CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10 High (Confidence: High)

EPSS: 0.035 Low (Percentile: 91.5%)
Multiple serious vulnerabilities have been found in Firefox and Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, escalate privileges, spoof the user interface, bypass security restrictions, obtain sensitive information and execute arbitrary code.
Below is the complete list of vulnerabilities:
Technical details
Vulnerability (1) occurs because of improper sanitization of the web page source code.
In case of vulnerability (12), denial of service occurs during an attempt to view a certificate in the certificate manager if the certificate has an extremely long object identifier (OID).
Vulnerability (13) allows malicious users to write arbitrary data to a special location in memory controlled by them.
Vulnerabilities (13), (15), (25) and (26) affect Windows operating systems only.
Vulnerability (15) exists because of a violation of DEP protection: an RWX (Read/Write/Execute) memory block is allocated but never protected.
Vulnerability (19) exists because an algorithm uses mixed Jacobian-affine coordinates, which can return the result POINT_AT_INFINITY, leading the attacked party to compute an incorrect shared secret.
Vulnerability (20) affects Linux-based operating systems only.
Vulnerability (20) exists because the sandbox broker allows files to be truncated even though the sandbox explicitly has only read access to the local file system and no write permissions.
In case of vulnerability (21), data on the about:webrtc page is supplied by WebRTC usage and is not under third-party control.
In case of vulnerability (24), if a server sends two Strict-Transport-Security (STS) headers for a single connection, they are rejected as invalid and HTTP Strict Transport Security (HSTS) is not enabled for the connection.
Vulnerabilities 1-16 are related to Mozilla Firefox ESR.
All vulnerabilities are related to Mozilla Firefox.
NB: These vulnerabilities do not have any public CVSS rating, so the rating may change over time.
NB: At this moment Mozilla has only reserved CVE numbers for these vulnerabilities. The information may change soon.
Public exploits exist for this vulnerability.
CVE-2017-7786 critical
CVE-2017-7753 high
CVE-2017-7787 warning
CVE-2017-7807 high
CVE-2017-7792 critical
CVE-2017-7804 warning
CVE-2017-7791 warning
CVE-2017-7782 warning
CVE-2017-7803 warning
CVE-2017-7779 critical
CVE-2017-7800 critical
CVE-2017-7801 critical
CVE-2017-7809 critical
CVE-2017-7784 critical
CVE-2017-7802 critical
CVE-2017-7785 critical
CVE-2017-7798 high
CVE-2017-7806 warning
CVE-2017-7808 warning
CVE-2017-7781 warning
CVE-2017-7794 warning
CVE-2017-7799 warning
CVE-2017-7783 warning
CVE-2017-7788 critical
CVE-2017-7789 warning
CVE-2017-7790 warning
CVE-2017-7796 warning
CVE-2017-7797 warning
CVE-2017-7780 critical
Update to the latest version: Download Mozilla Firefox
Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or in the vulnerable process.
Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an attacker to capture information that is critical for the user or the system.
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.
Security bypass. Exploitation of vulnerabilities with this impact can allow actions restricted by the current security settings.
Privilege escalation. Exploitation of vulnerabilities with this impact can allow an attacker to perform actions that are normally disallowed for the current role.
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that deceive the user into incorrect behavior.