CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11735 – Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
https://notcve.org/view.php?id=CVE-2019-11735
Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de la memoria presentes en Firefox versión 68 y Firefox ESR versión 68. Algunos de estos errores mostraron evidencia de corrupción de memoria y presumimos que con el esfuerzo suficiente algunos de estos podrían ser explotados para ejecutar código arbitrario. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/buglist.cgi?bug_id=1561404%2C1561484%2C1568047%2C1561912%2C1565744%2C1568858%2C1570358 https://www.mozilla.org/security/advisories/mfsa2019-25 https://www.mozilla.org/security/advisories/mfsa2019-26 https://access.redhat.com/security/cve/CVE-2019-11735 https://bugzilla.redhat.com/show_bug.cgi?id=1748661 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11748 – Mozilla: Persistence of WebRTC permissions in a third party context
https://notcve.org/view.php?id=CVE-2019-11748
WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1564588 https://www.mozilla.org/security/advisories/mfsa2019-25 https://www.mozilla.org/security/advisories/mfsa2019-26 https://access.redhat.com/security/cve/CVE-2019-11748 https://bugzilla.redhat.com/show_bug.cgi?id=1748665 • CWE-281: Improper Preservation of Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11750 – Mozilla: Type confusion in Spidermonkey
https://notcve.org/view.php?id=CVE-2019-11750
A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Se presenta una vulnerabilidad de confusión de tipos en Spidermonkey, lo que resulta en un bloqueo no explotable. Esta vulnerabilidad afecta a Firefox versiones anteriores a 69 y Firefox ESR versiones anteriores a 68.1. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1568397 https://www.mozilla.org/security/advisories/mfsa2019-25 https://www.mozilla.org/security/advisories/mfsa2019-26 https://access.redhat.com/security/cve/CVE-2019-11750 https://bugzilla.redhat.com/show_bug.cgi?id=1748667 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-908: Use of Uninitialized Resource •
CVSS: 9.3EPSS: 1%CPEs: 5EXPL: 0CVE-2019-11752 – Mozilla: Use-after-free while extracting a key value in IndexedDB
https://notcve.org/view.php?id=CVE-2019-11752
It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. Es posible eliminar un valor de clave IndexedDB y posteriormente intentar extraerlo durante la conversión. Esto resulta en un uso de la memoria previamente liberada y un bloqueo potencialmente explotable. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1501152 https://security.gentoo.org/glsa/201911-07 https://usn.ubuntu.com/4150-1 https://www.mozilla.org/security/advisories/mfsa2019-25 https://w • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11747 – Mozilla: 'Forget about this site' removes sites from pre-loaded HSTS list
https://notcve.org/view.php?id=CVE-2019-11747
The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1564481 https://www.mozilla.org/security/advisories/mfsa2019-25 https://www.mozilla.org/security/advisories/mfsa2019-26 https://access.redhat.com/security/cve/CVE-2019-11747 https://bugzilla.redhat.com/show_bug.cgi?id=1748664 • CWE-358: Improperly Implemented Security Check for Standard CWE-665: Improper Initialization •