CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5397
https://notcve.org/view.php?id=CVE-2017-5397
The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by Firefox with their own versions. This vulnerability affects Firefox < 51.0.3. El directorio cache en el sistema de archivos local está establecido para que tenga permisos de escritura global. • http://www.securityfocus.com/bid/96144 https://bugzilla.mozilla.org/show_bug.cgi?id=1337304 https://www.mozilla.org/security/advisories/mfsa2017-04 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-5293
https://notcve.org/view.php?id=CVE-2016-5293
When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. Cuando se ejecuta Mozilla Updater, si el archivo de registro de Updater en el directorio de trabajo señala a un vínculo permanente, los datos pueden anexarse a un archivo local arbitrario. • http://www.securityfocus.com/bid/94336 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1246945 https://security.gentoo.org/glsa/201701-15 https://www.mozilla.org/security/advisories/mfsa2016-89 https://www.mozilla.org/security/advisories/mfsa2016-90 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7782
https://notcve.org/view.php?id=CVE-2017-7782
An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Error en "WindowsDllDetourPatcher", donde un bloque 4k RWX ("Read/Write/Execute") se asigna, pero nunca se proteje, violando las protecciones DEP. • http://www.securityfocus.com/bid/100243 http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1344034 https://www.mozilla.org/security/advisories/mfsa2017-18 https://www.mozilla.org/security/advisories/mfsa2017-19 https://www.mozilla.org/security/advisories/mfsa2017-20 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5122
https://notcve.org/view.php?id=CVE-2018-5122
A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox < 58. Se ha identificado un potencial desbordamiento de enteros en la función "DoCrypt" de WebCrypto. Si se encuentra un medio para explotarlo, podría resultar en una escritura fuera de límites. • http://www.securityfocus.com/bid/102786 http://www.securitytracker.com/id/1040270 https://bugzilla.mozilla.org/show_bug.cgi?id=1413841 https://usn.ubuntu.com/3544-1 https://www.mozilla.org/security/advisories/mfsa2018-02 • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 1CVE-2016-5294
https://notcve.org/view.php?id=CVE-2016-5294
The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Mozilla Updater puede ser forzado a escoger un directorio de trabajo objetivo arbitrario para enviar archivos resultantes del proceso de actualización. • http://www.securityfocus.com/bid/94336 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1246972 https://security.gentoo.org/glsa/201701-15 https://www.mozilla.org/security/advisories/mfsa2016-89 https://www.mozilla.org/security/advisories/mfsa2016-90 https://www.mozilla.org/security/advisories/mfsa2016-93 • CWE-20: Improper Input Validation •