CVSS: 5.3EPSS: 0%CPEs: 17EXPL: 0CVE-2017-7848 – Mozilla: RSS Feed vulnerable to new line Injection
https://notcve.org/view.php?id=CVE-2017-7848
RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2. Los campos RSS pueden inyectar nuevas líneas en la estructura del correo electrónico creado, modificando el cuerpo del mensaje. La vulnerabilidad afecta a las versiones anteriores a la 52.5.2 de Thunderbird. • http://www.securityfocus.com/bid/102258 http://www.securitytracker.com/id/1040123 https://access.redhat.com/errata/RHSA-2018:0061 https://bugzilla.mozilla.org/show_bug.cgi?id=1411699 https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html https://www.debian.org/security/2017/dsa-4075 https://www.mozilla.org/security/advisories/mfsa2017-30 https://access.redhat.com/security/cve/CVE-2017-7848 https://bugzilla.redhat.com/show_bug.cgi?id=1530192 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2017-7846 – Mozilla: JavaScript Execution via RSS in mailbox:// origin
https://notcve.org/view.php?id=CVE-2017-7846
It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2. Es posible ejecutar código JavaScript en el canal RSS analizado cuando el canal RSS se ve como un sitio web, por ejemplo, a través de "View -> Feed article -> Website" o en el formato estándar de "View -> Feed article -> default format". La vulnerabilidad afecta a las versiones anteriores a la 52.5.2 de Thunderbird. • http://www.securityfocus.com/bid/102258 http://www.securitytracker.com/id/1040123 https://access.redhat.com/errata/RHSA-2018:0061 https://bugzilla.mozilla.org/show_bug.cgi?id=1411716 https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html https://www.debian.org/security/2017/dsa-4075 https://www.mozilla.org/security/advisories/mfsa2017-30 https://access.redhat.com/security/cve/CVE-2017-7846 https://bugzilla.redhat.com/show_bug.cgi?id=1530187 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2017-7847 – Mozilla: Local path string can be leaked from RSS feed
https://notcve.org/view.php?id=CVE-2017-7847
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2. El CSS creado en un feed RSS puede filtrar y revelar cadenas de rutas locales que pueden contener el nombre de un usuario. La vulnerabilidad afecta a las versiones anteriores a la 52.5.2 de Thunderbird. • http://www.securityfocus.com/bid/102258 http://www.securitytracker.com/id/1040123 https://access.redhat.com/errata/RHSA-2018:0061 https://bugzilla.mozilla.org/show_bug.cgi?id=1411708 https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html https://www.debian.org/security/2017/dsa-4075 https://www.mozilla.org/security/advisories/mfsa2017-30 https://access.redhat.com/security/cve/CVE-2017-7847 https://bugzilla.redhat.com/show_bug.cgi?id=1530190 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 15EXPL: 0CVE-2017-7828 – Mozilla: Use-after-free of PressShell while restyling layout (MFSA 2017-25)
https://notcve.org/view.php?id=CVE-2017-7828
A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. Puede ocurrir una vulnerabilidad de uso de memoria previamente liberada cuando se alinea y redimensiona la disposición porque el objeto "PressShell'" se ha liberado cuando se estaba utilizando. Esto resulta en un cierre inesperado potencialmente explotable durante estas operaciones. • http://www.securityfocus.com/bid/101832 http://www.securitytracker.com/id/1039803 https://access.redhat.com/errata/RHSA-2017:3247 https://access.redhat.com/errata/RHSA-2017:3372 https://bugzilla.mozilla.org/show_bug.cgi?id=1406750 https://bugzilla.mozilla.org/show_bug.cgi?id=1412252 https://lists.debian.org/debian-lts-announce/2017/11/msg00018.html https://lists.debian.org/debian-lts-announce/2017/12/msg00001.html https://www.debian.org/security/2017/dsa-4035 https:// • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 17EXPL: 0CVE-2017-7826 – Mozilla: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 (MFSA 2017-25)
https://notcve.org/view.php?id=CVE-2017-7826
Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. Se han informado de errores de seguridad de memoria en Firefox 56 y Firefox ESR 52.4. Algunos de estos errores mostraron evidencias de corrupción de memoria y se cree que, con el esfuerzo necesario, se podrían explotar para ejecutar código arbitrario. • http://www.securityfocus.com/bid/101832 http://www.securitytracker.com/id/1039803 https://access.redhat.com/errata/RHSA-2017:3247 https://access.redhat.com/errata/RHSA-2017:3372 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1394530%2C1369561%2C1411458%2C1400003%2C1395138%2C1408412%2C1393840%2C1400763%2C1339259%2C1394265%2C1407740%2C1407751%2C1408005%2C1406398%2C1387799%2C1261175%2C1400554%2C1375146%2C1397811%2C1404636%2C1401804 https://lists.debian.org/debian-lts-announce/2017/11/msg00018.html https://lists.debian.org/de • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •