CVE-2010-3765

Published: 28/10/2010 Updated: 19/09/2017
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 950
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Mozilla Firefox 3.5.x up to and including 3.5.14 and 3.6.x up to and including 3.6.11, Thunderbird 3.1.x prior to 3.1.6 and 3.0.x prior to 3.0.10, and SeaMonkey 2.x prior to 2.0.10, when JavaScript is enabled, allows remote malicious users to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.

Vulnerable Products

mozilla firefox 3.5.5

mozilla firefox 3.5.4

mozilla firefox 3.5.1

mozilla firefox 3.5

mozilla firefox 3.5.7

mozilla firefox 3.5.6

mozilla firefox 3.5.12

mozilla firefox 3.5.11

mozilla firefox 3.5.10

mozilla firefox 3.5.9

mozilla firefox 3.5.8

mozilla firefox 3.5.14

mozilla firefox 3.5.13

mozilla firefox 3.5.3

mozilla firefox 3.5.2

mozilla firefox 3.6.4

mozilla firefox 3.6.6

mozilla firefox 3.6.2

mozilla firefox 3.6.3

mozilla firefox 3.6.10

mozilla firefox 3.6.11

mozilla firefox 3.6.9

mozilla firefox 3.6

mozilla firefox 3.6.7

mozilla firefox 3.6.8

mozilla thunderbird 3.1.3

mozilla thunderbird 3.1.1

mozilla thunderbird 3.0.2

mozilla thunderbird 3.0.9

mozilla thunderbird 3.1.2

mozilla thunderbird 3.1.4

mozilla thunderbird 3.0.7

mozilla thunderbird 3.0.6

mozilla thunderbird 3.0.4

mozilla thunderbird 3.0.5

mozilla thunderbird 3.0.8

mozilla thunderbird 3.1.5

mozilla thunderbird 3.0.1

mozilla thunderbird 3.0.3

mozilla seamonkey 2.0.2

mozilla seamonkey 2.0.7

mozilla seamonkey 2.0

mozilla seamonkey 2.0.3

mozilla seamonkey 2.0.8

mozilla seamonkey 2.0.6

mozilla seamonkey 2.0.5

mozilla seamonkey 2.0.4

mozilla seamonkey 2.0.1

mozilla seamonkey 2.0.9

Vendor Advisories

Synopsis: Critical: xulrunner security update. Type/Severity: Security Advisory: Critical. Topic: Updated xulrunner packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerabili ...
Synopsis: Critical: seamonkey security update. Type/Severity: Security Advisory: Critical. Topic: Updated seamonkey packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulne ...
Thunderbird could be made to run programs as your login if it opened a specially crafted email message or news item ...
Firefox could be made to run programs as your login if it opened a specially crafted web page ...
A Xulrunner application could be made to run programs as your login if it opened a specially crafted file ...
Mozilla Foundation Security Advisory 2010-73: Heap buffer overflow mixing document.write and DOM insertion. Announced: October 27, 2010. Reporter: Morten Kråkvik. Impact: Critical. Products: Firefox, SeaMonkey, Thunderbird. Fixe ...

Exploits

For those who still do not know. The proof of concept (that I have extracted) for CVE-2010-3765 is the following: <html><body><script> function G(str){ var cobj=document.createElement(str); document.body.appendChild(cobj); cobj.scrollWidth; } function crashme() { document.write("fooFOO"); G("a"); documentw ...
<!-- WARNING! This is exploit code from the wild. The original first 2 unicode chars at 'id=sun8' were ub8acu1029. Use, as always, at your own risk. <body> <div style="visibility:hidden;width:0px;height:0px"> <div id=sun8>uccccuccccu0d00u0d0du0d00u102du1000u0d00u102du1000u102du1000u2853u1000u0011u0000u116cu1000u0300u7ffeub45 ...
Source: bugzilla.mozilla.org/show_bug.cgi?id=607222 <html><body> <script> function getatts(str){ var cobj=document.createElement(str); cobj.id="testcase"; document.body.appendChild(cobj); var obj=document.getElementById("testcase"); var atts = new Array(); for(p in obj){ if(typeof(obj[p ...
Hi there, For those who still do not know. The proof of concept (that I have extracted) for CVE-2010-3765 is the following: <html><body> <script> function G(str){ var cobj=document.createElement(str); document.body.appendChild(cobj); cobj.scrollWidth; } function crashme() { document.write("fooFOO"); ...
## # $Id: mozilla_interleaved_write.rb 11796 2011-02-22 20:49:44Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require 'msf/co ...

Recent Articles

Firefox Tricked – Current 0day
Securelist • Kurt Baumgartner • 27 Oct 2010

Firefox (FF) users should be aware of a use-after-free vulnerability affecting Firefox versions 3.6.11 and earlier. The security team at Firefox has been working on getting a patch out since at least early Tuesday morning, delivering a v3.6.12 release candidate available for brave nightly build developers and testers last night. A zero day exploit attacking this vulnerability was used at the compromised Nobel Peace Prize website to drop a trojan on unsuspecting visitors’ systems, although the ...

References

CWE-119
http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
http://isc.sans.edu/diary.html?storyid=9817
http://www.norman.com/security_center/virus_description_archive/129146/
https://bugzilla.mozilla.org/show_bug.cgi?id=607222
http://www.norman.com/about_norman/press_center/news_archive/2010/129223/
https://bugzilla.redhat.com/show_bug.cgi?id=646997
https://bugzilla.mozilla.org/show_bug.cgi?id=607222#c53
http://www.mandriva.com/security/advisories?name=MDVSA-2010:219
http://www.vupen.com/english/advisories/2010/2871
http://www.mandriva.com/security/advisories?name=MDVSA-2010:213
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050233.html
https://rhn.redhat.com/errata/RHSA-2010-0812.html
http://secunia.com/advisories/42008
http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
http://www.redhat.com/support/errata/RHSA-2010-0808.html
http://www.ubuntu.com/usn/USN-1011-3
http://www.vupen.com/english/advisories/2010/2864
http://www.redhat.com/support/errata/RHSA-2010-0809.html
http://www.vupen.com/english/advisories/2010/2857
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050061.html
http://www.redhat.com/support/errata/RHSA-2010-0810.html
http://secunia.com/advisories/41966
http://secunia.com/advisories/41969
http://www.securitytracker.com/id?1024650
http://www.vupen.com/english/advisories/2010/2837
http://www.securitytracker.com/id?1024651
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.556706
http://secunia.com/advisories/42043
http://secunia.com/advisories/41965
http://secunia.com/advisories/41761
http://norman.com/about_norman/press_center/news_archive/2010/129223/en?utm_source=twitterfeed&utm_medium=twitter
http://support.avaya.com/css/P8/documents/100114329
http://www.securitytracker.com/id?1024645
http://www.ubuntu.com/usn/usn-1011-1
http://secunia.com/advisories/41975
http://www.securityfocus.com/bid/44425
http://secunia.com/advisories/42003
http://support.avaya.com/css/P8/documents/100114335
http://www.redhat.com/support/errata/RHSA-2010-0896.html
http://www.redhat.com/support/errata/RHSA-2010-0861.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050154.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050077.html
http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox
http://secunia.com/advisories/42867
http://www.vupen.com/english/advisories/2011/0061
http://www.exploit-db.com/exploits/15341
http://www.exploit-db.com/exploits/15352
http://www.exploit-db.com/exploits/15342
http://www.ubuntu.com/usn/USN-1011-2
http://www.debian.org/security/2010/dsa-2124
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12108
https://access.redhat.com/errata/RHSA-2010:0809
https://nvd.nist.gov
https://usn.ubuntu.com/1011-2/
https://www.exploit-db.com/exploits/15352/