CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5458
https://notcve.org/view.php?id=CVE-2017-5458
When a "javascript:" URL is drag and dropped by a user into the addressbar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves. This vulnerability affects Firefox < 53. Cuando un usuario arrastra y suelta una URL "javascript:" en la barra de direcciones, la URL será procesada y ejecutada. Esto permite que se le aplique ingeniería social a los usuarios para ejecutar un ataque de Cross-Site Scripting (XSS) en ellos mismos. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://bugzilla.mozilla.org/show_bug.cgi?id=1229426 https://www.mozilla.org/security/advisories/mfsa2017-10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5453
https://notcve.org/view.php?id=CVE-2017-5453
A mechanism to inject static HTML into the RSS reader preview page due to a failure to escape characters sent as URL parameters for a feed's "TITLE" element. This vulnerability allows for spoofing but no scripted content can be run. This vulnerability affects Firefox < 53. Mecanismo para inyectar HTML estático en la página de previsualización del lector RSS debido a un error a la hora de escapar caracteres enviados como parámetros de URL para un elemento "TITLE" de un feed. Esta vulnerabilidad permite la suplantación, pero no se puede ejecutar el contenido que no esté en script. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://bugzilla.mozilla.org/show_bug.cgi?id=1321247 https://www.mozilla.org/security/advisories/mfsa2017-10 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2017-5430 – Mozilla: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 (MFSA 2017-12)
https://notcve.org/view.php?id=CVE-2017-5430
Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Se han reportado errores de seguridad de memoria en Firefox 52, Firefox ESR 52, y Thunderbird 52. Algunos de estos errores mostraron evidencias de corrupción de memoria y se entiende que, con el suficiente esfuerzo, algunos de estos podrían explotarse para ejecutar código arbitrario. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://access.redhat.com/errata/RHSA-2017:1106 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1342101%2C1340482%2C1344686%2C1329796%2C1346419%2C1349621%2C1344081%2C1344305%2C1348143%2C1349719%2C1353476%2C1337418%2C1346140%2C1339722 https://www.mozilla.org/security/advisories/mfsa2017-10 https://www.mozilla.org/security/advisories/mfsa2017-12 https://www.mozilla.org/security/advisories/mfsa2017-13 https://access.redhat.com/security/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2017-5454 – Mozilla: Sandbox escape allowing file system read access through file picker (MFSA 2017-12)
https://notcve.org/view.php?id=CVE-2017-5454
A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Mecanismo para omitir las protecciones de acceso al sistema de archivos en el sandbox para emplear el picker de archivos para acceder a diferentes archivos que los seleccionados en el picker mediante el uso de rutas relativas. Esto permite acceso de solo lectura en el sistema de archivos local. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://access.redhat.com/errata/RHSA-2017:1106 https://access.redhat.com/errata/RHSA-2017:1201 https://bugzilla.mozilla.org/show_bug.cgi?id=1349276 https://www.mozilla.org/security/advisories/mfsa2017-10 https://www.mozilla.org/security/advisories/mfsa2017-12 https://www.mozilla.org/security/advisories/mfsa2017-13 https://access.redhat.com/security/cve/CVE-2017-5454 https://bugzilla.redhat.com/sho • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 5%CPEs: 11EXPL: 1CVE-2017-5456 – Mozilla: Sandbox escape allowing local file system read access (MFSA 2017-12)
https://notcve.org/view.php?id=CVE-2017-5456
A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. Mecanismo para omitir las protecciones de acceso al sistema de archivos en el sandbox mediante el constructor de peticiones al sistema de archivos mediante un mensaje IPC. Esto permite acceso de lectura y escritura al sistema de archivos local. • http://www.securityfocus.com/bid/97940 http://www.securitytracker.com/id/1038320 https://access.redhat.com/errata/RHSA-2017:1106 https://bugzilla.mozilla.org/show_bug.cgi?id=1344415 https://www.mozilla.org/security/advisories/mfsa2017-10 https://www.mozilla.org/security/advisories/mfsa2017-12 https://access.redhat.com/security/cve/CVE-2017-5456 https://bugzilla.redhat.com/show_bug.cgi?id=1443297 • CWE-732: Incorrect Permission Assignment for Critical Resource •