SeaMonkey 2.x < 2.13 Multiple Vulnerabilities

Versions of SeaMonkey 2.x prior to 2.13 are potentially affected by the following security issues :

• Multiple memory-corruption vulnerabilities in the browser engine exist which could lead to arbitrary code execution. (CVE-2012-3982, CVE-2012-3983, CVE-2012-4191)
• A URI-spoofing vulnerability exists due to an error when handling the ‘<select>’ dropdown menu. This issue can be exploited to display arbitrary content while showing the URL of another site. An attacker can also exploit this issue to cause click jacking attacks. (CVE-2012-3984)
• A security-bypass vulnerability exists because it fails to properly enforce the same-origin policy. Specifically, the error occurs when handling ‘document.domain’. An attacker can exploit this issue to execute cross-site scripting attacks. (CVE-2012-3985)
• Multiple security bypass vulnerabilities exist in the ‘nsDOMWindowUtils’ methods. (CVE-2012-3986)
• A use-after-free issue occurs when invoking full screen mode and navigating backwards in history. (CVE-2012-3988)
• A denial-of-service vulnerability exists due to an invalid cast error. Specifically, this issue occurs when using the instanceof operator on certain JavaScript objects. (CVE-2012-3989)
• A security-bypass vulnerability exists because it fails to properly enforce the cross-origin policy. Specifically, this issue occurs when invoking the ‘GetProperty()’ function through JSAPI. An attacker can exploit this issue to perform arbitrary code-execution. (CVE-2012-3991)
• A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when handling the ‘location’ property through binary plugins. (CVE-2012-3994)
• A security-bypass vulnerability exists because of an error in the Chrome Object Wrapper (COW) when handling the ‘InstallTrigger’ object. An attacker can exploit this issue to access certain privileged functions and properties. (CVE-2012-4184, CVE-2012-3993)
• An arbitrary code-execution occurs when handling the ‘location.hash’ property and history navigation. (CVE-2012-3992)
• An out-of-bounds read error affects the ‘IsCSSWordSpacingSpace()’ function. (CVE-2012-3995)
• A use-after-free error affects the ‘nsHTMLCSSUtils::CreateCSSPropertyTxn()’ function. (CVE-2012-4179)
• A heap-based buffer-overflow vulnerability exists in the ‘nsHTMLEditor::IsPrevCharInNodeWhitespace()’ function. (CVE-2012-4180)
• A use-after-free error affects the ‘nsSMILAnimationController::DoSample()’ function. (CVE-2012-4181)
• A use-after-free error affects the ‘nsTextEditRules::WillInsert()’ function. (CVE-2012-4182)
• A use-after-free error affects the ‘DOMSVGTests::GetRequiredFeatures()’ function. (CVE-2012-4183)
• A buffer-overflow vulnerability exists in the ‘nsCharTraits::length()’ function. (CVE-2012-4185)
• A heap-based buffer-overflow vulnerability exists in the 'nsWaveReader::DecodeAudioData()" function. (CVE-2012-4186)
• A memory-corruption vulnerability exists in the ‘insPos’ property. (CVE-2012-4187)
• A heap-based buffer-overflow exists in the ‘Convolve3x3()’ function. (CVE-2012-4188)
• A use-after-free error affects the ‘nsIContent::GetNameSpaceID()’ function. (CVE-2012-3990)
• A cross domain information disclosure exists due to improper access to the ‘location’ object. (CVE-2012-4192)
• A security-bypass vulnerability exists due to an error in security wrappers that does not unwrap the ‘defaultValue()’ function properly. An attacker can exploit this issue to gain access to the ‘location’ object. (CVE-2012-4193)

These vulnerabilities allow attackers to execute arbitrary script or HTML code, steal cookie-based authentication credentials, conduct phishing attacks, execute arbitrary code in the context of the vulnerable application, crash affected applications, obtain potentially sensitive information, gain escalated privileges, bypass security restrictions, and perform unauthorized actions; other attacks may also be possible.