Page 2 of 647 results (0.019 seconds)

CVSS: 7.5EPSS: 93%CPEs: 2EXPL: 1

CVE-2014-8636 – Mozilla Firefox - Proxy Prototype Privileged JavaScript Injection

https://notcve.org/view.php?id=CVE-2014-8636

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors. La implementación XrayWrapper en Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 no interactua correctamente con un objeto DOM que tiene nombrado un getter nombrado, lo que podría permitir a atacantes remotos ejecutar código JavaScript arbitrario con privilegios chrome a través de vectores no especificados. • https://www.exploit-db.com/exploits/36480 http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://packetstormsecurity.com/files/130972/Firefox-Proxy-Prototype-Privileged-Javascript-Injection.h • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.0EPSS: 4%CPEs: 4EXPL: 0

CVE-2014-8640

https://notcve.org/view.php?id=CVE-2014-8640

The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls. La función mozilla::dom::AudioParamTimeline::AudioNodeInputValue en la implementación de API Web Audio en Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 no restringe correctamente las operaciones de líneas de tiempos, lo que permite a atacantes remotos causar una denegación de servicio (lectura de memoria no inicializada y caída de la aplicación) via crafted API calls. • http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://secunia.com/advisories/62242 http://secunia.com/advisories/62250 http://secunia.com/advisories/62418 http://secunia.com • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2014-8642

https://notcve.org/view.php?id=CVE-2014-8642

Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during a session in which there was an incorrect decision to accept a compromised and revoked certificate. Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 no consideran la extensión id-pkix-ocsp-nocheck cuando deciden si confían de un contestador OCSP, lo que facilita a atacantes remotos obtener información sensible mediante la lectura de la red durante una sesión en la cual hubo una decisión incorrecta para aceptar un certificado comprometido y revocado. • http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://secunia.com/advisories/62242 http://secunia.com/advisories/62250 http://secunia.com/advisories/62253 http://secunia.com/advisories/62316 http://secunia.com/advisories/62418 http://secunia.com/advisories/62446 http://secunia.com/advisories/62790 http://www.mozilla.org/security/announce/2014/mfsa2015-08.html http://www.oracle.com • CWE-310: Cryptographic Issues •

CVSS: 7.5EPSS: 9%CPEs: 7EXPL: 0

CVE-2014-8641 – Mozilla: Read-after-free in WebRTC (MFSA 2015-06)

https://notcve.org/view.php?id=CVE-2014-8641

Use-after-free vulnerability in the WebRTC implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, and SeaMonkey before 2.32 allows remote attackers to execute arbitrary code via crafted track data. Vulnerabilidad de uso después de liberación en la implementación WebRTC en Mozilla Firefox anterior a 35.0, Firefox ESR 31.x anterior a 31.4, y SeaMonkey anterior a 2.32 permite a atacantes remotos ejecutar código arbitrario a través de datos track manipulados. • http://linux.oracle.com/errata/ELSA-2015-0046.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://rhn.redhat.com/errata/RHSA-2015-0046.html http://secunia.com/ad • CWE-416: Use After Free •

CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0

CVE-2014-8638 – Mozilla: sendBeacon requests lack an Origin header (MFSA 2015-03)

https://notcve.org/view.php?id=CVE-2014-8638

The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site. La implementación navigator.sendBeacon en Mozilla Firefox anterior a 35.0, Firefox ESR 31.x anterior a 31.4, Thunderbird anterior a 31.4, y SeaMonkey anterior a 2.32 omite la cabecera CORS Origin, lo que permite a atacantes remotos evadir las comprobaciones del control de acceso a CORS y realizar ataques de CSRF a través de un sitio web manipulado. • http://linux.oracle.com/errata/ELSA-2015-0046.html http://linux.oracle.com/errata/ELSA-2015-0047.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://lists.opensuse • CWE-352: Cross-Site Request Forgery (CSRF) •