CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 0CVE-2017-5390 – Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
https://notcve.org/view.php?id=CVE-2017-5390
The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. El visor JSON en Developer Tools emplea métodos inseguros para crear un canal de comunicación para copiar y visualizar datos de cabeceras HTTP o JSON, lo que permite un potencial escalado de privilegios. La vulnerabilidad afecta a Thunderbird en versiones anteriores a la 45.7, Firefox ESR en versiones anteriores a la 45.7 y Firefox en versiones anteriores a la 51. • http://rhn.redhat.com/errata/RHSA-2017-0190.html http://rhn.redhat.com/errata/RHSA-2017-0238.html http://www.securityfocus.com/bid/95769 http://www.securitytracker.com/id/1037693 https://bugzilla.mozilla.org/show_bug.cgi?id=1297361 https://security.gentoo.org/glsa/201702-13 https://security.gentoo.org/glsa/201702-22 https://www.debian.org/security/2017/dsa-3771 https://www.debian.org/security/2017/dsa-3832 https://www.mozilla.org/security/advisories/mfsa2017-01 http •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 0CVE-2017-5380 – Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
https://notcve.org/view.php?id=CVE-2017-5380
A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Se ha encontrado un potencial uso de memoria previamente liberada mediante fuzzing durante la manipulación DOM del contenido SVG. La vulnerabilidad afecta a Thunderbird en versiones anteriores a la 45.7, Firefox ESR en versiones anteriores a la 45.7 y Firefox en versiones anteriores a la 51. • http://rhn.redhat.com/errata/RHSA-2017-0190.html http://rhn.redhat.com/errata/RHSA-2017-0238.html http://www.securityfocus.com/bid/95769 http://www.securitytracker.com/id/1037693 https://bugzilla.mozilla.org/show_bug.cgi?id=1322107 https://security.gentoo.org/glsa/201702-13 https://security.gentoo.org/glsa/201702-22 https://www.debian.org/security/2017/dsa-3771 https://www.debian.org/security/2017/dsa-3832 https://www.mozilla.org/security/advisories/mfsa2017-01 http • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 1CVE-2016-9902 – Mozilla: Pocket extension does not validate the origin of events (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9902
The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1. El botón de la barra de herramientas Pocket, una vez se activa, escucha eventos lanzados desde sus propias páginas, pero no verifica el origen de los eventos entrantes. • http://rhn.redhat.com/errata/RHSA-2016-2946.html http://rhn.redhat.com/errata/RHSA-2016-2973.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1320039 https://security.gentoo.org/glsa/201701-15 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://access.redhat.com/security/cve/CVE-2016-9902 https://bugzilla.redhat.com/show_bu • CWE-346: Origin Validation Error •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9903
https://notcve.org/view.php?id=CVE-2016-9903
Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context. This vulnerability affects Firefox < 50.1. El SDK de add-ons de Mozilla tenía un recurso accesible globalmente con una vulnerabilidad de inyección HTML. Si una vulnerabilidad adicional permite que este recurso se cargue como documento, podría permitir la adición de contenido y scripts en el contexto de un add-on. • http://www.securityfocus.com/bid/94883 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1315435 https://www.mozilla.org/security/advisories/mfsa2016-94 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2016-9898 – Mozilla: Use-after-free in Editor while manipulating DOM subtrees (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9898
Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Uso de memoria previamente liberada que resulta en un cierre inesperado potencialmente explotable al manipular subárboles DOM en el Editor. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a la 45.6. • http://rhn.redhat.com/errata/RHSA-2016-2946.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1314442 https://security.gentoo.org/glsa/201701-15 https://www.debian.org/security/2017/dsa-3757 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://www.mozilla.org/security/advisories/mfsa2016-96 https://access.redhat.com/security/cve&#x • CWE-416: Use After Free •