CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5176
https://notcve.org/view.php?id=CVE-2018-5176
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60. JSON Viewer muestra hipervínculos que se pueden hacer clic en ellos para cadenas que son analizables sintácticamente como URL, incluyendo enlaces "javascript:". • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1442840 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5169
https://notcve.org/view.php?id=CVE-2018-5169
If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs. This vulnerability affects Firefox < 60. Si se manipula el texto hipervinculado que contiene una URL "chrome:" y se arrastra y suelta en el icono "home", la página de inicio se puede restablecer para incluir una página chrome que normalmente no es enlazable como una de las pestañas de la página de inicio. Esta vulnerabilidad afecta a las versiones anteriores a la 60 de Firefox. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1319157 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5160
https://notcve.org/view.php?id=CVE-2018-5160
WebRTC can use a "WrappedI420Buffer" pixel buffer but the owning image object can be freed while it is still in use. This can result in the WebRTC encoder using uninitialized memory, leading to a potentially exploitable crash. This vulnerability affects Firefox < 60. WebRTC puede utilizar un búfer de píxeles "WrappedI420Buffer", pero el objeto owning image puede liberarse mientras está en uso. Esto puede provocar que el codificador WebRTC utilice memoria no inicializada, lo que puede provocar un cierre inesperado potencialmente explotable. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1436117 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-416: Use After Free CWE-908: Use of Uninitialized Resource •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5167
https://notcve.org/view.php?id=CVE-2018-5167
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display "javascript:" links, which users could be tricked into clicking by malicious sites. This vulnerability affects Firefox < 60. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1447969 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5166
https://notcve.org/view.php?id=CVE-2018-5166
WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission. This vulnerability affects Firefox < 60. WebExtensions puede utilizar la redirección de peticiones y un filtro "filterReponseData" para eludir la configuración de permisos del host para redirigir el tráfico de red y acceder al contenido de un host para el que no tienen permiso explícito del usuario. Esta vulnerabilidad afecta a las versiones anteriores a la 60 de Firefox. • http://www.securityfocus.com/bid/104139 http://www.securitytracker.com/id/1040896 https://bugzilla.mozilla.org/show_bug.cgi?id=1437325 https://usn.ubuntu.com/3645-1 https://www.mozilla.org/security/advisories/mfsa2018-11 • CWE-269: Improper Privilege Management •