CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-5121
https://notcve.org/view.php?id=CVE-2018-5121
Low descenders on some Tibetan characters in several fonts on OS X are clipped when rendered in the addressbar. When used as part of an Internationalized Domain Name (IDN) this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 58. • http://www.securityfocus.com/bid/102786 http://www.securitytracker.com/id/1040270 https://bugzilla.mozilla.org/show_bug.cgi?id=1402368 https://www.mozilla.org/security/advisories/mfsa2018-02 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7836
https://notcve.org/view.php?id=CVE-2017-7836
The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57. • http://www.securityfocus.com/bid/101832 http://www.securitytracker.com/id/1039803 https://bugzilla.mozilla.org/show_bug.cgi?id=1401339 https://www.mozilla.org/security/advisories/mfsa2017-24 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7766
https://notcve.org/view.php?id=CVE-2017-7766
An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Un ataque que emplea la manipulación del contenido de "updater.ini", empleado por Mozilla Windows Updater, y un escalado de privilegios mediante Mozilla Maintenance Service permite la ejecución y eliminación de archivos arbitrarios por parte de Maintenance Service, que tiene acceso privilegiado. • http://www.securityfocus.com/bid/99057 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1342742 https://www.mozilla.org/security/advisories/mfsa2017-15 https://www.mozilla.org/security/advisories/mfsa2017-16 •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-7763
https://notcve.org/view.php?id=CVE-2017-7763
Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1360309 https://www.mozilla.org/security/advisories/mfsa2017-15 https://www.mozilla.org/security/advisories/mfsa2017-16 https://www.mozilla.org/security/advisories/mfsa2017-17 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2017-7759
https://notcve.org/view.php?id=CVE-2017-7759
Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs, allowing for the reading of local data through a violation of same-origin policy. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 54. Las URL de intent Android dadas a Firefox para Android pueden emplearse para navegar desde URL HTTP o HTTPS hasta URL "file:" locales, lo que permite la lectura de datos locales mediante una violación de la política del mismo origen. • http://www.securityfocus.com/bid/99052 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1356893 https://www.mozilla.org/security/advisories/mfsa2017-15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •