CVE-2012-1962 – Mozilla: JSDependentString:: undepend string conversion results in memory corruption (MFSA 2012-52)
https://notcve.org/view.php?id=CVE-2012-1962
Use-after-free vulnerability in the JSDependentString::undepend function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via vectors involving strings with multiple dependencies. Una vulnerabilidad de uso después de liberación en la función JSDependentString::undepend en Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6, y SeaMonkey antes de v2.11 permite a atacantes remotos causar una denegación de servicio (corrupción de memoria) o posiblemente ejecutar código de su elección a través de vectores relacionados con cadenas con múltiples dependencias. • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/84004 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49965 http://secunia.com/advisories/49968 http://secunia.com/advisories/49972 http:// • CWE-399: Resource Management Errors •
CVE-2012-1963 – Mozilla: Content Security Policy 1.0 implementation errors cause data leakage (MFSA 2012-53)
https://notcve.org/view.php?id=CVE-2012-1963
The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation. La Política de Seguridad de Contenidos (CSP) en Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6, y SeaMonkey antes de v2.11 no restringen adecuadamente las cadenas de texto que se colocan en el parámetro blocked-uri de un informe de violación, lo que permite capturar las credenciales de acceso OpenID y OAuth 2.0 a los servidores web remotos mediante la activación de una violación. • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/84005 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49965 http://secunia.com/advisories/49968 http://secunia.com/advisories/49972 http:// • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-1967 – Mozilla: Code execution through javascript: URLs (MFSA 2012-56)
https://notcve.org/view.php?id=CVE-2012-1967
Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not properly implement the JavaScript sandbox utility, which allows remote attackers to execute arbitrary JavaScript code with improper privileges via a javascript: URL. Mozilla Firefox v4.x a v13.0, Firefox ESR v10.x antes de v10.0.6, Thunderbird v5.0 a v13.0, Thunderbird ESR v10.x antes de v10.0.6 y SeaMonkey antes de v2.11 no implementan adecuadamente la utilidad de caja de arena (sandbox) de Javascript, lo que permite ejecutar código JavaScript de su elección con privilegios indebidos a atacantes remotos a través de una URL javascript: . • http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://osvdb.org/84013 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://secunia.com/advisories/49963 http://secunia.com/advisories/49964 http://secunia.com/advisories/49965 http:// •
CVE-2012-1937 – Mozilla: Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5) (MFSA 2012-34)
https://notcve.org/view.php?id=CVE-2012-1937
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Múltiples vulnerabilidades no especificadas en el motor del navegador de Mozilla Firefox v4.x a v12.0, Firefox ESR v10.x antes de v10.0.5, Thunderbird v5.0 a v12.0, Thunderbird ESR v10.x antes de v10.0.5 y SeaMonkey antes v2.10 permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de la aplicación) o posiblemente ejecutar código de su elección a través de vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00015.html http://rhn.redhat.com/errata/RHSA-2012-0710.html http://rhn.redhat.com/errata/RHSA-2012-0715.html http://www.debian.org/security/2012/dsa-2488 http://www.debian.org/security/2012/dsa-2489 http://www.debian.org/security/2012/dsa-2499 http://www.mandriva.com/security/advisories?name=MDVSA-2012:088 http://www.mozilla.org/securi •
CVE-2012-1938 – Mozilla: Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5) (MFSA 2012-34)
https://notcve.org/view.php?id=CVE-2012-1938
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp, and unknown other components. Múltiples vulnerabilidades no especificadas en el motor del navegador de Mozilla Firefox antes de v13.0, Thunderbird antes de v13.0, y SeaMonkey antes de v2.10 permiten a atacantes remotos causar una denegación de servicio (corrupción de la memoria y caída de la aplicación) o posiblemente ejecutar código de su elección a través de vectores relacionados con (1) methodjit/ImmutableSync.cpp, y con la función (2) JSObject::makeDenseArraySlow en js/src/jsarray.cpp y otros componentes desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00015.html http://rhn.redhat.com/errata/RHSA-2012-0710.html http://rhn.redhat.com/errata/RHSA-2012-0715.html http://www.mandriva.com/security/advisories?name=MDVSA-2012:088 http://www.mozilla.org/security/announce/2012/mfsa2012-34.html http://www.securityfocus.com/bid/53796 https://bugzilla.mozilla.org/show_bug.cgi?id=670317 https://bugzilla. •