CVE-2014-1529: The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote…

CVE-2014-1529 [HIGH] CWE-269 GHSA-vcpc-r52j-cpgq: The Web Notification API in Mozilla Firefox before 29 The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted.

CVE-2014-1518 [HIGH] thunderbird vulnerabilities thunderbird vulnerabilities Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Jesse Ruderman, Nathan Froyd and Christian Holler discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1518) Abhishek Arya discovered an out of bounds read when decoding JPG images. An attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2014-1523) Abhishek Arya discovered a buffer overflow when a script uses a non-XBL object as an XBL object. If a user had enabled scripti

CVE-2014-1529 [HIGH] CVE-2014-1529: The Web Notification API in Mozilla Firefox before 29 The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted.

[HIGH] firefox vulnerabilities firefox vulnerabilities Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Jesse Ruderman, Nathan Froyd, John Schoenick, Karl Tomlinson, Vladimir Vukicevic and Christian Holler discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1518, CVE-2014-1519) An out of bounds read was discovered in Web Audio. An attacker could potentially exploit this cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1522) Abhishek Arya discovered an out of bounds re

CVE-2014-1518 [HIGH] Thunderbird vulnerabilities Title: Thunderbird vulnerabilities Summary: Several security issues were fixed in Thunderbird. Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Jesse Ruderman, Nathan Froyd and Christian Holler discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1518) Abhishek Arya discovered an out of bounds read when decoding JPG images. An attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2014-1523) Abhishek Arya discovered a buffer overflow when a script u

CVE-2014-1518 [HIGH] Firefox vulnerabilities Title: Firefox vulnerabilities Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website. Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Jesse Ruderman, Nathan Froyd, John Schoenick, Karl Tomlinson, Vladimir Vukicevic and Christian Holler discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1518, CVE-2014-1519) An out of bounds read was discovered in Web Audio. An attacker could potentially exploit this cause a denial of service via application crash or execute arbitrary code

CVE-2014-1529 [HIGH] Mozilla: Privilege escalation through Web Notification API (MFSA 2014-42) Mozilla: Privilege escalation through Web Notification API (MFSA 2014-42) The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted.

CVE-2014-1529 [HIGH] CVE-2014-1529 Mozilla: Privilege escalation through Web Notification API (MFSA 2014-42) CVE-2014-1529 Mozilla: Privilege escalation through Web Notification API (MFSA 2014-42) Security researcher Mariusz Mlynski discovered an issue where sites that have been given notification permissions by a user can bypass security checks on source components for the Web Notification API. This allows for script to be run in a privileged context through notifications, leading to arbitrary code execution on these sites. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. External Reference: http://www.mozilla.org/security/announce/2014/mfsa2014-42.html Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue. Upst