CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7804
https://notcve.org/view.php?id=CVE-2017-7804
The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. • http://www.securityfocus.com/bid/100234 http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1372849 https://www.mozilla.org/security/advisories/mfsa2017-18 https://www.mozilla.org/security/advisories/mfsa2017-19 https://www.mozilla.org/security/advisories/mfsa2017-20 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2016-9061
https://notcve.org/view.php?id=CVE-2016-9061
A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. Una aplicación Android maliciosa previamente instalada que define permisos específicos a nivel de firma empleados por Firefox puede acceder a claves API destinadas solo a Firefox. • http://www.securityfocus.com/bid/94337 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1245795 https://www.mozilla.org/security/advisories/mfsa2016-89 • CWE-275: Permission Issues •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7790
https://notcve.org/view.php?id=CVE-2017-7790
On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. • http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1350460 https://www.mozilla.org/security/advisories/mfsa2017-18 •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7765
https://notcve.org/view.php?id=CVE-2017-7765
The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1273265 https://www.mozilla.org/security/advisories/mfsa2017-15 https://www.mozilla.org/security/advisories/mfsa2017-16 https://www.mozilla.org/security/advisories/mfsa2017-17 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7836
https://notcve.org/view.php?id=CVE-2017-7836
The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57. • http://www.securityfocus.com/bid/101832 http://www.securitytracker.com/id/1039803 https://bugzilla.mozilla.org/show_bug.cgi?id=1401339 https://www.mozilla.org/security/advisories/mfsa2017-24 • CWE-427: Uncontrolled Search Path Element •