CVSS: 7.1EPSS: 4%CPEs: 33EXPL: 0CVE-2009-3385 – SeaMonkey scriptable plugin execution in mail (mfsa2010-06)
https://notcve.org/view.php?id=CVE-2009-3385
The mail component in Mozilla SeaMonkey before 1.1.19 does not properly restrict execution of scriptable plugin content, which allows user-assisted remote attackers to obtain sensitive information via crafted content in an IFRAME element in an HTML e-mail message, as demonstrated by a Flash object that sends arbitrary local files during a reply or forward operation. El componente mail en Mozilla SeaMonkey anteriores a v1.1.19 no restringe de forma adecuada la ejecuc´ión de contenidos de plugin ejecutable, lo que permite a usuarios asistidos por atacantes remotos obtener información sensible a través de contenido manipulado en un elemento IFRAME en un mensaje de correo HTML, como se demostró mediante un objeto Flash que enviaba ficheros locales de su elección mientras se ejecutaba una acción de avance o retroceso. • http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html http://secunia.com/advisories/39001 http://www.mozilla.org/security/announce/2010/mfsa2010-06.html http://www.securityfocus.com/bid/38830 http://www.vupen.com/english/advisories/2010/0648 https://bugzilla.mozilla.org/show_bug.cgi?id=371976 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10271 https://access.redhat.com/security/cve/CVE-2009-3385 https://bugzilla.redhat.com&#x • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 1%CPEs: 91EXPL: 0CVE-2010-0161
https://notcve.org/view.php?id=CVE-2010-0161
The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via crafted data in a session that uses SSPI. La función nsAuthSSPI::Unwrap en extensions/auth/nsAuthSSPI.cpp en Mozilla Thunderbird anteriores a v2.0.0.24 y SeaMonkey anteriores a v1.1.19 en Windows Vista, Windows Server 2008 R2, y Windows 7 permite a servidores SMTP, IMAP y POP, provocar una denegación de servicio (corrupción de memoria dinámica y caída de la aplicación) o posiblemente ejecución de código remoto a través de datos manipulados en una sesión que utiliza SSPI. • http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html http://secunia.com/advisories/39001 http://www.mozilla.org/security/announce/2010/mfsa2010-07.html http://www.securityfocus.com/bid/38831 http://www.vupen.com/english/advisories/2010/0648 https://bugzilla.mozilla.org/show_bug.cgi?id=511806 https://exchange.xforce.ibmcloud.com/vulnerabilities/56992 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14159 • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 6%CPEs: 92EXPL: 0CVE-2010-0163 – seamonkey/thunderbird: crash when indexing certain messages with attachments
https://notcve.org/view.php?id=CVE-2010-0163
Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing. Mozilla Thunderbird anteriores a la v2.0.0.24 y SeaMonkey anteriores a la v1.1.19 procesa ficheros adjuntos a correos electrónicos con un analizados sintáctico que realiza repartos y terminaciones de línea de forma incorrecta, lo que permite a atacantes remotos provocar una denegación de servicio (caída de aplicación) y posiblemente ejecución de código de su elección a través de un mensaje manipulado, relativo a la indexación de mensajes. • http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html http://secunia.com/advisories/38977 http://secunia.com/advisories/39001 http://www.mozilla.org/security/announce/2010/mfsa2010-07.html http://www.redhat.com/support/errata/RHSA-2010-0499.html http://www.securityfocus.com/bid/38831 http://www.ubuntu.com/usn/USN-915-1 http://www.vupen.com/english/advisories/2010/0648 http://www.vupen.com/english/advisories/2010/1556 https://bugzilla.mozilla.org/sh •
CVSS: 4.3EPSS: 0%CPEs: 71EXPL: 1CVE-2010-0654 – firefox: cross-domain information disclosure
https://notcve.org/view.php?id=CVE-2010-0654
Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 permit cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive information via a crafted document. Mozilla Firefox versiones 3.5.x anteriores a 3.5.11 y versiones 3.6.x anteriores a 3.6.7, Thunderbird versiones 3.0.x anteriores a 3.0.6 y versiones 3.1.x anteriores a 3.1.1, y SeaMonkey anterior a versión 2.0.6, permiten la carga de hojas de estilo CSS de origen cruzado incluso cuando la descarga de hojas de estilo tiene un tipo MIME incorrecto y el documento de stylesheet está malformado, lo que permite a los atacantes remotos obtener información confidencial por medio de un documento especialmente diseñado. • http://code.google.com/p/chromium/issues/detail?id=9877 http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html http://websec.sv.cmu.edu/css/css.pdf http://www.mozilla.org/security/announce/2010/mfsa2010-46.html https://bugzilla.mozilla.org/show_bug.cgi?id=524223 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11811 https://access.redhat.com/security/cve/CVE-2010-0654 https://bugzilla.redhat.com/show_bug.cgi?id&# • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 1%CPEs: 33EXPL: 0CVE-2009-3988 – Mozilla Firefox showModalDialog Cross-Domain Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2009-3988
Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values. Mozilla Firefox v3.0.x anterior a la v3.0.18 y v3.5.x anterior a la v3.5.8, y SeaMonkey anterior a la v2.0.3, no restringen de forma adecuada el acceso a las propiedades del objeto en showModalDialog, lo que permite a atacantes remotos saltarse la Same Origin Policy y conducir un ataque de ejecución de secuencias de comandos en sitios cruzados a través de valores manipulados dialogArguments. This vulnerability allows remote attackers to bypass specific script execution enforcements on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the lack of cross domain policy enforcement. Through usage of the showModalDialog() JavaScript method an attacker can gather sensitive information from another website. • http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035346.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035367.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035426.html http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00001.html http://secunia.com/advisories/37242 http://secunia.com/advisories/38847 http://www.debian.org/security/2010/dsa-1999 http://www.mandriva.com/security/advisories?name=MDVSA-2010:042 • CWE-264: Permissions, Privileges, and Access Controls •