NASLDB: Debian DSA-810-1 : mozilla - several vulnerabilities
General
ID: 19685
Name: Debian DSA-810-1 : mozilla – several vulnerabilities
Summary: Checks dpkg output for the updated package
Credits: –
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Temporal Vector: CVSS2#E:H/RL:OF/RC:C
Port: 0
Family: Debian Local Security Checks
Type: Local
Description
Several problems have been discovered in Mozilla, the web browser of
the Mozilla suite. Since the usual praxis of backporting apparently
does not work for this package, this update is basically version
1.7.10 with the version number rolled back, and hence still named
1.7.8. The Common Vulnerabilities and Exposures project identifies the
following problems :
– CAN-2004-0718, CAN-2005-1937
A vulnerability has been discovered in Mozilla that
allows remote attackers to inject arbitrary Javascript
from one page into the frameset of another site.
– CAN-2005-2260
The browser user interface does not properly distinguish
between user-generated events and untrusted synthetic
events, which makes it easier for remote attackers to
perform dangerous actions that normally could only be
performed manually by the user.
– CAN-2005-2261
XML scripts ran even when Javascript disabled.
– CAN-2005-2263
It is possible for a remote attacker to execute a
callback function in the context of another domain (i.e.
frame).
– CAN-2005-2265
Missing input sanitising of InstallVersion.compareTo()
can cause the application to crash.
– CAN-2005-2266
Remote attackers could steal sensitive information such
as cookies and passwords from web sites by accessing
data in alien frames.
– CAN-2005-2268
It is possible for a Javascript dialog box to spoof a
dialog box from a trusted site and facilitates phishing
attacks.
– CAN-2005-2269
Remote attackers could modify certain tag properties of
DOM nodes that could lead to the execution of arbitrary
script or code.
– CAN-2005-2270
The Mozilla browser family does not properly clone base
objects, which allows remote attackers to execute
arbitrary code.
Exploiting
Exploit Available: True
Exploitability Ease: Exploits are available
Sources
CVE: CVE-2004-0718
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: 2005/04/11
Patch Release: 2005/09/13
Plugin Release: 2005/09/13
Plugin
Version: 1.20
Filename: debian_DSA-810.nasl
Filesize: 6227 bytes
MD5 Hash: 3f539b2dfdde3781e7a2d7c37695b66d
Identification: Host/local_checks_enabled
Require Keys: Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l
Dependencies: "ssh_get_info.nasl"
Copyright: This script is© 2005-2012 Tenable Network Security, Inc.
- Latest Plugins
- USN-1611-1 : thunderbird vulnerabilities
- USN-1610-1 : linux vulnerability
- USN-1609-1 : linux-ti-omap4 vulnerability
- SuSE 10 Security Update : PostgreSQL
- RHSA-2012-1364: bind97
- RHSA-2012-1363: bind
- RHSA-2012-1362: thunderbird
- RHSA-2012-1361: xulrunner
- Mandriva Linux Security Advisory : graphicsmagick
- FreeBSD : phpMyAdmin — Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack