9.8

CVE-2010-3765

Warnung
Medienbericht
Exploit
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaFirefox Version3.5
MozillaFirefox Version3.5.1
MozillaFirefox Version3.5.2
MozillaFirefox Version3.5.3
MozillaFirefox Version3.5.4
MozillaFirefox Version3.5.5
MozillaFirefox Version3.5.6
MozillaFirefox Version3.5.7
MozillaFirefox Version3.5.8
MozillaFirefox Version3.5.9
MozillaFirefox Version3.5.10
MozillaFirefox Version3.5.11
MozillaFirefox Version3.5.12
MozillaFirefox Version3.5.13
MozillaFirefox Version3.5.14
MozillaFirefox Version3.6
MozillaFirefox Version3.6.2
MozillaFirefox Version3.6.3
MozillaFirefox Version3.6.4
MozillaFirefox Version3.6.6
MozillaFirefox Version3.6.7
MozillaFirefox Version3.6.8
MozillaFirefox Version3.6.9
MozillaFirefox Version3.6.10
MozillaFirefox Version3.6.11
MozillaThunderbird Version3.0.1
MozillaThunderbird Version3.0.2
MozillaThunderbird Version3.0.3
MozillaThunderbird Version3.0.4
MozillaThunderbird Version3.0.5
MozillaThunderbird Version3.0.6
MozillaThunderbird Version3.0.7
MozillaThunderbird Version3.0.8
MozillaThunderbird Version3.0.9
MozillaThunderbird Version3.1.1
MozillaThunderbird Version3.1.2
MozillaThunderbird Version3.1.3
MozillaThunderbird Version3.1.4
MozillaThunderbird Version3.1.5
MozillaSeamonkey Version2.0
MozillaSeamonkey Version2.0 Updatealpha_1
MozillaSeamonkey Version2.0 Updatealpha_2
MozillaSeamonkey Version2.0 Updatealpha_3
MozillaSeamonkey Version2.0 Updatebeta_1
MozillaSeamonkey Version2.0 Updatebeta_2
MozillaSeamonkey Version2.0 Updaterc1
MozillaSeamonkey Version2.0 Updaterc2
MozillaSeamonkey Version2.0.1
MozillaSeamonkey Version2.0.2
MozillaSeamonkey Version2.0.3
MozillaSeamonkey Version2.0.4
MozillaSeamonkey Version2.0.5
MozillaSeamonkey Version2.0.6
MozillaSeamonkey Version2.0.7
MozillaSeamonkey Version2.0.8
MozillaSeamonkey Version2.0.9

06.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Mozilla Multiple Products Remote Code Execution Vulnerability

Schwachstelle

Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 83.28% 0.996
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox
Broken Link
http://secunia.com/advisories/42867
Vendor Advisory
http://www.vupen.com/english/advisories/2011/0061
Vendor Advisory
http://www.debian.org/security/2010/dsa-2124
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050077.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050154.html
Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0861.html
Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0896.html
Third Party Advisory
http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
Vendor Advisory
http://isc.sans.edu/diary.html?storyid=9817
Press/Media Coverage
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050233.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050061.html
Third Party Advisory
http://norman.com/about_norman/press_center/news_archive/2010/129223/en?utm_source=twitterfeed&utm_medium=twitter
Product
http://secunia.com/advisories/41761
Vendor Advisory
http://secunia.com/advisories/41965
Vendor Advisory
http://secunia.com/advisories/41966
Vendor Advisory
http://secunia.com/advisories/41969
Vendor Advisory
http://secunia.com/advisories/41975
Vendor Advisory
http://secunia.com/advisories/42003
Vendor Advisory
http://secunia.com/advisories/42008
Vendor Advisory
http://secunia.com/advisories/42043
Vendor Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.556706
Third Party Advisory
http://support.avaya.com/css/P8/documents/100114329
Third Party Advisory
http://support.avaya.com/css/P8/documents/100114335
Third Party Advisory
http://www.exploit-db.com/exploits/15341
Exploit
http://www.exploit-db.com/exploits/15342
Exploit
http://www.exploit-db.com/exploits/15352
Exploit
http://www.mandriva.com/security/advisories?name=MDVSA-2010:213
Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2010:219
Third Party Advisory
http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
Third Party Advisory
http://www.norman.com/about_norman/press_center/news_archive/2010/129223/
Broken Link
http://www.norman.com/security_center/virus_description_archive/129146/
Broken Link
http://www.redhat.com/support/errata/RHSA-2010-0808.html
Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0809.html
Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0810.html
Third Party Advisory
http://www.securityfocus.com/bid/44425
Broken Link
http://www.securitytracker.com/id?1024645
Broken Link
http://www.securitytracker.com/id?1024650
Broken Link
http://www.securitytracker.com/id?1024651
Broken Link
http://www.ubuntu.com/usn/USN-1011-2
Third Party Advisory
http://www.ubuntu.com/usn/USN-1011-3
Third Party Advisory
http://www.ubuntu.com/usn/usn-1011-1
Third Party Advisory
http://www.vupen.com/english/advisories/2010/2837
Vendor Advisory
http://www.vupen.com/english/advisories/2010/2857
Vendor Advisory
http://www.vupen.com/english/advisories/2010/2864
Vendor Advisory
http://www.vupen.com/english/advisories/2010/2871
Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=607222
Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=607222#c53
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=646997
Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12108
Third Party Advisory
https://rhn.redhat.com/errata/RHSA-2010-0812.html
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-3765
US Government Resource