CVSS: 6.8EPSS: 1%CPEs: 2EXPL: 0CVE-2015-2727 – Mozilla: Local files or privileged URLs in pages can be opened into new tabs (MFSA 2015-60)
https://notcve.org/view.php?id=CVE-2015-2727
Mozilla Firefox 38.0 and Firefox ESR 38.0 allow user-assisted remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges via a crafted web site that is accessed with unspecified mouse and keyboard actions. NOTE: this vulnerability exists because of a CVE-2015-0821 regression. Mozilla Firefox 38.0 y Firefox ESR 38.0 permiten a atacantes remotos asistidos por usuario leer ficheros arbitrarios o ejecutar código JavaScript arbitrario con privilegios chrome a través de un sitio web al que se accede con acciones de ratón y teclado no especificadas. NOTA: esta vulnerabilidad existe debido a una regresión del CVE-2015-0821. • http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html http://rhn.redhat.com/errata/RHSA-2015-1207.html http://www.mozilla.org/security/announce/2015/mfsa2015-60.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/75541 http://www.securitytracker.com/id/1032783 http://www.ubuntu.com/usn/USN-2656-1 http://www.ubuntu.com/usn/USN-2656-2 https://bugzilla.mozilla.org/show_bug.cgi?id=1163422 https& • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 17EXPL: 0CVE-2015-2741 – Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67)
https://notcve.org/view.php?id=CVE-2015-2741
Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which allows user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering a (1) expired certificate or (2) mismatched hostname for a domain with pinning enabled. Mozilla Firefox anterior a 39.0, Firefox ESR 38.x anterior a 38.1, y Thunderbird anterior a 38.1 no refuerzan la fijación (pinning) de las claves cuando encuentre un problema con los certificados X.509 que genere un dialogo de usuario, lo que permite a atacantes man-in-the-middle asistidos por usuario evadir las restricciones de acceso mediante la provocación de (1) un certificado caducado o (2) un nombre de anfitrión malasociado para un dominio con la fijación (pinning) habilitado. It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. • http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html http://rhn.redhat.com/errata/RHSA-2015-1207.html http://rhn.redhat.com/errata/RHSA-2015-1455.html http://www.mozilla.org/security/announce/2015/mfsa2015-67.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.securityfocus.com/bid/75541 http://www.securitytracker.com/id/1032783 http://www.securityt • CWE-310: Cryptographic Issues •
CVSS: 10.0EPSS: 0%CPEs: 28EXPL: 0CVE-2015-2724 – Mozilla: Miscellaneous memory safety hazards (rv:31.8 / rv:38.1) (MFSA 2015-59)
https://notcve.org/view.php?id=CVE-2015-2724
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Múltiples vulnerabilidades no especificadas en el motor de navegación en Mozilla Firefox anterior a 39.0, Firefox ESR 31.x anterior a 31.8 y 38.x anterior a 38.1, y Thunderbird anterior a 38.1 permiten a atacantes remotos causar una denegación de servicio (corrupción de memoria y caída de aplicación) o posiblemente ejecutar código arbitrario a través de vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html http://rhn.redhat.com/errata/RHSA-2015-1207.html http://rhn.redhat.com/errata/RHSA-2015-1455.html http://www.debian.org&#x • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 3%CPEs: 21EXPL: 0CVE-2015-2743 – Mozilla: Privilege escalation through internal workers (MFSA 2015-69)
https://notcve.org/view.php?id=CVE-2015-2743
PDF.js in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 enables excessive privileges for internal Workers, which might allow remote attackers to execute arbitrary code by leveraging a Same Origin Policy bypass. PDF.js en Mozilla Firefox anterior a 39.0 y Firefox ESR 31.x anterior a 31.8 y 38.x anterior a 38.1 habilita privilegios excesivos para los trabajadores internos, lo que podría permitir a atacantes remotos ejecutar código arbitrario mediante el aprovechamiento de una evasión de Same Origin Policy. A flaw was discovered in Mozilla's PDF.js PDF file viewer. When combined with another vulnerability, it could allow execution of arbitrary code with the privileges of the user running Firefox. • http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html http://rhn.redhat.com/errata/RHSA-2015-1207.html http://www.debian.org/security/2015/dsa-3300 http://www.mozilla.org/sec • CWE-17: DEPRECATED: Code CWE-250: Execution with Unnecessary Privileges •
CVSS: 9.3EPSS: 1%CPEs: 28EXPL: 0CVE-2015-2736 – Mozilla: Vulnerabilities found through code inspection (MFSA 2015-66)
https://notcve.org/view.php?id=CVE-2015-2736
The nsZipArchive::BuildFileList function in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 accesses unintended memory locations, which allows remote attackers to have an unspecified impact via a crafted ZIP archive. La función nsZipArchive::BuildFileList en Mozilla Firefox anterior a 39.0, Firefox ESR 31.x anterior a 31.8 y 38.x anterior a 38.1, y Thunderbird anterior a 38.1 accede a localizaciones de memoria no intencionadas, lo que permite a atacantes remotos tener un impacto no especificado a través de un archivo ZIP manipulado. • http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html http://rhn.redhat.com/errata/RHSA-2015-1207.html http://rhn.redhat.com/errata/RHSA-2015-1455.html http://www.debian.org&#x • CWE-17: DEPRECATED: Code •