Lucene search

K
kasperskyKaspersky LabKLA12011
HistoryNov 17, 2020 - 12:00 a.m.

KLA12011 Multiple vulnerabilities in Mozilla Firefox ESR

2020-11-1700:00:00
Kaspersky Lab
threats.kaspersky.com
46

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.026 Low

EPSS

Percentile

90.3%

Multiple vulnerabilities were found in Mozilla Firefox ESR. Malicious users can exploit these vulnerabilities to gain privileges, perform cross-site scripting attack, obtain sensitive information, cause denial of service, spoof user interface, execute arbitrary code, bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. An elevation of privilege vulnerability in the Remote Debugging via USB feature for Android can exploited to gain privileges.
  2. A cross-site-scripting (XSS) vulnerability can be exploited to perform cross-site scripting attack.
  3. A side-channel information leakage vulnerability in graphics component can be exploited to obtain sensitive information.
  4. A heap buffer overflow vulnerability in Freetype can be exploited to cause denial of service.
  5. A security UI vulnerability in fullscreen mode can be exploited remotely to obtain sensitive information and spoof user interface.
  6. A memory safety vulnerability can be exploited to to cause denial of service and execute arbitrary code.
  7. A denial of service vulnerability in History and Location interfaces can be exploited to potentially cause denial of service.
  8. A security bypass vulnerability in DoH can be exploited to security bypass restrictions.
  9. A security bypass vulnerability in Screenshoot mode can be exploited to bypass securty restrictions.
  10. A security bypass vulnerability in OneCRL for Android can be exploited to cause denial of service.
  11. A security UI vulnerability in fullscreen mode for Android can be exploited to spoof user interface and perform cross-site scripting attack.
  12. A use after free vulnerability in nsTArray can be exploited to potentially cause denial of service or execute arbitrary code.
  13. A security bypass vulnerability in “Show Password” feature can be exploited to bypass security restrictions and obtain sensitive information.
  14. A use after free vulnerability in WebRequestService can be exploited to cause denial of service.
  15. A memory corruption vulnerability in JIT compilation can be exploited to potentially cause denial of service.
  16. A security vulnerability in mDNS request for Windows can be exploited to obtain sensitive information.
  17. A security bypass vulnerability in ServiceWorker can be exploited to bypass security restrictions and perform cross-site scripting attack.
  18. A security vulnerability in cookies can be exploited to obtain sensitive information.

Original advisories

MFSA2020-51

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Mozilla-Firefox-ESR

CVE list

CVE-2020-15999 high

CVE-2020-16012 warning

CVE-2020-26964 high

CVE-2020-26951 high

CVE-2020-26953 warning

CVE-2020-26956 high

CVE-2020-26962 high

CVE-2020-26968 critical

CVE-2020-26963 warning

CVE-2020-26961 high

CVE-2020-26967 high

CVE-2020-26957 high

CVE-2020-26954 warning

CVE-2020-26969 critical

CVE-2020-26960 critical

CVE-2020-26965 high

CVE-2020-26959 critical

CVE-2020-26952 critical

CVE-2020-26966 high

CVE-2020-26958 high

CVE-2020-26955 high

Solution

Update to the latest version

Download Firefox ESR

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

  • XSS/CSS

Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Mozilla Firefox ESR earlier than 78.5

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.026 Low

EPSS

Percentile

90.3%