CVE-2014-1485
https://notcve.org/view.php?id=CVE-2014-1485
The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions. La implementación de Content Security Policy (CSP) en Mozilla Firefox anterior a 27.0 y SeaMonkey anterior a 2.24 opera en hojas de estilo XSLT acorde con las directivas style-src en vez de las directivas script-src, lo que permitiría a atacantes remotos ejecutar código XSLT arbitrario mediante el aprovechamiento de las insuficientes restricciones style-src. • http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html http://osvdb.org/102871 http://secunia.com/advisories/56706 http://secunia.com/advisories/56767 http://secunia.com/advisories/56787 http://secunia.com/advisories/56888 http://www.mozilla.org/security/announce/2014/mfsa2014-07.html http://www.oracle.com/technetwork •
CVE-2014-1478
https://notcve.org/view.php?id=CVE-2014-1478
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the MPostWriteBarrier class in js/src/jit/MIR.h and stack alignment in js/src/jit/AsmJS.cpp in OdinMonkey, and unknown other vectors. Múltiples vulnerabilidades no especificadas en el motor de navegación en Mozilla Firefox anterior a 27.0 y SeaMonkey anterior a 2.24 permite a atacantes remotos causar una denegación de servicio (corrupción de memoria y caída de la aplicación) o posiblemente ejecutar un código arbitrario a través de vectores relacionados con la clase MPostWriteBarrier en js/src/jit/MIR.h y alineación de pila en js/src/jit/AsmJS.cpp en OdinMonkey y otros vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html http://osvdb.org/102865 http://secunia.com/advisories/56706 http://secunia.com/advisories/56767 http://secunia.com/advisories/56787 http://secunia.com/advisories/56888 http://secunia.com/advisories/56922 http://www.mozilla.org/security/announce/2014/mfsa2014-01.html& • CWE-787: Out-of-bounds Write •
CVE-2014-1487 – Mozilla: Cross-origin information leak through web workers (MFSA 2014-09)
https://notcve.org/view.php?id=CVE-2014-1487
The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages. La implementación de Web workers en Mozilla Firefox anterior a 27.0, Firefox ESR 24.x anterior a 24.3, Thunderbird anterior a 24.3 y SeaMonkey anterior a 2.24 permite a atacantes remotos evadir Same Origin Policy y obtener información sensible de autenticación a través de vectores que involucran mensajes de error. • http://download.novell.com/Download?buildid=VYQsgaFpQ2k http://download.novell.com/Download?buildid=Y2fux-JW1Qc http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html http://lists • CWE-209: Generation of Error Message Containing Sensitive Information CWE-346: Origin Validation Error •
CVE-2014-1482 – Mozilla: Incorrect use of discarded images by RasterImage (MFSA 2014-04)
https://notcve.org/view.php?id=CVE-2014-1482
RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect write operations) via crafted image data, as demonstrated by Goo Create. RasterImage.cpp en Mozilla Firefox anterior a 27.0, Firefox ESR 24.x anterior a 24.3, Thunderbird anterior a 24.3 y SeaMonkey anterior a 2.24 no previene el acceso a datos descartados, lo que permite a atacantes remotos ejecutar un código arbitrario o causar una denegación de servicio (operaciones de escritura incorrectas) a través de datos de imagen manipulados, como ha demostrado Goo Create. • http://download.novell.com/Download?buildid=VYQsgaFpQ2k http://download.novell.com/Download?buildid=Y2fux-JW1Qc http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html http://lists • CWE-787: Out-of-bounds Write •
CVE-2014-1486 – Mozilla Firefox imgRequestProxy Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-1486
Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data. Vulnerabilidad de uso después de liberación en la función imgRequestProxy en Mozilla Firefox anterior a 27.0, Firefox ESR 24.x anterior a 24.3, Thunderbird anterior a 24.3 y SeaMonkey anterior a 2.24 permite a atacantes remotos ejecutar código arbitrario a través de vectores involucrando valores Content-Type no especificados para datos de imagen. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of imgRequestProxy objects. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. • http://download.novell.com/Download?buildid=VYQsgaFpQ2k http://download.novell.com/Download?buildid=Y2fux-JW1Qc http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html http://lists • CWE-416: Use After Free •