CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7781
https://notcve.org/view.php?id=CVE-2017-7781
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFINITY" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox < 55. Ocurre un error en el algoritmo de suma de puntos de curva elíptica que emplea coordenadas mixtas Jacobian-affine que pueden dar como resultado "POINT_AT_INFINITY", aunque no deberían. Un atacante Man-in-the-Middle (MitM) podría aprovecharlo para interferir con una conexión, lo que resulta en que la parte atacada calcula un secreto compartido de forma incorrecta. • http://www.securityfocus.com/bid/100383 http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1352039 https://www.mozilla.org/security/advisories/mfsa2017-18 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-7794
https://notcve.org/view.php?id=CVE-2017-7794
On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system. Other operating systems are not affected. This vulnerability affects Firefox < 55. En sistemas Linux, si el proceso content se ve comprometido, el broker del sandbox permitirá el truncado de archivos aunque el sandbox solo tenga explícitamente acceso de lectura al sistema de archivos local y no tenga permisos de escritura. • http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1374281 https://www.mozilla.org/security/advisories/mfsa2017-18 • CWE-276: Incorrect Default Permissions •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7788
https://notcve.org/view.php?id=CVE-2017-7788
When an "iframe" has a "sandbox" attribute and its content is specified using "srcdoc", that content does not inherit the containing page's Content Security Policy (CSP) as it should unless the sandbox attribute included "allow-same-origin". This vulnerability affects Firefox < 55. cuando un iframe tiene un atributo "sandbox" y su contenido se especifica mediante "srcdoc", dicho contenido no hereda el CSP (Content Security Policy) de la página que lo contiene, tal y como debería, a no ser que el atributo sandbox incluya "allow-same-origin". La vulnerabilidad afecta a Firefox en versiones anteriores a la 55. • http://www.securityfocus.com/bid/100379 http://www.securitytracker.com/id/1039124 https://bugzilla.mozilla.org/show_bug.cgi?id=1073952 https://www.mozilla.org/security/advisories/mfsa2017-18 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 1CVE-2017-7809 – Mozilla: Use-after-free while deleting attached editor DOM node (MFSA 2017-19)
https://notcve.org/view.php?id=CVE-2017-7809
A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Puede ocurrir una vulnerabilidad de uso de memoria previamente liberada cuando un nodo DOM editor se borra de manera prematura durante el salto de árbol cuando aún sigue vinculado al documento. Esto resulta en un cierre inesperado explotable. • http://www.securityfocus.com/bid/100203 http://www.securitytracker.com/id/1039124 https://access.redhat.com/errata/RHSA-2017:2456 https://access.redhat.com/errata/RHSA-2017:2534 https://bugzilla.mozilla.org/show_bug.cgi?id=1380284 https://security.gentoo.org/glsa/201803-14 https://www.debian.org/security/2017/dsa-3928 https://www.debian.org/security/2017/dsa-3968 https://www.mozilla.org/security/advisories/mfsa2017-18 https://www.mozilla.org/security/advisories/mfsa2017-19 • CWE-416: Use After Free •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 1CVE-2017-7784 – Mozilla: Use-after-free with image observers (MFSA 2017-19)
https://notcve.org/view.php?id=CVE-2017-7784
A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Puede ocurrir una vulnerabilidad de uso de memoria previamente liberada al leer un observador de imagen durante la reconstrucción de frames una vez se ha liberado el observador. Esto resulta en un cierre inesperado potencialmente explotable. • http://www.securityfocus.com/bid/100202 http://www.securitytracker.com/id/1039124 https://access.redhat.com/errata/RHSA-2017:2456 https://access.redhat.com/errata/RHSA-2017:2534 https://bugzilla.mozilla.org/show_bug.cgi?id=1376087 https://security.gentoo.org/glsa/201803-14 https://www.debian.org/security/2017/dsa-3928 https://www.debian.org/security/2017/dsa-3968 https://www.mozilla.org/security/advisories/mfsa2017-18 https://www.mozilla.org/security/advisories/mfsa2017-19 • CWE-416: Use After Free •