Multiple vulnerabilities in Mozilla Firefox ESR

Published: 2018-03-13 19:13:47 | Updated: 2018-03-13
Severity High
Patch available YES
Number of vulnerabilities 7
CVE ID CVE-2018-5127
CVE-2018-5129
CVE-2018-5130
CVE-2018-5131
CVE-2018-5144
CVE-2018-5125
CVE-2018-5145
CVSSv3 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID CWE-120
CWE-787
CWE-119
CWE-200
CWE-190
Exploitation vector Network
Public exploit N/A
Vulnerable software Mozilla Firefox
Vulnerable software versions Mozilla Firefox ESR 52.6
Vendor URL Mozilla

Security Advisory

1) Buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow when manipulating the SVg animatedPathSegList through script. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

2) Out-of-bounds write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a lack of parameter validation on IPC messages. A remote attacker can supply specially crafted malformed IPC messages, trigger out-of-bounds write, escape sandbox and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

3) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a lack of parameter validation on IPC messages. A remote attacker can send packets with a mismatched RTP payload type in WebRTC connections, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

4) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to the fetch() API can return transient local copies of resources that were sent with a no-store or no-cache cache header instead of downloading a copy from the network as it should. A remote attacker can share a common profile while browsing and access previously stored, locally cached data of a website.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

5) Integer overflow

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to integer overflow during conversion of text to some Unicode character sets. A remote attacker can supply unchecked length parameter, trigger overflow and cause the service to crash.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

6) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

7) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version ESR 52.7.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/

Back to List