Vulnerability in Mozilla Thunderbird and SeaMonkey (CVE-2010-3765)
CVSS v3.1 severity:
CRITICAL
Type:
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
Publication date:
28/10/2010
Last modified:
22/10/2025
Description
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allow remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
Impact
Base score 3.x
9.80
Severity 3.x
CRITICAL
Base score 2.0
9.30
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.3:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.4:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.5:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.6:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.7:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.8:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.9:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.10:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.11:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.12:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.13:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.5.14:*:*:*:*:*:*:* | | |
For the complete list of CPE names with products and versions, see this page
References to solutions, tools and information
- http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
- http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox
- http://isc.sans.edu/diary.html?storyid=9817
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050233.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050061.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050077.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050154.html
- http://norman.com/about_norman/press_center/news_archive/2010/129223/en?utm_source=twitterfeed&utm_medium=twitter
- http://secunia.com/advisories/41761
- http://secunia.com/advisories/41965
- http://secunia.com/advisories/41966
- http://secunia.com/advisories/41969
- http://secunia.com/advisories/41975
- http://secunia.com/advisories/42003
- http://secunia.com/advisories/42008
- http://secunia.com/advisories/42043
- http://secunia.com/advisories/42867
- http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.556706
- http://support.avaya.com/css/P8/documents/100114329
- http://support.avaya.com/css/P8/documents/100114335
- http://www.debian.org/security/2010/dsa-2124
- http://www.exploit-db.com/exploits/15341
- http://www.exploit-db.com/exploits/15342
- http://www.exploit-db.com/exploits/15352
- http://www.mandriva.com/security/advisories?name=MDVSA-2010%3A213
- http://www.mandriva.com/security/advisories?name=MDVSA-2010%3A219
- http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
- http://www.norman.com/about_norman/press_center/news_archive/2010/129223/
- http://www.norman.com/security_center/virus_description_archive/129146/
- http://www.redhat.com/support/errata/RHSA-2010-0808.html
- http://www.redhat.com/support/errata/RHSA-2010-0809.html
- http://www.redhat.com/support/errata/RHSA-2010-0810.html
- http://www.redhat.com/support/errata/RHSA-2010-0861.html
- http://www.redhat.com/support/errata/RHSA-2010-0896.html
- http://www.securityfocus.com/bid/44425
- http://www.securitytracker.com/id?1024645=
- http://www.securitytracker.com/id?1024650=
- http://www.securitytracker.com/id?1024651=
- http://www.ubuntu.com/usn/USN-1011-2
- http://www.ubuntu.com/usn/USN-1011-3
- http://www.ubuntu.com/usn/usn-1011-1
- http://www.vupen.com/english/advisories/2010/2837
- http://www.vupen.com/english/advisories/2010/2857
- http://www.vupen.com/english/advisories/2010/2864
- http://www.vupen.com/english/advisories/2010/2871
- http://www.vupen.com/english/advisories/2011/0061
- https://bugzilla.mozilla.org/show_bug.cgi?id=607222
- https://bugzilla.mozilla.org/show_bug.cgi?id=607222#c53
- https://bugzilla.redhat.com/show_bug.cgi?id=646997
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12108
- https://rhn.redhat.com/errata/RHSA-2010-0812.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-3765



