CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-5134
https://notcve.org/view.php?id=CVE-2018-5134
WebExtensions may use "view-source:" URLs to view local "file:" URL content, as well as content stored in "about:cache", bypassing restrictions that only allow WebExtensions to view specific content. This vulnerability affects Firefox < 59. WebExtensions puede usar URL "view-source:" para visualizar contenido de URL"file:" local, así como el contenido almacenado en "about:cache", omitiendo las restricciones que solo permiten a WebExtensions visualizar contenido específico. Esta vulnerabilidad afecta a las versiones anteriores a la 59 de Firefox. • http://www.securityfocus.com/bid/103386 http://www.securitytracker.com/id/1040514 https://bugzilla.mozilla.org/show_bug.cgi?id=1429379 https://usn.ubuntu.com/3596-1 https://www.mozilla.org/security/advisories/mfsa2018-06 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5137
https://notcve.org/view.php?id=CVE-2018-5137
A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script. This script does this by using a maliciously crafted path string to reference the resources. Note: this vulnerability does not affect WebExtensions. This vulnerability affects Firefox < 59. Los recursos definidos y no accesibles de una extensión legacy pueden ser cargados por una página web arbitraria a través de un script. • http://www.securityfocus.com/bid/103386 http://www.securitytracker.com/id/1040514 https://bugzilla.mozilla.org/show_bug.cgi?id=1432870 https://usn.ubuntu.com/3596-1 https://www.mozilla.org/security/advisories/mfsa2018-06 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5133
https://notcve.org/view.php?id=CVE-2018-5133
If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This stored preference is also executed whenever an EME video player plugin displays a CDM-disabled message as a notification message. This vulnerability affects Firefox < 59. Si un programa local malicioso cambia la preferencia "app.support.baseURL" para que contenga contenido HTML y script, este contenido no se sanea. • http://www.securityfocus.com/bid/103386 http://www.securitytracker.com/id/1040514 https://bugzilla.mozilla.org/show_bug.cgi?id=1430511 https://bugzilla.mozilla.org/show_bug.cgi?id=1430974 https://usn.ubuntu.com/3596-1 https://www.mozilla.org/security/advisories/mfsa2018-06 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5143
https://notcve.org/view.php?id=CVE-2018-5143
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59. Las URL que utilizan "javascript:" eliminan el protocolo cuando se pega en la barra de direcciones para proteger a los usuarios de ataques Cross-Site Scripting (XSS), pero si hay un carácter de tabulación incrustado en la URL "javascript:", el protocolo no se elimina y el script se ejecutará. Esto podría permitir que se realice ingeniería social sobre los usuarios para ejecutar un ataque Cross-Site Scripting (XSS) contra ellos mismos. • http://www.securityfocus.com/bid/103386 http://www.securitytracker.com/id/1040514 https://bugzilla.mozilla.org/show_bug.cgi?id=1422643 https://usn.ubuntu.com/3596-1 https://www.mozilla.org/security/advisories/mfsa2018-06 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5142
https://notcve.org/view.php?id=CVE-2018-5142
If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59. Si se solicita permiso de la API Media Capture and Streams desde documentos con URL "data:" o "blob:", las notificaciones de permiso no muestran correctamente el dominio de origen. La notificación indica "Unknown protocol" (protocolo desconocido) como el solicitante, lo que lleva a la confusión del usuario sobre qué sitio está solicitando este permiso. • http://www.securityfocus.com/bid/103386 http://www.securitytracker.com/id/1040514 https://bugzilla.mozilla.org/show_bug.cgi?id=1366357 https://usn.ubuntu.com/3596-1 https://www.mozilla.org/security/advisories/mfsa2018-06 •