CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-5463
https://notcve.org/view.php?id=CVE-2017-5463
Android intents can be used to launch Firefox for Android in reader mode with a user specified URL. This allows an attacker to spoof the contents of the addressbar as displayed to users. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 53. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://bugzilla.mozilla.org/show_bug.cgi?id=1338867 https://www.mozilla.org/security/advisories/mfsa2017-10 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-5295
https://notcve.org/view.php?id=CVE-2016-5295
This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44. Note: this issue only affects Windows operating systems. This vulnerability affects Firefox < 50. Esta vulnerabilidad permite que un atacante emplee Mozilla Maintenance Service para escalar privilegios haciendo que Maintenance Service invoque a Mozilla Updater para ejecutar archivos locales maliciosos. • http://www.securityfocus.com/bid/94337 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1247239 https://www.mozilla.org/en-US/security/advisories/mfsa2013-44 https://www.mozilla.org/security/advisories/mfsa2016-89 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-5138
https://notcve.org/view.php?id=CVE-2018-5138
A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox for Android. This could allow an attacker to spoof which page is actually loaded and in use. Note: this issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 59. • http://www.securityfocus.com/bid/103386 http://www.securitytracker.com/id/1040514 https://bugzilla.mozilla.org/show_bug.cgi?id=1432624 https://www.mozilla.org/security/advisories/mfsa2018-06 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2016-5299
https://notcve.org/view.php?id=CVE-2016-5299
A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. Una aplicación Android maliciosa previamente instalada con los mismos permisos a nivel de firma que Firefox puede interceptar AuthTokens destinados solo a Firefox. • http://www.securityfocus.com/bid/94337 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1245791 https://www.mozilla.org/security/advisories/mfsa2016-89 • CWE-275: Permission Issues •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7796
https://notcve.org/view.php?id=CVE-2017-7796
On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. • http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1234401 https://www.mozilla.org/security/advisories/mfsa2017-18 • CWE-20: Improper Input Validation •