#VU33973 Input validation error in XULRunner - CVE-2011-0081
Vulnerability identifier: #VU33973
Vulnerability risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
XULRunner
Universal components / Libraries /
Programming Languages & Components
Vendor: Mozilla
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.17 and 4.x before 4.0.1, and Thunderbird 3.1.x before 3.1.10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
XULRunner: 3.6.20 - 3.6.28
External links
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird
https://downloads.avaya.com/css/P8/documents/100144158
https://www.debian.org/security/2011/dsa-2227
https://www.debian.org/security/2011/dsa-2228
https://www.debian.org/security/2011/dsa-2235
https://www.mandriva.com/security/advisories?name=MDVSA-2011:079
https://www.mandriva.com/security/advisories?name=MDVSA-2011:080
https://www.mozilla.org/security/announce/2011/mfsa2011-12.html
https://www.securityfocus.com/bid/47653
https://bugzilla.mozilla.org/show_bug.cgi?id=645289
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
