CVE-2013-6674 – Mozilla Thunderbird 17.0.6 - Input Validation Filter Bypass
https://notcve.org/view.php?id=CVE-2013-6674
Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a related issue to CVE-2014-2018. Vulnerabilidad de XSS en Mozilla Thunderbird 17.x hasta 17.0.8, Thunderbird ESR 17.x hasta 17.0.10 y SeaMonkey anterior a 2.20 permite a atacantes remotos asistidos por usuario inyectar script Web o HTML arbitrarios a través de un mensaje de e-mail que contiene un dato: URL en un elemento IFRAME, un problema relacionado con CVE-2014-2018. • https://www.exploit-db.com/exploits/31223 http://osvdb.org/102566 http://packetstormsecurity.com/files/124965/Mozilla-Thunderbird-Filter-Bypass.html http://seclists.org/fulldisclosure/2014/Jan/182 http://www.kb.cert.org/vuls/id/863369 http://www.mozilla.org/security/announce/2014/mfsa2014-14.html http://www.securitytracker.com/id/1029773 http://www.securitytracker.com/id/1029774 http://www.ubuntu.com/usn/USN-2119-1 https://bugzilla.mozilla.org/show_bug.cgi?id=868267 https • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-2566
https://notcve.org/view.php?id=CVE-2013-2566
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. El algoritmo RC4, tal como se usa en el protocolo TLS y protocolo SSL, tiene muchos "single-byte biases", lo que hace que sea más fácil para atacantes remotos realizar ataques de recuperación de texto claro a través de análisis estadístico de texto cifrado en un gran número de sesiones que utilizan el mismo texto claro. • http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html http://cr.yp.to/talks/2013.03.12/slides.pdf http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://marc.info/?l=bugtraq&m=143039468003789&w=2 http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www.isg.rhul.ac.uk/tls http://www.mozilla.org/security/announce/2013/mfsa2013& • CWE-326: Inadequate Encryption Strength •