Request a Demo
Rewterz
Rewterz Threat Alert – Team9 Backdoor
June 3, 2020
Rewterz
Rewterz Threat Advisory – CVE-2020-8174 – Node.js buffer overflow Vulnerability
June 3, 2020

Rewterz Threat Advisory – Multiple Vulnerabilities in Mozilla Firefox and ESR

Severity

High

Analysis Summary

CVE-2020-12411

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-12408

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when browsing a document hosted on an IP address. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL.

CVE-2020-12407

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the leaking of arbitrary GPU memory to the visible screen when using border-image CSS directive. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.

CVE-2020-12406

Mozilla Firefox is vulnerable to a denial of service, caused by a JavaScript type confusion with NativeTypes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to possibly execute arbitrary code on the system or cause the browser to crash.

CVE-2020-12405

Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in SharedWorkerService. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2020-12399

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a timing timing attack when performing DSA signatures. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to leak private keys and obtain sensitive information.

CVE-2020-12409

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

  • Denial of service
  • URL spoofing
  • Information disclosure

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox 76
  • Mozilla Firefox ESR 68.8

Remediation

Upgrade to latest versions.

  • Firefox ESR 68.9
  • Firefox 77