Kaspersky LabKLA11611KLA11611 Multiple vulnerabilities in Mozilla Firefox
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.014 Low
EPSS
Percentile
86.4%
Multiple vulnerabilities were found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, cause denial of service, bypass security restrictions.
Below is a complete list of vulnerabilities:
- Incorrectly image loading vulnerability in Mozilla Firefox can be exploited remotely via specially designed website to obtain sensitive information
- Race condition vulnerability in Resist Fingerprinting can be exploited remotely via specially designed website to cause denial of service;
- Stack corruption due to incorrect number of arguments in WebRTC code can be exploited remotely via specially designed website to cause denial of service;
- Use-after-free vulnerability in SFTKSession object can be exploited remotely via specially designed website to cause denial of service;
- Incorrect temporary files access configuration of Mozilla updater service can be exploited locally to bypass security restrictions;
- Use-after-free vulnerability in DocShell can be exploited remotely via specially designed website to cause denial of service;
- Buffer overflow vulnerability in plain Firefox text serializer can be exploited remotely via specially designed website to cause denial of service;
- Use-after-free vulnerability in worker destruction can be exploited remotely via specially designed website to cause denial of service;
- Out of bounds write vulnerability in NSS can be exploited remotely via specially designed website to cause denial of service;
Original advisories
Related products
CVE list
CVE-2019-17014 warning
CVE-2019-17012 high
CVE-2019-17010 high
CVE-2019-17013 high
CVE-2019-13722 warning
CVE-2019-11756 high
CVE-2019-17009 warning
CVE-2019-17011 high
CVE-2019-17005 high
CVE-2019-17008 high
CVE-2019-11745 high
Solution
Update to the latest version
Impacts
- ACE
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
- OSI
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
- DoS
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
- SB
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
- PE
Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.
- XSS/CSS
Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.
Affected Products
- Mozilla Firefox earlier than 71
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.014 Low
EPSS
Percentile
86.4%