CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11733 – firefox: stored passwords in 'Saved Logins' can be copied without master password entry
https://notcve.org/view.php?id=CVE-2019-11733
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2. Cuando se establece una contraseña maestra, es necesario ingresarla nuevamente antes de que pueda ser accedida a las contraseñas almacenadas en el cuadro de diálogo "Saved Logins". Se detectó que las contraseñas almacenadas localmente pueden ser copiadas en el portapapeles por medio del elemento del menú contextual "copy password" sin reingresar la contraseña maestra, si la contraseña maestra ha sido ingresada previamente en la misma sesión, permitiendo el robo potencial de contraseñas almacenadas. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1565780 https://www.mozilla.org/security/advisories/mfsa2019-24 https://access.redhat.com/security/cve/CVE-2019-11733 https://bugzilla.redhat.com/show_bug.cgi?id=1745687 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9814
https://notcve.org/view.php?id=CVE-2019-9814
Mozilla developers and community members reported memory safety bugs present in Firefox 66. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 67. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de memoria presentes en Firefox 66. Algunos de estos errores mostraron evidencias de corrupción de memoria y presumimos que, con un esfuerzo suficiente, algunos de ellos podrían ser explotados para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1527592%2C1534536%2C1520132%2C1543159%2C1539393%2C1459932%2C1459182%2C1516425 https://www.mozilla.org/security/advisories/mfsa2019-13 • CWE-787: Out-of-bounds Write •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9815
https://notcve.org/view.php?id=CVE-2019-9815
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1546544 https://mdsattacks.com https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 • CWE-203: Observable Discrepancy •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9818
https://notcve.org/view.php?id=CVE-2019-9818
A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. *Note: this vulnerability only affects Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1542581 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11694
https://notcve.org/view.php?id=CVE-2019-11694
A vulnerability exists in the Windows sandbox where an uninitialized value in memory can be leaked to a renderer from a broker when making a call to access an otherwise unavailable file. This results in the potential leaking of information stored at that memory location. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1534196 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 • CWE-755: Improper Handling of Exceptional Conditions CWE-908: Use of Uninitialized Resource •