Description: | Summary: Mozilla Firefox ESR is installed on this host and is prone to multiple vulnerabilities.
Vulnerability Insight: Multiple flaws exist due to:
- An error within Network Security Services (NSS) where the client allows an 'ECDHE_ECDSA' exchange in which the server does not send its 'ServerKeyExchange' message.
- Multiple use-after-free vulnerabilities.
- Multiple unspecified memory related errors.
- An error within the 'IndexedDatabaseManager' class in the IndexedDB implementation.
- An error in the implementation of Elliptic Curve Cryptography (ECC) multiplication for Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Network Security Services (NSS).
- An error in the 'CairoTextureClientD3D9::BorrowDrawTarget' function in the Direct3D 9 implementation.
- An error in the 'nsZipArchive::BuildFileList' function.
- An unspecified error in the nsZipArchive.cpp script.
- An error in the 'rx::d3d11::SetBufferData' function in the Direct3D 11 implementation.
- An error in the 'YCbCrImageDataDeserializer::ToDataSourceSurface' function in the YCbCr implementation.
- An error in the 'ArrayBufferBuilder::append' function.
- A buffer overflow error in the 'nsXMLHttpRequest::AppendToResponseText' function.
- An error in the PDF.js PDF file viewer.
Vulnerability Impact: Successful exploitation will allow remote attackers to execute arbitrary code, obtain sensitive information, conduct man-in-the-middle attacks, conduct denial-of-service attacks, spoof ECDSA signatures, and cause other unspecified impacts.
Affected Software/OS: Mozilla Firefox ESR 31.x before 31.8 and 38.x before 38.1
Solution: Upgrade to Mozilla Firefox ESR version 31.8 or 38.1 or later.
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
|