CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5250 – Mozilla: Resource Timing API is storing resources sent by the previous page (MFSA 2016-84, MFSA 2016-86)
https://notcve.org/view.php?id=CVE-2016-5250
Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls. Mozilla Firefox en versiones anteriores a la 48.0, Firefox ESR en versiones anteriores a la 45.4 y Thunderbird en versiones anteriores a la 45.4 permiten que los atacantes remotos obtengan información sensible sombre la página previamente recuperada mediante llamadas a la API Resource Timing. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html http://rhn.redhat.com/errata/RHSA-2016-1912.html http://www.debian.org/security/2016/dsa-3674 http://www.mozilla.org/security/announce/2016/mfsa2016-84.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html http://www.securityfocus.com/bid/92260 http://www.securitytracker.com/id/1036508 http://www.ubuntu.c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5266
https://notcve.org/view.php?id=CVE-2016-5266
Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site. Mozilla Firefox en versiones anteriores a 48.0 no restringe adecuadamente acciones arrastrar y soltar (también conocido como dataTransfer) para file: URIs, lo que permite a atacantes remotos asistidos por usuario acceder a archivos locales a través de un sitio web manipulado. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html http://www.mozilla.org/security/announce/2016/mfsa2016-81.html http://www.securityfocus.com/bid/92260 http://www.securitytracker.com/id/1036508 http://www.ubuntu.com/usn/USN-3044-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1226977 https://security.gentoo.org/glsa/201701-15 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5251
https://notcve.org/view.php?id=CVE-2016-5251
Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar via crafted characters in the media type of a data: URL. Mozilla Firefox en versiones anteriores a 48.0 permite a atacantes remotos suplantar la barra de direcciones a través de caracteres manipulados en el formato de un data: URL. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html http://www.mozilla.org/security/announce/2016/mfsa2016-66.html http://www.securityfocus.com/bid/92260 http://www.securitytracker.com/id/1036508 http://www.ubuntu.com/usn/USN-3044-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1255570 https://security.gentoo.org/glsa/201701-15 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5268
https://notcve.org/view.php?id=CVE-2016-5268
Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to conduct spoofing attacks via a crafted URL, as demonstrated by misleading text after an about:neterror?d= substring. Mozilla Firefox en versiones anteriores a 48.0 no fija adecuadamente los indicadores LINKABLE y URI_SAFE_FOR_UNTRUSTED_CONTENT de about: URLs que se usan para páginas de error, lo que facilita a atacantes remotos llevar a cabo ataques de suplantación a través de una URL manipuladas, según lo demostrado induciendo a error texto después de un about:neterror?d= substring. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html http://www.mozilla.org/security/announce/2016/mfsa2016-83.html http://www.securityfocus.com/bid/92260 http://www.securitytracker.com/id/1036508 http://www.ubuntu.com/usn/USN-3044-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1253673 https://security.gentoo.org/glsa/201701-15 • CWE-254: 7PK - Security Features •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2016-5261 – Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)
https://notcve.org/view.php?id=CVE-2016-5261
Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering. Desbordamiento de enteros en la clase WebSocketChannel en el subsistema WebSockets en Mozilla Firefox en versiones anteriores a la 48.0 y Firefox ESR en versiones anteriores a la 45.4 permite que los atacantes remotos ejecuten código arbitrario o provoquen una denegación de servicio (corrupción de memoria) mediante paquetes manipulados que desencadenan operaciones de redimensionamiento de búfer incorrectas durante el "buffering". • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html http://rhn.redhat.com/errata/RHSA-2016-1912.html http://www.debian.org/security/2016/dsa-3674 http://www.mozilla.org/security/announce/2016/mfsa2016-75.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html http://www.securityfocus.com/bid/92260 http://www.securitytracker.com/id/1036508 http://www.ubuntu.c • CWE-190: Integer Overflow or Wraparound •