Moz_Bug_R_A4

Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions prior to 25 Description: The issue allows modification of anonymous content of pluginProblem.xml binding. Recommendations: For versions prior to 25, update to version 25 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 22.0 Firefox ESR 17.x versions prior to 17.0.7 Thunderbird versions prior to 17.0.7 Thunderbird ESR 17.x versions prior to 17.0.7 **Description** The issue allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site. This is possible because the XrayWrapper implementation does not properly restrict use of DefaultValue for method calls, specifically when a user-defined `toString` or `valueOf` method is triggered. **Recommendations** For Mozilla Firefox versions prior to 22.0, update to version 22.0 or later. For Firefox ESR 17.x versions prior to 17.0.7, update to version 17.0.7 or later. For Thunderbird versions prior to 17.0.7, update to version 17.0.7 or later. For Thunderbird ESR 17.x versions prior to 17.0.7, update to version 17.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 21.0 **Description** The issue is related to the improper implementation of the INPUT element in Mozilla Firefox, allowing remote attackers to obtain the full pathname via a crafted web site. **Recommendations** For versions prior to 21.0, update to version 21.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 17.0 Firefox ESR versions prior to 10.0.11 Thunderbird versions prior to 17.0 Thunderbird ESR versions prior to 10.0.11 SeaMonkey versions prior to 2.14 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on. This is due to the incorrect context used during the handling of JavaScript code that sets the `location.href` property. **Recommendations** For Mozilla Firefox versions prior to 17.0, update to version 17.0 or later. For Firefox ESR versions prior to 10.0.11, update to version 10.0.11 or later. For Thunderbird versions prior to 17.0, update to version 17.0 or later. For Thunderbird ESR versions prior to 10.0.11, update to version 10.0.11 or later. For SeaMonkey versions prior to 2.14, update to version 2.14 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 16.0.2 Firefox ESR versions prior to 10.0.10 Thunderbird versions prior to 16.0.2 Thunderbird ESR versions prior to 10.0.10 SeaMonkey versions prior to 2.13.2 **Description** The issue makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. It also allows remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. The `nsLocation::CheckURL` function does not properly determine the calling document and principal in its return value. **Recommendations** For Mozilla Firefox versions prior to 16.0.2, update to version 16.0.2 or later. For Firefox ESR versions prior to 10.0.10, update to version 10.0.10 or later. For Thunderbird versions prior to 16.0.2, update to version 16.0.2 or later. For Thunderbird ESR versions prior to 10.0.10, update to version 10.0.10 or later. For SeaMonkey versions prior to 2.13.2, update to version 2.13.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 16.0.1 Firefox ESR versions prior to 10.0.9 Thunderbird versions prior to 16.0.1 Thunderbird ESR versions prior to 10.0.9 SeaMonkey versions prior to 2.13.1 **Description** The issue allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. This is due to a missing security check in the defaultValue function during the unwrapping of security wrappers. **Recommendations** For Mozilla Firefox versions prior to 16.0.1, update to version 16.0.1 or later. For Firefox ESR versions prior to 10.0.9, update to version 10.0.9 or later. For Thunderbird versions prior to 16.0.1, update to version 16.0.1 or later. For Thunderbird ESR versions prior to 10.0.9, update to version 10.0.9 or later. For SeaMonkey versions prior to 2.13.1, update to version 2.13.1 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 16.0 Firefox ESR versions prior to 10.0.8 Thunderbird versions prior to 16.0 Thunderbird ESR versions prior to 10.0.8 SeaMonkey versions prior to 2.13 **Description** The issue allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, due to the Chrome Object Wrapper (COW) implementation not preventing access to properties of a prototype for a standard class. **Recommendations** For Mozilla Firefox versions prior to 16.0, update to version 16.0 or later. For Firefox ESR versions prior to 10.0.8, update to version 10.0.8 or later. For Thunderbird versions prior to 16.0, update to version 16.0 or later. For Thunderbird ESR versions prior to 10.0.8, update to version 10.0.8 or later. For SeaMonkey versions prior to 2.13, update to version 2.13 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 15.0 Firefox ESR versions prior to 10.0.7 Thunderbird versions prior to 15.0 Thunderbird ESR versions prior to 10.0.7 SeaMonkey versions prior to 2.12 **Description** The issue is related to the `nsLocation::CheckURL` function, which does not properly follow the security model of the location object. This allows remote attackers to bypass intended content-loading restrictions, possibly having other unspecified impacts via vectors involving chrome code. **Recommendations** For Mozilla Firefox versions prior to 15.0, update to version 15.0 or later. For Firefox ESR versions prior to 10.0.7, update to version 10.0.7 or later. For Thunderbird versions prior to 15.0, update to version 15.0 or later. For Thunderbird ESR versions prior to 10.0.7, update to version 10.0.7 or later. For SeaMonkey versions prior to 2.12, update to version 2.12 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 13.0 Mozilla Firefox ESR versions 10.x before 10.0.6 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, due to insufficient context-menu restrictions for data: URLs compared to javascript: URLs. **Recommendations** For Mozilla Firefox versions 4.x through 13.0, update to a version later than 13.0 to resolve the issue. For Mozilla Firefox ESR versions 10.x before 10.0.6, update to version 10.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 13.0 Firefox ESR versions 10.x before 10.0.6 Thunderbird versions 5.0 through 13.0 Thunderbird ESR versions 10.x before 10.0.6 SeaMonkey versions prior to 2.11 **Description** The issue is related to the improper implementation of the JavaScript sandbox utility. This allows remote attackers to execute arbitrary JavaScript code with improper privileges via a `javascript:` URL. **Recommendations** For Mozilla Firefox versions 4.x through 13.0, update to a version after 13.0. For Firefox ESR versions 10.x before 10.0.6, update to version 10.0.6 or later. For Thunderbird versions 5.0 through 13.0, update to a version after 13.0. For Thunderbird ESR versions 10.x before 10.0.6, update to version 10.0.6 or later. For SeaMonkey versions prior to 2.11, update to version 2.11 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 9.0 Thunderbird versions 5.0 through 9.0 SeaMonkey versions prior to 2.7 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a web page or Firefox extension, due to improper enforcement of XPConnect security restrictions for frame scripts that call untrusted objects. **Recommendations** For Mozilla Firefox versions 4.x through 9.0, update to a version later than 9.0 to resolve the issue. For Thunderbird versions 5.0 through 9.0, update to a version later than 9.0 to resolve the issue. For SeaMonkey versions prior to 2.7, update to version 2.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6.24 Thunderbird versions prior to 3.1.6 **Description** The issue arises from the JSSubScriptLoader in Mozilla Firefox and Thunderbird, which does not properly handle XPCNativeWrappers during calls to the `loadSubScript` method in an add-on. This makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. **Recommendations** For Mozilla Firefox versions prior to 3.6.24, update to version 3.6.24 or later. For Thunderbird versions prior to 3.1.6, update to version 3.1.6 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6.20 Thunderbird versions prior to 3.1.12 SeaMonkey versions 2.x **Description** The issue is related to the `appendChild` function not properly handling DOM objects, allowing remote attackers to execute arbitrary code via unspecified vectors that lead to dereferencing of a "dangling pointer." **Recommendations** For Mozilla Firefox versions prior to 3.6.20, update to version 3.6.20 or later. For Thunderbird versions prior to 3.1.12, update to version 3.1.12 or later. For SeaMonkey versions 2.x, consider disabling the `appendChild` function as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6.20 SeaMonkey versions 2.x Thunderbird versions 3.x prior to 3.1.12 **Description** The issue is related to the event-management implementation, which does not properly select the context for script execution. This allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site. **Recommendations** For Mozilla Firefox versions prior to 3.6.20, update to version 3.6.20 or later. For SeaMonkey versions 2.x, there is no information about a newer version that contains a fix for this issue. For Thunderbird versions 3.x prior to 3.1.12, update to version 3.1.12 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6.20 SeaMonkey versions 2.x Thunderbird versions prior to 3.1.12 **Description** The issue arises from improper handling of dropping a tab element, allowing remote attackers to execute arbitrary JavaScript code with chrome privileges. This is achieved by establishing a content area and registering for drop events. **Recommendations** For Mozilla Firefox versions prior to 3.6.20, update to version 3.6.20 or later. For SeaMonkey versions 2.x, consider disabling the ability to drop tab elements as a temporary workaround until a patch is available. For Thunderbird versions prior to 3.1.12, update to version 3.1.12 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 5.0 **Description** The issue is related to the xpinstall functionality in Mozilla Firefox, where the whitelist is not properly enforced. This allows remote attackers to trigger an installation dialog for a (1) add-on or (2) theme via unspecified vectors. **Recommendations** For versions prior to 5.0, update to version 5.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.5.16 Mozilla Firefox versions 3.6.x prior to 3.6.13 SeaMonkey versions prior to 2.0.11 **Description** The issue arises from the interaction between the XMLHttpRequestSpy object and chrome privileged objects when the XMLHttpRequestSpy module in the Firebug add-on is used. This allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. **Recommendations** For Mozilla Firefox versions prior to 3.5.16, update to version 3.5.16 or later. For Mozilla Firefox versions 3.6.x prior to 3.6.13, update to version 3.6.13 or later. For SeaMonkey versions prior to 2.0.11, update to version 2.0.11 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.5.12 Thunderbird versions prior to 3.0.7 SeaMonkey versions prior to 2.0.7 **Description** The issue allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted function, due to the XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper implementation not properly restricting scripted functions. **Recommendations** For Mozilla Firefox versions prior to 3.5.12, update to version 3.5.12 or later. For Thunderbird versions prior to 3.0.7, update to version 3.0.7 or later. For SeaMonkey versions prior to 2.0.7, update to version 2.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 3.6.x before 3.6.7 Thunderbird versions 3.1.x before 3.1.1 **Description** The issue arises from improper implementation of access to a content object through a SafeJSObjectWrapper (SJOW) wrapper. This allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging access to an object from the chrome scope. **Recommendations** For Mozilla Firefox versions 3.6.x before 3.6.7, update to version 3.6.7 or later to resolve the issue. For Thunderbird versions 3.1.x before 3.1.1, update to version 3.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.0.19 Mozilla Firefox versions 3.5.x prior to 3.5.8 SeaMonkey versions prior to 2.0.3 **Description** The issue arises from improper handling of interaction between the XMLHttpRequestSpy object and chrome privileged objects when the XMLHttpRequestSpy module in the Firebug add-on is used. This allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. **Recommendations** For Mozilla Firefox versions prior to 3.0.19, update to version 3.0.19 or later. For Mozilla Firefox versions 3.5.x prior to 3.5.8, update to version 3.5.8 or later. For SeaMonkey versions prior to 2.0.3, update to version 2.0.3 or later.