CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7767
https://notcve.org/view.php?id=CVE-2017-7767
The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Mozilla Maintenance Service puede ser invocado por un usuario sin privilegios para sobrescribir archivos arbitrarios con datos basura mediante Mozilla Windows Updater, el cual se ejecuta con el acceso privilegiado de Maintenance Service. • http://www.securityfocus.com/bid/99057 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1336964 https://www.mozilla.org/security/advisories/mfsa2017-15 https://www.mozilla.org/security/advisories/mfsa2017-16 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7790
https://notcve.org/view.php?id=CVE-2017-7790
On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. • http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1350460 https://www.mozilla.org/security/advisories/mfsa2017-18 •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7796
https://notcve.org/view.php?id=CVE-2017-7796
On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. • http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1234401 https://www.mozilla.org/security/advisories/mfsa2017-18 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7770
https://notcve.org/view.php?id=CVE-2017-7770
A mechanism where when a new tab is loaded through JavaScript events, if fullscreen mode is then entered, the addressbar will not be rendered. This would allow a malicious site to displayed a spoofed addressbar, showing the location of an arbitrary website instead of the one loaded. Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. This vulnerability affects Firefox < 54. • http://www.securityfocus.com/bid/99049 http://www.securitytracker.com/id/1038689 https://bugzilla.mozilla.org/show_bug.cgi?id=1317242 https://www.mozilla.org/security/advisories/mfsa2017-15 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2017-7817
https://notcve.org/view.php?id=CVE-2017-7817
A spoofing vulnerability can occur when a page switches to fullscreen mode without user notification, allowing a fake address bar to be displayed. This allows an attacker to spoof which page is actually loaded and in use. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 56. • http://www.securityfocus.com/bid/101057 http://www.securitytracker.com/id/1039465 https://bugzilla.mozilla.org/show_bug.cgi?id=1356596 https://www.mozilla.org/security/advisories/mfsa2017-21 • CWE-20: Improper Input Validation •