SecurityTracker.com
SecurityTracker
Archives
Category:   Application (E-mail Client)  >   Mozilla Thunderbird
Vendors:   Mozilla.org
Mozilla Thunderbird Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Information and Conduct Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1028704
SecurityTracker URL:  http://securitytracker.com/id/1028704
CVE Reference:   CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1697
Date:  Jun 26 2013
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 17.0.7
Description:   Multiple vulnerabilities were reported in Mozilla Thunderbird. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site request forgery attacks. A remote user can obtain potentially sensitive information.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system [CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690]. The code will run with the privileges of the target user.

The browser sends data in the body of XMLHttpRequest (XHR) HEAD requests. A remote user can exploit this to conduct cross-site request forgery attacks and take actions on the target site acting as the target user [CVE-2013-1692].
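The CSRF risk in that flaw comes from servers that act on a request body without first checking the method. As an added defensive illustration (this is not code from the advisory or from Mozilla), the following Python shows the server-side rule that keeps a body smuggled in a HEAD request from becoming a cross-site write: safe methods never trigger state changes whatever they carry, and state-changing methods must present a per-session CSRF token and, when an Origin header is sent, a matching origin. The function name, the `X-CSRF-Token` header, the session token, the site origin and the sample requests are all constructed for this example.

```python
import hmac

# Methods that must never change server state, whatever the request carries.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def should_perform_write(method, headers, body, session_csrf_token, site_origin):
    """Decide whether a request may trigger a state-changing action.

    Returns (allowed, reason). The decision is deliberately independent of
    the body: a HEAD that arrives with a body is still a HEAD and is never
    acted upon. Header names are matched case-insensitively, as HTTP requires.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    m = method.upper()
    if m in SAFE_METHODS:
        # Never act on the body of a safe-method request; treat it as an anomaly to log.
        return False, f"{m} is a safe method; {len(body)}-byte body ignored"
    origin = hdrs.get("origin")
    if origin is not None and origin != site_origin:
        return False, f"cross-origin request from {origin} rejected"
    token = hdrs.get("x-csrf-token", "")
    # Constant-time comparison so the token cannot be recovered through timing.
    if not hmac.compare_digest(token, session_csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "write permitted"


# Constructed sample requests (hypothetical values, not captured traffic).
SESSION_TOKEN = "c0ffee-session-token"
SITE = "https://mail.example.test"
SAMPLE_REQUESTS = [
    # A cross-origin XHR HEAD that carries a form body, the pattern the flaw above enabled.
    ("HEAD", {"Origin": "https://attacker.example.test"}, b"action=delete&id=42"),
    # Legitimate same-origin write carrying the session token.
    ("POST", {"Origin": SITE, "X-CSRF-Token": SESSION_TOKEN}, b"action=delete&id=42"),
    # Same-origin write that omits the token.
    ("POST", {"Origin": SITE}, b"action=delete&id=42"),
    # Cross-origin POST with a guessed token.
    ("POST", {"Origin": "https://attacker.example.test", "X-CSRF-Token": "guess"}, b"x=1"),
]


def classify_requests(requests=SAMPLE_REQUESTS):
    """Run the guard over each sample and return the allowed flags in order."""
    return [should_perform_write(m, h, b, SESSION_TOKEN, SITE)[0] for m, h, b in requests]


if __name__ == "__main__":
    for (m, h, b), allowed in zip(SAMPLE_REQUESTS, classify_requests()):
        print(f"{m:<5} {h.get('Origin', '-'):<35} -> {'WRITE' if allowed else 'blocked'}")
```

Only the second sample is permitted to write; the HEAD with a body is refused purely on its method, before any body parsing, which is the property a server needs so that a client bug of this kind cannot be turned into a cross-site action.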

A remote user can exploit timing differences in the processing of SVG format images with filters to read pixel values [CVE-2013-1693].

A remote user can trigger a flaw in PreserveWrapper to execute arbitrary code [CVE-2013-1694].

A remote user can bypass XrayWrappers to run user defined methods with elevated privileges [CVE-2013-1697].

Gary Kwong, Jesse Ruderman, Andrew McCreight, Christian Holler, Bobby Holley, Ben Turner, Ehsan Akhgari, Mats Palmgren, John Schoenick, Abhishek Arya (Inferno) of the Google Chrome Security Team, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone of Context Information Security, Boris Zbarsky, and moz_bug_r_a4 reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (ESR 17.0.7, 17.0.7).

The vendor's advisory is available at:

http://www.mozilla.org/security/announce/2013/mfsa2013-49.html
http://www.mozilla.org/security/announce/2013/mfsa2013-50.html
http://www.mozilla.org/security/announce/2013/mfsa2013-51.html
http://www.mozilla.org/security/announce/2013/mfsa2013-53.html
http://www.mozilla.org/security/announce/2013/mfsa2013-54.html
http://www.mozilla.org/security/announce/2013/mfsa2013-55.html
http://www.mozilla.org/security/announce/2013/mfsa2013-56.html
http://www.mozilla.org/security/announce/2013/mfsa2013-59.html

Vendor URL:  www.mozilla.org/security/announce/2013/mfsa2013-49.html
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 26 2013 (Red Hat Issues Fix) Mozilla Thunderbird Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Information and Conduct Cross-Site Request Forgery Attacks
Red Hat has issued a fix for Red Hat Enterprise Linux 5 and 6.

Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2019, SecurityGlobal.net LLC