CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0CVE-2016-5266 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-5266
05 Aug 2016 — Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site. Mozilla Firefox en versiones anteriores a 48.0 no restringe adecuadamente acciones arrastrar y soltar (también conocido como dataTransfer) para file: URIs, lo que permite a atacantes remotos asistidos por usuario acceder a archivos locales a través de un sitio web manipulado. Gustavo Grieco discovered an out-... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5251 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-5251
05 Aug 2016 — Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar via crafted characters in the media type of a data: URL. Mozilla Firefox en versiones anteriores a 48.0 permite a atacantes remotos suplantar la barra de direcciones a través de caracteres manipulados en el formato de un data: URL. Gustavo Grieco discovered an out-of-bounds read during XML parsing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to ... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5260 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-5260
05 Aug 2016 — Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file. Mozilla Firefox en versiones anteriores a 48.0 no maneja correctamente cambios de 'INPUT type="password"' a 'INPUT type="text"' dentro de una sola sesión Session Manager, lo que podría permitir a atacantes descubrir contraseñas en texto plano mediante la lectura de un arch... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2016-5261 – Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)
https://notcve.org/view.php?id=CVE-2016-5261
05 Aug 2016 — Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering. Desbordamiento de enteros en la clase WebSocketChannel en el subsistema WebSockets en Mozilla Firefox en versiones anteriores a la 48.0 y Firefox ESR en versiones anteriores a la 45.4 permite que lo... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-190: Integer Overflow or Wraparound •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5268 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-5268
05 Aug 2016 — Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to conduct spoofing attacks via a crafted URL, as demonstrated by misleading text after an about:neterror?d= substring. Mozilla Firefox en versiones anteriores a 48.0 no fija adecuadamente los indicadores LINKABLE y URI_SAFE_FOR_UNTRUSTED_CONTENT de about: URLs que se usan para páginas de error, lo que facilita a atac... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-254: 7PK - Security Features •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 0CVE-2016-2835 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-2835
05 Aug 2016 — Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Multiples vulnerabilidades no especificadas en el motor del navegador en Mozilla Firefox en versiones anteriores a 48.0 permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de aplicación) o posiblemente ejecutar código arbitrario ... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 0CVE-2016-5255 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-5255
05 Aug 2016 — Use-after-free vulnerability in the js::PreliminaryObjectArray::sweep function in Mozilla Firefox before 48.0 allows remote attackers to execute arbitrary code via crafted JavaScript that is mishandled during incremental garbage collection. Vulnerabilidad de uso después de liberación de memoria en la función js::PreliminaryObjectArray::sweep en Mozilla Firefox en versiones anteriores a 48.0 permite a atacantes remotos ejecutar código arbitrario a través de JavaScript manipulado que es manejado incorrectamen... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-416: Use After Free •
CVSS: 6.5EPSS: 1%CPEs: 7EXPL: 0CVE-2016-2839 – Gentoo Linux Security Advisory 201701-15
https://notcve.org/view.php?id=CVE-2016-2839
05 Aug 2016 — Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 on Linux make cairo _cairo_surface_get_extents calls that do not properly interact with libav header allocation in FFmpeg 0.10, which allows remote attackers to cause a denial of service (application crash) via a crafted video. Mozilla Firefox en versiones anteriores a 48.0 y Firefox ESR 45.x en versiones anteriores a 45.3 en Linux hace llamadas cairo _cairo_surface_get_extents que no interactúan adecuadamente con asignación de cabecera libav en F... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 2%CPEs: 8EXPL: 1CVE-2016-5264 – Mozilla: Use-after-free when applying SVG effects (MFSA 2016-79)
https://notcve.org/view.php?id=CVE-2016-5264
03 Aug 2016 — Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildListChange function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG element that is mishandled during effect application. Vulnerabilidad de uso después de liberación de memoria en la función nsNodeUtils::NativeAnonymousChildListChange en Mozilla Firefox en versiones anteriores a 48.0 y Firefox ESR 45.x en versi... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2016-5265 – Mozilla: Same-origin policy violation using local HTML file and saved shortcut file (MFSA 2016-80)
https://notcve.org/view.php?id=CVE-2016-5265
03 Aug 2016 — Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory. Mozilla Firefox en versiones anteriores a 48.0 y Firefox ESR 45.x en versiones anteriores a 45.3 permite a atacantes remotos asistidos por usuario eludir el Same Origin Policy, y llevar a cabo ataques... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •