CVE-2016-9065
https://notcve.org/view.php?id=CVE-2016-9065
The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. La barra de direcciones en firefox para Android puede suplantarse forzando a un usuario a emplear el modo de pantalla completa, bloqueando la salida y creando una barra de direcciones falsa sin notificaciones de usuario. • http://www.securityfocus.com/bid/94342 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1306696 https://www.mozilla.org/security/advisories/mfsa2016-89 • CWE-20: Improper Input Validation •
CVE-2018-5174
https://notcve.org/view.php?id=CVE-2018-5174
In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. • http://www.securityfocus.com/bid/104136 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1447080 https://www.mozilla.org/security/advisories/mfsa2018-11 https://www.mozilla.org/security/advisories/mfsa2018-12 https://www.mozilla.org/security/advisories/mfsa2018-13 •
CVE-2018-5165
https://notcve.org/view.php?id=CVE-2018-5165
In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled. The displayed state is the reverse of the true setting, resulting in user confusion. This could cause users to select this setting intending to activate it and inadvertently turn protections off. This vulnerability affects Firefox < 60. En las versiones de 32 bits de Firefox, la configuración del plugin de Adobe Flash para "Activar el modo protegido de Adobe Flash" está desactivada por defecto a pesar de que el sandbox de Adobe Flash está en realidad activado. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1451452 https://www.mozilla.org/security/advisories/mfsa2018-11 •
CVE-2016-5293
https://notcve.org/view.php?id=CVE-2016-5293
When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. Cuando se ejecuta Mozilla Updater, si el archivo de registro de Updater en el directorio de trabajo señala a un vínculo permanente, los datos pueden anexarse a un archivo local arbitrario. • http://www.securityfocus.com/bid/94336 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1246945 https://security.gentoo.org/glsa/201701-15 https://www.mozilla.org/security/advisories/mfsa2016-89 https://www.mozilla.org/security/advisories/mfsa2016-90 • CWE-20: Improper Input Validation •
CVE-2018-5153
https://notcve.org/view.php?id=CVE-2018-5153
If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response. This vulnerability affects Firefox < 60. Si se envían datos de sockets web con texto mixto y binario en un solo mensaje, los datos binarios pueden corromperse. Esto puede resultar en una lectura fuera de límites con la memoria de lectura enviada al servidor de origen en respuesta. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1436809 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-125: Out-of-bounds Read •