CVSS: 8.4EPSS: 27%CPEs: 11EXPL: 0CVE-2015-7181 – nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133)
https://notcve.org/view.php?id=CVE-2015-7181
04 Nov 2015 — The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue. La función sec_asn1d_parse_leaf en Mozilla Network Security Ser... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.1EPSS: 0%CPEs: 9EXPL: 0CVE-2015-7193 – Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)
https://notcve.org/view.php?id=CVE-2015-7193
04 Nov 2015 — Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation, which allows remote attackers to bypass the Same Origin Policy by leveraging the lack of a preflight-request step. Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 sigue el algoritmo de petición CORS cross-origin indebidamente para el método POST en si... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 23%CPEs: 17EXPL: 0CVE-2015-7182 – nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133)
https://notcve.org/view.php?id=CVE-2015-7182
04 Nov 2015 — Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data. Desbordamiento de buffer basado en memoria dinámica en el decodificador ASN.1 en Mozilla Network Security Services (NSS) en versiones anteriores a 3.19.2.1 ... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 9.8EPSS: 20%CPEs: 11EXPL: 0CVE-2015-7183 – nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133)
https://notcve.org/view.php?id=CVE-2015-7183
04 Nov 2015 — Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. Desbordamiento de entero en la implementación de PL_ARENA_ALLOCATE en Netscape Portable Runtime (NSPR) e... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-189: Numeric Errors •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2015-7188 – Mozilla: Trailing whitespace in IP address hostnames can bypass same-origin policy (MFSA 2015-122)
https://notcve.org/view.php?id=CVE-2015-7188
04 Nov 2015 — Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appending whitespace characters to an IP address string. Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 permite a atacantes remotos eludir la Same Origin Policy para un origen dirección IP y realizar ataques de cross-site scripting (XSS), añadiendo caracteres de espac... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-254: 7PK - Security Features •
CVSS: 8.8EPSS: 5%CPEs: 9EXPL: 0CVE-2015-7194 – Mozilla: Memory corruption in libjar through zip files (MFSA 2015-128)
https://notcve.org/view.php?id=CVE-2015-7194
04 Nov 2015 — Buffer underflow in libjar in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ZIP archive. Desbordamiento inferior de buffer en libjar en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 permite a atacantes remotos provocar una denegación de servicio (caída de aplicación) o posiblemente ejecutar código arbitrario a través de un... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 6%CPEs: 9EXPL: 0CVE-2015-7189 – Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123)
https://notcve.org/view.php?id=CVE-2015-7189
04 Nov 2015 — Race condition in the JPEGEncoder function in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via vectors involving a CANVAS element and crafted JavaScript code. Condición de carrera en la función JPEGEncoder en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 permite a atacantes remotos ejecutar código arbitrario o provocar una denegación d... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.1EPSS: 0%CPEs: 9EXPL: 0CVE-2015-7197 – Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)
https://notcve.org/view.php?id=CVE-2015-7197
04 Nov 2015 — Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code. Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 controla indebidamente la capacidad de un web worker para crear un objeto WebSocket, lo que permite a atacantes remotos eludir las restricciones destinadas al contenido mix... • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7184 – Ubuntu Security Notice USN-2768-1
https://notcve.org/view.php?id=CVE-2015-7184
17 Oct 2015 — The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. La implementación de la API fetch en Mozilla Firefox en versiones anteriores a 41.0.2 no restringe el acceso al cuerpo de respuesta de HTTP en ciertas situaciones, donde las credenciales... • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7327
https://notcve.org/view.php?id=CVE-2015-7327
24 Sep 2015 — Mozilla Firefox before 41.0 does not properly restrict the availability of High Resolution Time API times, which allows remote attackers to track last-level cache access, and consequently obtain sensitive information, via crafted JavaScript code that makes performance.now calls. Vulnerabiliad en Mozilla Firefox en versiones anteriores a 41.0, no restringe adecuadamente la disponibilidad de tiempos de la API High Resolution Time, lo que podría permitir a atacantes remotos rastrear el acceso a la caché de últ... • http://arxiv.org/abs/1502.07373 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •