CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0606
https://notcve.org/view.php?id=CVE-2024-0606
22 Jan 2024 — An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122. Un atacante podría ejecutar un script no autorizado en un sitio legítimo a través de UXSS usando window.open() abriendo un URI de JavaScript que conduzca a acciones no autorizadas dentro de la página web cargada por el usuario. Esta vulnerabilidad afecta a Focus para iO... • https://bugzilla.mozilla.org/show_bug.cgi?id=1855030 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0605
https://notcve.org/view.php?id=CVE-2024-0605
22 Jan 2024 — Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122. Usando un javascript: URI con una condición de ejecución setTimeout, un atacante puede ejecutar scripts no autorizados en los principales sitios de origen en urlbar. Esto elude las medidas de... • https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 10.0EPSS: 75%CPEs: 25EXPL: 2CVE-2023-5217 – Google Chromium libvpx Heap Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2023-5217
28 Sep 2023 — Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) El desbordamiento del búfer en la codificación vp8 en libvpx en Google Chrome anterior a 117.0.5938.132 y libvpx 1.13.1 permitía a un atacante remoto explotar potencialmente la corrupción del montón a través de una página HTML manipulada. (Severidad de seguridad de Chrome: alta) A... • https://github.com/UT-Security/cve-2023-5217-poc • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29546
https://notcve.org/view.php?id=CVE-2023-29546
19 Jun 2023 — When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially leaking sensitive information. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox for Android < 112 and Focus for Android < 112. • https://bugzilla.mozilla.org/show_bug.cgi?id=1780842 •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29534
https://notcve.org/view.php?id=CVE-2023-29534
19 Jun 2023 — Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to potential user confusion and spoofing attacks. *This bug only affects Firefox and Focus for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 112 and Focus for Android < 112. • https://bugzilla.mozilla.org/show_bug.cgi?id=1816007 •
CVSS: 10.0EPSS: 2%CPEs: 5EXPL: 2CVE-2022-26485 – Mozilla Firefox Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2022-26485
07 Mar 2022 — Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. La eliminación de un parámetro XSLT durante el procesamiento podría haber dado lugar a un use-after-free explotable. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. • https://github.com/mistymntncop/CVE-2022-26485 • CWE-416: Use After Free •
CVSS: 10.0EPSS: 1%CPEs: 5EXPL: 2CVE-2022-26486 – Mozilla Firefox Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2022-26486
07 Mar 2022 — An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. Un mensaje inesperado en el framework IPC de WebGPU podría provocar un escape de la sandbox explotable y de use-after-free. Hemos recibido informes de ataques en la naturaleza que abusan de esta fal... • https://bugzilla.mozilla.org/show_bug.cgi?id=1758070 • CWE-416: Use After Free •