Security Advisories for SeaMonkey 2.0

SeaMonkey 2.0 is unsupported. Please upgrade to the latest version.

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in SeaMonkey 2.0.14

• 2011-18 XSLT generate-id() function heap address leak
• 2011-16 Directory traversal in resource: protocol
• 2011-15 Escalation of privilege through Java Embedding Plugin
• 2011-14 Information stealing via form history
• 2011-13 Multiple dangling pointer vulnerabilities
• 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)

# Fixed in SeaMonkey 2.0.13

• 2011-11 Update to HTTPS certificate blacklist

# Fixed in SeaMonkey 2.0.12

• 2011-10 CSRF risk with plugins and 307 redirects
• 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
• 2011-07 Memory corruption during text run construction (Windows)
• 2011-06 Use-after-free error using Web Workers
• 2011-05 Buffer overflow in JavaScript atom map
• 2011-04 Buffer overflow in JavaScript upvarMap
• 2011-03 Use-after-free error in JSON.stringify
• 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
• 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

# Fixed in SeaMonkey 2.0.11

• 2010-84 XSS hazard in multiple character encodings
• 2010-83 Location bar SSL spoofing using network error page
• 2010-82 Incomplete fix for CVE-2010-0179
• 2010-81 Integer overflow vulnerability in NewIdArray
• 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
• 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
• 2010-78 Add support for OTS font sanitizer
• 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
• 2010-76 Chrome privilege escalation with window.open and <isindex> element
• 2010-75 Buffer overflow while line breaking after document.write with long string
• 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

# Fixed in SeaMonkey 2.0.10

• 2010-73 Heap buffer overflow mixing document.write and DOM insertion

# Fixed in SeaMonkey 2.0.9

• 2010-72 Insecure Diffie-Hellman key exchange
• 2010-71 Unsafe library loading vulnerabilities
• 2010-70 SSL wildcard certificate matching IP addresses
• 2010-69 Cross-site information disclosure via modal calls
• 2010-68 XSS in gopher parser when parsing hrefs
• 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
• 2010-66 Use-after-free error in nsBarProp
• 2010-65 Buffer overflow and memory corruption using document.write
• 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

# Fixed in SeaMonkey 2.0.7

• 2010-63 Information leak via XMLHttpRequest statusText
• 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
• 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
• 2010-60 XSS using SJOW scripted function
• 2010-58 Crash on Mac using fuzzed font in data: URL
• 2010-57 Crash and remote code execution in normalizeDocument
• 2010-56 Dangling pointer vulnerability in nsTreeContentView
• 2010-55 XUL tree removal crash and remote code execution
• 2010-54 Dangling pointer vulnerability in nsTreeSelection
• 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
• 2010-52 Windows XP DLL loading vulnerability
• 2010-51 Dangling pointer vulnerability using DOM plugin array
• 2010-50 Frameset integer overflow vulnerability
• 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)

# Fixed in SeaMonkey 2.0.6

• 2010-47 Cross-origin data leakage from script filename in error messages
• 2010-46 Cross-domain data theft using CSS
• 2010-45 Multiple location bar spoofing vulnerabilities
• 2010-42 Cross-origin data disclosure via Web Workers and importScripts
• 2010-41 Remote code execution using malformed PNG image
• 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
• 2010-39 nsCSSValue::Array index integer overflow
• 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
• 2010-36 Use-after-free error in NodeIterator
• 2010-35 DOM attribute cloning remote code execution vulnerability
• 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)

# Fixed in SeaMonkey 2.0.5

• 2010-33 User tracking across sites using Math.random()
• 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
• 2010-31 focus() behavior can be used to inject or steal keystrokes
• 2010-30 Integer Overflow in XSLT Node Sorting
• 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
• 2010-28 Freed object reuse across plugin instances
• 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()
• 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
• 2010-25 Re-use of freed object due to scope confusion

# Fixed in SeaMonkey 2.0.4

• 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
• 2010-23 Image src redirect to mailto: URL opens email editor
• 2010-22 Update NSS to support TLS renegotiation indication
• 2010-20 Chrome privilege escalation via forced URL drag and drop
• 2010-19 Dangling pointer vulnerability in nsPluginArray
• 2010-18 Dangling pointer vulnerability in nsTreeContentView
• 2010-17 Remote code execution with use-after-free in nsTreeSelection
• 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

# Fixed in SeaMonkey 2.0.3

• 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy
• 2010-14 Browser chrome defacement via cached XUL stylesheets
• 2010-12 XSS using addEventListener and setTimeout on a wrapped object
• 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
• 2010-05 XSS hazard using SVG document and binary Content-Type
• 2010-04 XSS due to window.dialogArguments being readable cross-domain
• 2010-03 Use-after-free crash in HTML parser
• 2010-02 Web Worker Array Handling Heap Corruption Vulnerability
• 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)

# Fixed in SeaMonkey 2.0.1

• 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
• 2009-70 Privilege escalation via chrome window.opener
• 2009-69 Location bar spoofing vulnerabilities
• 2009-68 NTLM reflection vulnerability
• 2009-67 Integer overflow, crash in libtheora video library
• 2009-66 Memory safety fixes in liboggplay media library
• 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)

# Fixed in SeaMonkey 2

• 2009-62 Download filename spoofing with RTL override
• 2009-56 Heap buffer overflow in GIF color map parser
• 2009-55 Crash in proxy auto-configuration regexp parsing