Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kasperskyKaspersky LabKLA11271
HistoryJun 26, 2018 - 12:00 a.m.

KLA11271 Multiple vulnerabilities in Mozilla Firefox and Mozilla Firefox ESR

2018-06-2600:00:00
Kaspersky Lab
threats.kaspersky.com
187

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.33 Low

EPSS

Percentile

97.1%

JSON

Multiple serious vulnerabilities have been found in Mozilla Firefox and Mozilla Firefox ESR. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, cause denial of service and obtain sensitive information.

Below is a complete list of vulnerabilities:

  1. Incorrect redirect handling in Mozilla Firefox can be exploited remotely via specially designed website to obtain sensitive information;
  2. Buffer overflow vulnerability occurring in canvas rendering can be exploited remotely via specially designed website to cause denial of service;
  3. Use-after-free vulnerability occurring in element deleting can be exploited remotely via specially designed website to cause denial of service;
  4. Integer overflow vulnerability in SwizzleData can be exploited remotely via specially designed website to cause denial of service;
  5. Integer overflow vulnerability in SSSE3 scaler can be exploited remotely via specially designed website to cause denial of service;
  6. Use-after-free vulnerability occurring in moving DOM nodes between documents can be exploited remotely via specially designed website to cause denial of service;
  7. incorrect requests handling in NPAPI plugins can be exploited remotely via specially designed website to obtain sensitive information;
  8. Vulnerability in IPC sandbox security policy can be exploited remotely via specially designed website to obtain sensitive information;
  9. Out-of-bounds read vulnerability in QCMS can be exploited remotely via specially designed website to obtain sensitive information;
  10. Vulnerability related to the PerformanceNavigationTiming method can be exploited to bypass Spectre mitigations;
  11. Vulnerability related to the browser does not warn users when opening executable files with the SettingContent-ms extension;
  12. Improper authorization process handling in WebExtensions can be exploited to gain privileges;
  13. Improper default security settings vulnerability in SameSite can be exploited to obtain sensitive information;
  14. Integer overflow vulnerability in Skia library can be exploited remotely to cause denial of service;

Technical details

Vulnerabilities (1,13,14) only affects Mozilla Firefox.

Vulnerabilities (4,12) only affects Mozilla Firefox and Mozilla Firefox ESR 60.

Vulnerability (11) only affects Mozilla Firefox ESR.

Vulnerability (12) only affects Windows 10 users.

Original advisories

Mozilla Foundation Security Advisory 2018-16

Mozilla Foundation Security Advisory 2018-15

Mozilla Foundation Security Advisory 2018-17

Related products

Mozilla-Firefox

Mozilla-Firefox-ESR

CVE list

CVE-2018-12358 warning

CVE-2018-12359 high

CVE-2018-12360 high

CVE-2018-12361 high

CVE-2018-12362 high

CVE-2018-12363 high

CVE-2018-12364 high

CVE-2018-12365 warning

CVE-2018-12366 warning

CVE-2018-12367 warning

CVE-2018-12368 critical

CVE-2018-12369 critical

CVE-2018-12370 high

CVE-2018-12371 high

CVE-2018-5156 critical

CVE-2018-5186 critical

CVE-2018-5187 critical

CVE-2018-5188 critical

Solution

Update to the latest versionDownload Mozilla Firefox

Download Mozilla Firefox ESR

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Mozilla Firefox earlier than 61Mozilla Firefox ESR 52 earlier than 52.9Mozilla Firefox ESR 60 earlier than 60.1

Related

nessus 54
freebsd 1
openvas 37
ubuntu 3
mozilla 5
altlinux 3
suse 8
archlinux 3
kaspersky 2
osv 6
mageia 4
debian 6
ibm 1
centos 4
redhat 4
oraclelinux 3
amazon 1
gentoo 2
debiancve 7
cve 7
nvd 7
prion 6
redhatcve 7
ubuntucve 8
cvelist 6
checkpoint_advisories 1
veracode 3
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Firefox regressions (USN-3705-2)
2018-07-11 00:00:00
FreeBSD : mozilla -- multiple vulnerabilities (cd81806c-26e7-4d4a-8425-02724a2f48af)
2018-06-27 00:00:00
Mozilla Firefox ESR < 60.1 Multiple Critical Vulnerabilities
2018-06-29 00:00:00
freebsd
freebsd
mozilla -- multiple vulnerabilities
2018-06-26 00:00:00
openvas
openvas
Mozilla Firefox Security Advisories (MFSA2018-15, MFSA2018-17) - Mac OS X
2018-06-27 00:00:00
Mozilla Firefox ESR Security Advisories (MFSA2018-15, MFSA2018-17) - Windows
2018-06-27 00:00:00
Ubuntu: Security Advisory (USN-3705-2)
2018-07-11 00:00:00
ubuntu
ubuntu
Firefox vulnerabilities
2018-07-05 00:00:00
Firefox regressions
2018-07-10 00:00:00
Thunderbird vulnerabilities
2018-07-12 00:00:00
mozilla
mozilla
Security vulnerabilities fixed in Firefox ESR 60.1 — Mozilla
2018-06-26 00:00:00
Security vulnerabilities fixed in Firefox 61 — Mozilla
2018-06-26 00:00:00
Security vulnerabilities fixed in Thunderbird 60 — Mozilla
2018-08-21 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package firefox-esr version 60.1.0-alt1
2018-06-26 00:00:00
Security fix for the ALT Linux 10 package thunderbird version 60.0-alt1
2018-08-13 00:00:00
Security fix for the ALT Linux 10 package thunderbird version July
2018-07-04 00:00:00
suse
suse
Security update for MozillaThunderbird (important)
2018-09-08 12:10:25
Security update for MozillaFirefox (important)
2018-06-28 15:07:56
Security update for seamonkey (important)
2018-08-15 15:07:29
archlinux
archlinux
[ASA-201806-14] firefox: multiple issues
2018-06-27 00:00:00
[ASA-201808-8] thunderbird: multiple issues
2018-08-10 00:00:00
[ASA-201807-4] thunderbird: multiple issues
2018-07-16 00:00:00
kaspersky
kaspersky
KLA11299 Multiple vulnerabilities in Mozilla Thunderbird
2018-08-06 00:00:00
KLA11278 Multiple vulnerabilities in Mozilla Thunderbird
2018-07-03 00:00:00
osv
osv
firefox-esr - security update
2018-06-27 00:00:00
firefox-esr - security update
2018-06-29 00:00:00
thunderbird - security update
2018-09-16 00:00:00
mageia
mageia
Updated firefox packages fix security vulnerability
2018-07-01 20:17:14
Updated thunderbird packages fix security issues & bugs
2018-12-16 00:29:48
Updated thunderbird packages fix security vulnerabilities
2018-07-24 01:27:34
debian
debian
[SECURITY] [DSA 4235-1] firefox-esr security update
2018-06-27 19:38:06
[SECURITY] [DLA 1406-1] firefox-esr security update
2018-06-29 08:26:14
[SECURITY] [DSA 4295-1] thunderbird security update
2018-09-16 20:54:24
ibm
ibm
Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS
2018-11-01 10:50:01
centos
centos
firefox security update
2018-07-11 23:01:41
firefox security update
2018-07-12 20:46:19
thunderbird security update
2018-07-25 16:11:17
redhat
redhat
(RHSA-2018:2112) Critical: firefox security update
2018-06-28 14:54:49
(RHSA-2018:2113) Critical: firefox security update
2018-06-28 14:55:24
(RHSA-2018:2252) Important: thunderbird security update
2018-07-24 20:50:32
oraclelinux
oraclelinux
firefox security update
2018-07-04 00:00:00
thunderbird security update
2018-07-24 00:00:00
thunderbird security update
2018-07-24 00:00:00
amazon
amazon
Critical: thunderbird
2018-08-21 17:15:00
gentoo
gentoo
Mozilla Firefox: Multiple vulnerabilities
2018-10-02 00:00:00
Mozilla Thunderbird: Multiple vulnerabilities
2018-11-24 00:00:00
debiancve
debiancve
CVE-2018-12358
2018-10-18 13:29:00
CVE-2018-12369
2018-10-18 13:29:03
CVE-2018-12367
2018-10-18 13:29:03
cve
cve
CVE-2018-12369
2018-10-18 13:29:03
CVE-2018-12370
2018-10-18 13:29:03
CVE-2018-12367
2018-10-18 13:29:03
nvd
nvd
CVE-2018-12370
2018-10-18 13:29:03
CVE-2018-12361
2018-10-18 13:29:01
CVE-2018-12369
2018-10-18 13:29:03
prion
prion
Design/Logic Flaw
2018-10-18 13:29:00
Integer overflow
2020-07-09 14:15:00
Cross site request forgery (csrf)
2018-10-18 13:29:00
redhatcve
redhatcve
CVE-2018-12370
2018-06-27 01:23:58
CVE-2018-12358
2018-06-27 01:29:17
CVE-2018-12371
2018-06-27 01:24:25
ubuntucve
ubuntucve
CVE-2018-12358
2018-06-27 00:00:00
CVE-2018-12371
2018-06-27 00:00:00
CVE-2018-12369
2018-06-27 00:00:00
cvelist
cvelist
CVE-2018-12358
2018-10-18 13:00:00
CVE-2018-12361
2018-10-18 13:00:00
CVE-2018-12368
2018-10-18 13:00:00
checkpoint_advisories
checkpoint_advisories
Mozilla Firefox WebExtensions SettingContent-ms Policy Bypass (CVE-2018-12368)
2018-11-29 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-12-06 04:02:06
Timing Attack
2020-12-06 04:02:03
Arbitrary Code Execution
2020-12-06 04:01:46

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.33 Low

EPSS

Percentile

97.1%

JSON
Related for KLA11271
nessus54freebsd1openvas37ubuntu3mozilla5altlinux3suse8archlinux3kaspersky2osv6mageia4debian6ibm1centos4redhat4oraclelinux3amazon1gentoo2debiancve7cve7nvd7prion6redhatcve7ubuntucve8cvelist6checkpoint_advisories1veracode3