CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9817 – Mozilla: Stealing of cross-domain images using canvas
https://notcve.org/view.php?id=CVE-2019-9817
Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Las imágenes desde un dominio diferente pueden ser leídas utilizando un objeto de canvas en ciertas circunstancias. Esto podría ser usado para robar datos de imágenes desde un sitio diferente en violación de la política del mismo origen. • https://bugzilla.mozilla.org/show_bug.cgi?id=1540221 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-9817 https://bugzilla.redhat.com/show_bug.cgi?id=1712626 • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11693 – Mozilla: Buffer overflow in WebGL bufferdata on Linux
https://notcve.org/view.php?id=CVE-2019-11693
The bufferdata function in WebGL is vulnerable to a buffer overflow with specific graphics drivers on Linux. This could result in malicious content freezing a tab or triggering a potentially exploitable crash. *Note: this issue only occurs on Linux. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1532525 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-11693 https://bugzilla.redhat.com/show_bug.cgi?id=1712619 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9819 – Mozilla: Compartment mismatch with fetch API
https://notcve.org/view.php?id=CVE-2019-9819
A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Una vulnerabilidad donde puede ocurrir una discrepancia en el compartimento de JavaScript mientras trabaja con la API de fetch, lo que resulta en un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Thunderbird anterior a versión 60.7, Firefox anterior a versión 67 y Firefox ESR anterior a versión 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1532553 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-9819 https://bugzilla.redhat.com/show_bug.cgi?id=1712628 • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9820 – Mozilla: Use-after-free of ChromeEventHandler by DocShell
https://notcve.org/view.php?id=CVE-2019-9820
A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Puede ocurrir una vulnerabilidad de uso de la memoria previamente liberada en el controlador de eventos de Chrome cuando se libera mientras aún está en uso. Esto resulta en un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1536405 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-9820 https://bugzilla.redhat.com/show_bug.cgi?id=1712629 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11701
https://notcve.org/view.php?id=CVE-2019-11701
The default webcal: protocol handler will load a web site vulnerable to cross-site scripting (XSS) attacks. This default was left in place as a legacy feature and has now been removed. *Note: this issue only affects users with an account on the vulnerable service. Other users are unaffected.*. This vulnerability affects Firefox < 67. • https://bugzilla.mozilla.org/show_bug.cgi?id=1518627 https://www.mozilla.org/security/advisories/mfsa2019-13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •