CVSS: 7.5 | EPSS: 0% | CPEs: 16 | EXPL: 1

The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
• http://rhn.redhat.com/errata/RHSA-2016-2946.html http://rhn.redhat.com/errata/RHSA-2016-2973.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1320039 https://security.gentoo.org/glsa/201701-15 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://access.redhat.com/security/cve/CVE-2016-9902 https://bugzilla.redhat.com/show_bu
• CWE-346: Origin Validation Error

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

A buffer overflow in SkiaGl is caused when a GrGLBuffer is truncated during allocation. Later writers will overflow the buffer, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 50.1.
• http://www.securityfocus.com/bid/94883 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1306628 https://www.mozilla.org/security/advisories/mfsa2016-94
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 7.5 | EPSS: 95% | CPEs: 26 | EXPL: 6

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.
• https://www.exploit-db.com/exploits/42327 https://www.exploit-db.com/exploits/41151 https://github.com/dangokyo/CVE-2016-9079 https://github.com/LakshmiDesai/CVE-2016-9079 https://github.com/Tau-hub/Firefox-CVE-2016-9079 http://rhn.redhat.com/errata/RHSA-2016-2843.html http://rhn.redhat.com/errata/RHSA-2016-2850.html http://www.securityfocus.com/bid/94591 http://www.securitytracker.com/id/1037370 https://bugzilla.mozilla.org/show_bug.cgi?id=1321066 https://se
• CWE-416: Use After Free

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Content Security Policy combined with HTTP to HTTPS redirection can be used by a malicious server to verify whether a known site is within a user's browser history. This vulnerability affects Firefox < 50.
• http://www.securityfocus.com/bid/94337 http://www.securitytracker.com/id/1037298 https://bugzilla.mozilla.org/show_bug.cgi?id=1285003 https://www.mozilla.org/security/advisories/mfsa2016-89
• CWE-254: 7PK - Security Features

CVSS: 9.8 | EPSS: 1% | CPEs: 9 | EXPL: 0

An integer overflow occurs during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.
• http://www.securityfocus.com/bid/94337 http://www.securitytracker.com/id/1037298 http://www.securitytracker.com/id/1039427 https://bugzilla.mozilla.org/show_bug.cgi?id=1274777 https://www.debian.org/security/2017/dsa-3898 https://www.mozilla.org/security/advisories/mfsa2016-89
• CWE-190: Integer Overflow or Wraparound