CVSS: 7.2EPSS: 0%CPEs: 31EXPL: 0CVE-2013-1706
https://notcve.org/view.php?id=CVE-2013-1706
Stack-based buffer overflow in maintenanceservice.exe in the Mozilla Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line. Desbordamiento de búfer basado en pila en maintenanceservice.exe en el servicio Mozilla Maintenance en Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v17.0.8, Thunderbird anterior a v17.0.8, y Thunderbird ESR v17.x anterior a v17.0.8 permite a usuarios locales conseguir privilegios a través de una larga ruta en la línea de comandos. • http://www.mozilla.org/security/announce/2013/mfsa2013-66.html https://bugzilla.mozilla.org/show_bug.cgi?id=888361 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18930 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.3EPSS: 0%CPEs: 178EXPL: 0CVE-2013-1709 – Mozilla: Document URI misrepresentation and masquerading (MFSA 2013-68)
https://notcve.org/view.php?id=CVE-2013-1709
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. Mozilla Firefox anterior a v23.0, Firefox ESR v17.x anterior a v 17.0.8, Thunderbird anterior a v 17.0.8, Thunderbird ESR v17.x anterior a v 17.0.8, y SeaMonkey anterior a v 2.20 no maneja adecuadamente la interacción entre los elementos FRAME y el historial, lo que permite a atacantes remotos realicen ataques de cross-site scripting (XSS) a través de vectores relacionados con la suplantación de una ubicación relativa en un documento previamente visitado. • http://www.debian.org/security/2013/dsa-2735 http://www.debian.org/security/2013/dsa-2746 http://www.mozilla.org/security/announce/2013/mfsa2013-68.html http://www.securityfocus.com/bid/61867 https://bugzilla.mozilla.org/show_bug.cgi?id=848253 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18531 https://access.redhat.com/security/cve/CVE-2013-1709 https://bugzilla.redhat.com/show_bug.cgi?id=993600 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 8%CPEs: 27EXPL: 0CVE-2013-1686 – Mozilla: Memory corruption found using Address Sanitizer (MFSA 2013-50)
https://notcve.org/view.php?id=CVE-2013-1686
Use-after-free vulnerability in the mozilla::ResetDir function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Vulnerabilidad de usar-despues-de-liberar en la función mozilla::ResetDir en Mozilla Firefox anterior a v22.0, Firefox ESR v17.x anterior a v17.0.7, Thunderbird anterior a v17.0.7, y Thunderbird ESR v17.x anterior a v17.0.7 permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria dinámica) mediantes vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html http://rhn.redhat.com/errata/RHSA-2013-0981.html http:&# • CWE-399: Resource Management Errors •
CVSS: 9.3EPSS: 0%CPEs: 27EXPL: 0CVE-2013-1687 – Mozilla: Privileged content access and execution via XBL (MFSA 2013-51)
https://notcve.org/view.php?id=CVE-2013-1687
The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site. Las implementaciones System Only Wrapper (SOW) y Chrome Object Wrapper (COW) en Mozilla Firefox anterior a v22.0, Firefox ESR v17.x anterior a v17.0.7, Thunderbird anterior a v17.0.7, y Thunderbird ESR v17.x anterior a v17.0.7 no restringen adecuadamente las funciones XBL definidas por el usuario lo que permite a atacantes remotos ejecutar código JavaScript con privilegios de chrome, o llevar a cabo ataques de ejecución de secuencias de comandos en sitios cruzados (XSS) a través de un sitios web manipulado. • http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html http://rhn.redhat.com/errata/RHSA-2013-0981.html http:&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.3EPSS: 1%CPEs: 27EXPL: 0CVE-2013-1697 – Mozilla: XrayWrappers can be bypassed to run user defined methods in a privileged context (MFSA 2013-59)
https://notcve.org/view.php?id=CVE-2013-1697
The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method. La implementación XrayWrapper en Mozilla Firefox anterior a v22.0, Firefox ESR v17.x antes de v17.0.7, Thunderbird anterior a v17.0.7 no restringe correctamente el uso de DefaultValue para las llamadas a métodos, lo que permite a atacantes remotos ejecutar código JavaScript con privilegios de chrome a través de sitios web manipulados que dispara el uso de los métodos user-defined (1) toString o (2) valueOf • http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html http://rhn.redhat.com/errata/RHSA-2013-0981.html http:&# • CWE-264: Permissions, Privileges, and Access Controls •