PT-2014-1290 · Mozilla+5 · Firefox ESR+8

Published 2014-04-29 · Updated 2024-12-12 · CVE-2014-1523

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Mozilla Firefox versions prior to 29.0
Mozilla Firefox ESR versions prior to 24.5
Mozilla Thunderbird versions prior to 24.5
SeaMonkey versions prior to 2.26

Description

The issue allows a remote attacker to execute arbitrary code or cause a denial of service by manipulating the web notification API component through the creation of a special ICC profile, exploiting a vulnerability in the qcms_profile_from_memory function. Additionally, a heap-based buffer overflow in the read_u32 function can be triggered via a crafted JPEG image, causing an out-of-bounds read and application crash.

Recommendations

For Mozilla Firefox versions prior to 29.0, update to version 29.0 or later.
For Mozilla Firefox ESR versions prior to 24.5, update to version 24.5 or later.
For Mozilla Thunderbird versions prior to 24.5, update to version 24.5 or later.
For SeaMonkey versions prior to 2.26, update to version 2.26 or later.

Exploit · Fix · DoS · Buffer Overflow · Memory Corruption


Weakness Enumeration

Related Identifiers

ALT-PU-2014-1620
ALT-PU-2014-1621
ALT-PU-2014-1678
BDU:2015-00069
BDU:2015-00070
BDU:2015-00071
BDU:2015-00072
CESA-2014_0448
CESA-2014_0449
CVE-2014-1523
DSA-2918-1
DSA-2924-1
MGASA-2014-0201
MGASA-2014-0259
OPENSUSE-SU-2014_1100-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10230-1
OPENSUSE-SU-2024:14572-1
RHSA-2014:0448
RHSA-2014:0449
RHSA-2014_0448
RHSA-2014_0449
USN-2185-1
USN-2189-1

Affected Products

ALT Linux
CentOS
Firefox
Firefox ESR
Thunderbird
Red Hat
SeaMonkey
SUSE
Ubuntu