CVSS: 7.5EPSS: 6%CPEs: 9EXPL: 0CVE-2015-7199 – Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
https://notcve.org/view.php?id=CVE-2015-7199
The (1) AddWeightedPathSegLists and (2) SVGPathSegListSMILType::Interpolate functions in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lack status checking, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted SVG document. Las funciones (1) AddWeightedPathSegLists y (2) SVGPathSegListSMILType::Interpolate en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 carecen de comprobación de estado, lo que permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria) o posiblemente tener otro impacto no especificado a través de un documento SVG manipulado. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4515
https://notcve.org/view.php?id=CVE-2015-4515
Mozilla Firefox before 42.0, when NTLM v1 is enabled for HTTP authentication, allows remote attackers to obtain sensitive hostname information by constructing a crafted web site that sends an NTLM request and reads the Workstation field of an NTLM type 3 message. Mozilla Firefox en versiones anteriores a 42.0, cuando NTLM v1 está habilitado para autenticación HTTP, permite a atacantes remotos obtener información sensible del hostname mediante la construcción de un sitio web manipulado que envía una petición NTLM y lee el campo Workstation de un mensaje NTLM tipo 3. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://www.mozilla.org/security/announce/2015/mfsa2015-117.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1046421 https://security.gentoo.org/glsa/201512-10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7187
https://notcve.org/view.php?id=CVE-2015-7187
The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaScript code that is executed within a third-party extension. El Add-on SDK en Mozilla Firefox en versiones anteriores a 42.0 malinterpreta un 'script: false' en la configuración del panel, lo que hace que sea más fácil para atacantes remotos realizar ataques de cross-site scripting (XSS) a través de código JavaScript inline que se ejecuta dentro de una extensión de terceros. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://www.mozilla.org/security/announce/2015/mfsa2015-121.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1195735 https://security.gentoo.org/glsa/201512-10 • CWE-254: 7PK - Security Features •
CVSS: 7.5EPSS: 6%CPEs: 9EXPL: 0CVE-2015-4514
https://notcve.org/view.php?id=CVE-2015-4514
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 42.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Múltiples vulnerabilidades no especificadas en el motor de navegación en Mozilla Firefox en versiones anteriores a 42.0 permiten a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de la aplicación) o posiblemente ejecutar código arbitrario a través de vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http://www.mozilla.org/security/announce/2015/mfsa2015-116.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/77411 http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla. • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4518
https://notcve.org/view.php?id=CVE-2015-4518
The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL. La implementación Reader View en Mozilla Firefox en versiones anteriores a 42.0 tiene una lista blanca inadecuada, lo que hace que sea más fácil para atacantes remotos eludir el mecanismo de protección Content Security Policy (CSP) y realizar ataques cross-site scripting (XSS) a través de vectores involucrados con animaciones SVG y la URL about:reader. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://www.mozilla.org/security/announce/2015/mfsa2015-118.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1136692 https://bugzilla.mozilla.org/show_bug.cgi?id=1182778 https://security.gentoo.org/glsa/201512-10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •