CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5164
https://notcve.org/view.php?id=CVE-2018-5164
Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60. La política de seguridad de contenidos (CSP) no se aplica correctamente a todas las partes del contenido multiparte enviado con el tipo MIME "multipart/x-mixed-replace". Esto podría permitir que el script se ejecute donde el CSP debería bloquearlo, permitiendo Cross-Site Scripting (XSS) y otros ataques. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1416045 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5176
https://notcve.org/view.php?id=CVE-2018-5176
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60. JSON Viewer muestra hipervínculos que se pueden hacer clic en ellos para cadenas que son analizables sintácticamente como URL, incluyendo enlaces "javascript:". • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1442840 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5169
https://notcve.org/view.php?id=CVE-2018-5169
If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs. This vulnerability affects Firefox < 60. Si se manipula el texto hipervinculado que contiene una URL "chrome:" y se arrastra y suelta en el icono "home", la página de inicio se puede restablecer para incluir una página chrome que normalmente no es enlazable como una de las pestañas de la página de inicio. Esta vulnerabilidad afecta a las versiones anteriores a la 60 de Firefox. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1319157 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5160
https://notcve.org/view.php?id=CVE-2018-5160
WebRTC can use a "WrappedI420Buffer" pixel buffer but the owning image object can be freed while it is still in use. This can result in the WebRTC encoder using uninitialized memory, leading to a potentially exploitable crash. This vulnerability affects Firefox < 60. WebRTC puede utilizar un búfer de píxeles "WrappedI420Buffer", pero el objeto owning image puede liberarse mientras está en uso. Esto puede provocar que el codificador WebRTC utilice memoria no inicializada, lo que puede provocar un cierre inesperado potencialmente explotable. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1436117 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-416: Use After Free CWE-908: Use of Uninitialized Resource •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5167
https://notcve.org/view.php?id=CVE-2018-5167
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display "javascript:" links, which users could be tricked into clicking by malicious sites. This vulnerability affects Firefox < 60. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1447969 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-20: Improper Input Validation •