CVE-2019-11696
https://notcve.org/view.php?id=CVE-2019-11696
Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local system. This could allow users to mistakenly launch an executable binary locally. This vulnerability affects Firefox < 67. Los archivos con la extensión .JNLP utilizada para las aplicaciones "Java web start" no se tratan como contenido ejecutable para las solicitudes de descarga, aunque se pueden ejecutar si Java está instalado en el sistema local. Esto podría permitir a los usuarios lanzar de forma local un binario ejecutable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1392955 https://www.mozilla.org/security/advisories/mfsa2019-13 • CWE-20: Improper Input Validation •
CVE-2019-11691 – Mozilla: Use-after-free in XMLHttpRequest
https://notcve.org/view.php?id=CVE-2019-11691
A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Puede ocurrir una vulnerabilidad de uso después de liberarse cuando se trabaja con XMLHttpRequest (XHR) en un bucle de eventos, lo que hace que se llame al subproceso principal de XHR después de que se haya liberado. Esto da lugar a una caída potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1542465 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-11691 https://bugzilla.redhat.com/show_bug.cgi?id=1712617 • CWE-416: Use After Free •
CVE-2019-9806
https://notcve.org/view.php?id=CVE-2019-9806
A vulnerability exists during authorization prompting for FTP transaction where successive modal prompts are displayed and cannot be immediately dismissed. This allows for a denial of service (DOS) attack. This vulnerability affects Firefox < 66. Una vulnerabilidad existente durante la solicitud de una transacción FTP donde sucesivos mensajes modales son mostrados y no pueden ser inmediatamente rechazados. Esto permite un ataque de denegación de servicios (DoS). • https://bugzilla.mozilla.org/show_bug.cgi?id=1525267 https://www.mozilla.org/security/advisories/mfsa2019-07 • CWE-399: Resource Management Errors •
CVE-2019-9794
https://notcve.org/view.php?id=CVE-2019-9794
A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. • https://bugzilla.mozilla.org/show_bug.cgi?id=1530103 https://www.mozilla.org/security/advisories/mfsa2019-07 https://www.mozilla.org/security/advisories/mfsa2019-08 https://www.mozilla.org/security/advisories/mfsa2019-11 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2019-9804
https://notcve.org/view.php?id=CVE-2019-9804
In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted. This is the result of an issue with the native version of Bash on macOS. *Note: This issue only affects macOS. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66. • https://bugzilla.mozilla.org/show_bug.cgi?id=1518026 https://www.mozilla.org/security/advisories/mfsa2019-07 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •