CVSS: 9.8 • EPSS: 5% • CPEs: 7 • EXPL: 0

21 Sep 2016 — Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code via bidirectional text. • http://rhn.redhat.com/errata/RHSA-2016-1912.html • CWE-416: Use After Free

CVSS: 9.8 • EPSS: 2% • CPEs: 7 • EXPL: 0

21 Sep 2016 — Use-after-free vulnerability in the DOMSVGLength class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between JavaScript code and an SVG document. • http://rhn.redhat.com/errata/RHSA-2016-1912.html • CWE-416: Use After Free

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

05 Aug 2016 — Mozilla Firefox before 48.0 on Android allows remote attackers to spoof the address bar via left-to-right characters in conjunction with a right-to-left character set. Multiple vulnerabilities have been found in Mozilla Firefox, SeaMonkey, and Thunderbird the worst of which could lead ... • http://www.mozilla.org/security/announce/2016/mfsa2016-82.html • CWE-20: Improper Input Validation

CVSS: 4.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Aug 2016 — The Updater in Mozilla Firefox before 48.0 on Windows allows local users to write to arbitrary files via vectors involving the callback application-path parameter and a hard link. Multiple vulnerabilities have been found in Mozilla Firefox, SeaMonkey, and Thunderbird th... • http://www.mozilla.org/security/announce/2016/mfsa2016-69.html • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Aug 2016 — Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls. Catalin Dumitru discovere... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.1 • EPSS: 1% • CPEs: 1 • EXPL: 0

05 Aug 2016 — Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site. Gustavo Grieco discovered an out-... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Aug 2016 — Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar via crafted characters in the media type of a data: URL. Gustavo Grieco discovered an out-of-bounds read during XML parsing in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to ... • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-20: Improper Input Validation

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Aug 2016 — Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

05 Aug 2016 — Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-190: Integer Overflow or Wraparound

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Aug 2016 — Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to conduct spoofing attacks via a crafted URL, as demonstrated by misleading text after an about:neterror?d= substring. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html • CWE-254: 7PK - Security Features