CERT-In on Monday issued an alert on vulnerabilities in Mozilla and Drupal products that could allow remote attackers to bypass security restrictions.
CERT-In (Computer Emergency Response Team) regularly issues threat alerts on vulnerabilities present in software that attackers could use to compromise the security of affected systems.
In Mozilla products
A high severity vulnerability in Mozilla products could allow remote attackers to bypass security restrictions, execute arbitrary code, and cause a denial of service.
The vulnerabilities exist in Mozilla products because of flaws in its XSLT error handling, in the way an XSLT document is referenced between iframes, data races in the PK11_ChangePW function leading to a no-use-after-use error, and memory safety flaws in the browser engine.
Attackers can exploit these vulnerabilities by convincing a victim to open a specially crafted web request.
If successfully exploited, the vulnerability could allow remote attackers to bypass security restrictions, execute arbitrary code, and cause a denial of service on targeted systems.
Mozilla has released a software update that fixes these vulnerabilities.
In Commerce Elavon Drupal module
Moderate vulnerabilities have been discovered in the Commerce Elavon Drupal module.
Drupal is open source software that is mainly used to create and manage websites. A moderate vulnerability in the Commerce Elavon module exists because the module does not sufficiently validate that it is communicating with the correct server when using the Elavon Payment Gateway (On-site).
An attacker could exploit this vulnerability by sending a specially crafted malicious request to the target system.
Successful exploitation of this vulnerability could allow attackers to bypass security restrictions. Attackers can also leak valid payment information and accept invalid payment information by exploiting this vulnerability.
Applying the updates made available through the Drupal Security Advisory is recommended to address this vulnerability.