CVSS: 9.8 • EPSS: 1% • CPEs: 8 • EXPL: 0

14 Jan 2015 — Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server. • http://linux.oracle.com/errata/ELSA-2015-0046.html • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 9.1 • EPSS: 1% • CPEs: 7 • EXPL: 0

14 Jan 2015 — Use-after-free vulnerability in the WebRTC implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, and SeaMonkey before 2.32 allows remote attackers to execute arbitrary code via crafted track data. USN-2458-1 fixed vulnerabiliti... • http://linux.oracle.com/errata/ELSA-2015-0046.html • CWE-416: Use After Free

CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Dec 2014 — The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method. • http://www.mozilla.org/security/announce/2014/mfsa2014-91.html • CWE-284: Improper Access Control

CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Dec 2014 — The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after XrayWrapper removal. • http://www.mozilla.org/security/announce/2014/mfsa2014-91.html • CWE-284: Improper Access Control

CVSS: 6.1 • EPSS: 2% • CPEs: 28 • EXPL: 1

21 Nov 2012 — The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 6% • CPEs: 26 • EXPL: 0

21 Nov 2012 — Heap-based buffer overflow in the image::RasterImage::DrawFrameTo function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via a crafted GIF image. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html • CWE-787: Out-of-bounds Write

CVSS: 9.8 • EPSS: 3% • CPEs: 17 • EXPL: 1

21 Nov 2012 — The str_unescape function in the JavaScript engine in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 8.8 • EPSS: 0% • CPEs: 17 • EXPL: 0

21 Nov 2012 — Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 • EPSS: 1% • CPEs: 28 • EXPL: 1

21 Nov 2012 — The HZ-GB-2312 character-set implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 • EPSS: 0% • CPEs: 17 • EXPL: 0

21 Nov 2012 — The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site. • http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor