CVSS: 8.2EPSS: 2%CPEs: 144EXPL: 0CVE-2008-5012 – Mozilla Image stealing via canvas and HTTP redirect
https://notcve.org/view.php?id=CVE-2008-5012
13 Nov 2008 — Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon. Mozilla Firefox 2.x versiones anteriores a v2.0.0.18, Thun... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 55%CPEs: 91EXPL: 0CVE-2008-5013 – Mozilla Firefox Flash Player Dynamic Module Unloading Vulnerability
https://notcve.org/view.php?id=CVE-2008-5013
12 Nov 2008 — Mozilla Firefox 2.x before 2.0.0.18 and SeaMonkey 1.x before 1.1.13 do not properly check when the Flash module has been dynamically unloaded properly, which allows remote attackers to execute arbitrary code via a crafted SWF file that "dynamically unloads itself from an outside JavaScript function," which triggers an access of an expired memory address. Mozilla Firefox 2.x antes de 2.0.0.18 y SeaMonkey 1.x antes de 1.1.13 no comprueba correctamente cuando se ha descargado dinámicamente el módulo Flash, lo ... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 75%CPEs: 22EXPL: 0CVE-2008-5021 – Mozilla Firefox Input Box Type Property Dangling Pointer Vulnerability
https://notcve.org/view.php?id=CVE-2008-5021
12 Nov 2008 — nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory. nsFrameManager en Firefox v3.x antes de la v3.0.4, Firefox v2.x antes de la v2.0.0.18, Thunderbird 2.x antes de la v2.0.0.18, y SeaMo... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2008-4723
https://notcve.org/view.php?id=CVE-2008-4723
23 Oct 2008 — Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 3.0.1 through 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Mozilla Firefox v3.0.1 hasta v3.0.3 permiten a atacantes remotos inyectar web sc... • http://www.securityfocus.com/bid/31855 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 6%CPEs: 48EXPL: 1CVE-2008-4582 – Mozilla Firefox 3.0.3 - Internet Shortcut Same Origin Policy Violation
https://notcve.org/view.php?id=CVE-2008-4582
15 Oct 2008 — Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referen... • https://www.exploit-db.com/exploits/32466 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 10%CPEs: 2EXPL: 4CVE-2008-4324 – Mozilla Firefox 3.0.3 - User Interface Null Pointer Dereference Crash
https://notcve.org/view.php?id=CVE-2008-4324
29 Sep 2008 — The user interface event dispatcher in Mozilla Firefox 3.0.3 on Windows XP SP2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a series of keypress, click, onkeydown, onkeyup, onmousedown, and onmouseup events. NOTE: it was later reported that Firefox 3.0.2 on Mac OS X 10.5 is also affected. El despachador de eventos de la interfaz de usuario en Mozilla Firefox versión 3.0.3, en Windows XP SP2, permite a los atacantes remotos causar una denegación de... • https://www.exploit-db.com/exploits/6614 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 2%CPEs: 10EXPL: 2CVE-2008-4067 – resource: traversal vulnerability
https://notcve.org/view.php?id=CVE-2008-4067
24 Sep 2008 — Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 on Linux allows remote attackers to read arbitrary files via a .. (dot dot) and URL-encoded / (slash) characters in a resource: URI. Vulnerabilidad de salto de directorio en Firefox de Mozilla anterior a 2.0.0.17 y 3.x anterior a 3.0.2, Thunderbird anterior a 2.0.0.17 y SeaMonkey anterior a 1.1.12 en Linux permite a atacantes remotos leer archivos de su elección... • http://download.novell.com/Download?buildid=WZXONb-tqBw~ • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 94%CPEs: 9EXPL: 1CVE-2008-4065 – Mozilla BOM characters stripped from JavaScript before execution
https://notcve.org/view.php?id=CVE-2008-4065
24 Sep 2008 — Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug." Firefox de Mozilla antes de 2.0.0.17 y 3.x anterior a 3.0.2, Thunderbird anterior a 2.0.0.17 y SeaMonkey anterior a 1.1.12 permite a atacantes remotos evitar los mecan... • http://download.novell.com/Download?buildid=WZXONb-tqBw~ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 85%CPEs: 3EXPL: 2CVE-2008-4066 – Mozilla low surrogates stripped from JavaScript before execution
https://notcve.org/view.php?id=CVE-2008-4066
24 Sep 2008 — Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav�ascript" sequence, aka "HTML escaped low surrogates bug." Mozilla Firefox versión 2.0.0.14, y otras versiones anteriores a 2.0.0.17, permiten a los atacantes remotos omitir los mecanismos de protección de cross-site scripting (XSS) ... • http://blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 89%CPEs: 70EXPL: 1CVE-2008-0016 – Mozilla Firefox 2.0.0.16 - UTF-8 URL Remote Buffer Overflow
https://notcve.org/view.php?id=CVE-2008-0016
24 Sep 2008 — Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link. Desbordamiento de búfer basado en pila en la implementación de análisis URL de Firefox de Mozilla antes de 2.0.0.17 y SeaMonkey antes de 1.1.12 permite a atacantes remotos ejecutar código de su elección mediante un URL UTF-8 manipulado en un enlace. • https://www.exploit-db.com/exploits/9663 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •