs: 103EXPL: 0CVE-2009-2664
https://notcve.org/view.php?id=CVE-2009-2664
The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript engine in Mozilla Firefox before 3.0.12 allows remote attackers to cause a denial of service (assertion failure and application exit) or possibly execute arbitrary code via a crafted .js file, related to a "memory safety bug." NOTE: this was originally reported as affecting versions before 3.0.13. la función js_watch_set en js/src/jsdbgapi.cpp en el motor JavaScript de Mozilla Firefox anterior a v3.0.13, y v3.5.x anterior a v3.5.2, permite a atacantes remotos provocar una denegación de servicio (fallo de aserción o salida de aplicación) o posiblemente la ejecución de código de su elección a través de un archivo .js manipulado, relacionado con "bug en la securización de la memoria". • http://secunia.com/advisories/36126 http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1 http://www.mozilla.org/security/announce/2009/mfsa2009-45.html http://www.securityfocus.com/bid/35927 http://www.vupen.com/english/advisories/2009/2142 https://bugzilla.mozilla.org/show_bug.cgi?id=501270 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9806 https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html https:/& • CWE-399: Resource Management Errors •
CVSS: 5.0EPSS: 2%CPEs: 103EXPL: 0CVE-2009-2470 – Mozilla data corruption with SOCKS5 reply
https://notcve.org/view.php?id=CVE-2009-2470
Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply. Mozilla Firefox en versiones anteriores a la 3.0.12 y 3.5.x en versiones anteriores a la 3.5.2 permite a servidores proxy SOCKS5 remotos provocar una denegación de servicio (corrupción del flujo de datos) mediante un nombre de dominio largo en una respuesta. • http://secunia.com/advisories/36126 http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1 http://www.mozilla.org/security/announce/2009/mfsa2009-38.html http://www.redhat.com/support/errata/RHSA-2010-0153.html http://www.redhat.com/support/errata/RHSA-2010-0154.html http://www.securityfocus.com/bid/35925 http://www.securitytracker.com/id?1022665 http://www.vupen.com/english/advisories/2009/2142 http://www.vupen.com/english/advisories/2010/0650 https://bug • CWE-20: Improper Input Validation •
CVSS: 5.8EPSS: 3%CPEs: 108EXPL: 3CVE-2009-2654 – Mozilla Firefox 3.5.1 - Error Page Address Bar URI Spoofing
https://notcve.org/view.php?id=CVE-2009-2654
Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page. Firefox de Mozilla anterior a versión 3.0.13, y versiones 3.5.x anteriores a 3.5.2, permite a atacantes remotos falsificar la barra de direcciones y posiblemente realizar ataques de tipo phishing, por medio de una página web diseñada que llama a window.open con un carácter no válido en la URL, hace llamadas de document.write hacia el objeto resultante y luego llama al método stop durante la carga de la página de error. • https://www.exploit-db.com/exploits/33103 http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability http://es.geocities.com/jplopezy/firefoxspoofing.html http://osvdb.org/56717 http://secunia.com/advisories/36001 http://secunia.com/advisories/36126 http://secunia.com/advisories/36141 http://secunia.com/advisories/36435 http://secunia.com/advisories/36669 http://secunia.com/advisories/36670 http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1 ht • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 0CVE-2009-2408 – firefox/nss: doesn't handle NULL in Common Name properly
https://notcve.org/view.php?id=CVE-2009-2408
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. Mozilla Firefox anterior a v3.5 y NSS anterior a v3.12.3 no tratan apropiadamente un carácter '\0' en un nombre de dominio en el campo nombre común (CN) del asunto de un certificado X.509, que permite a un atacante de hombre-en-el-medio suplantar servidores SSL arbitrarios a través de un certificado manipulado por una autoridad de certificación. • http://isc.sans.org/diary.html?storyid=7003 http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html http://marc.info/?l=oss-security&m=125198917018936&w=2 http://osvdb.org/56723 http://secunia.com/advisories/36088 http://secunia.com/advisories/36125 http://secunia.com/advisories/36139 http://secunia.com/advisories/36157 http://secunia.com/advisories/36434 http://secunia.com/advisories/36669 http://secunia.com/advisories/37098 http://sunsolve.sun.com • CWE-295: Improper Certificate Validation •