CVE-2015-7195
https://notcve.org/view.php?id=CVE-2015-7195
The URL parsing implementation in Mozilla Firefox before 42.0 improperly recognizes escaped characters in hostnames within Location headers, which allows remote attackers to obtain sensitive information via vectors involving a redirect. La implementación del análisis gramatical URL en Mozilla Firefox en versiones anteriores a 42.0 reconoce caracteres de escape indebidamente en los nombres de host dentro de las cabeceras Location, lo que permite a atacantes remotos obtener información sensible a través de vectores involucrando una redirección. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://www.mozilla.org/security/announce/2015/mfsa2015-129.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1211871 https://security.gentoo.org/glsa/201512-10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-7200 – Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
https://notcve.org/view.php?id=CVE-2015-7200
The CryptoKey interface implementation in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lacks status checking, which allows attackers to have an unspecified impact via vectors related to a cryptographic key. La implementación de la interfaz CryptoKey en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 carece de comprobación de estado, lo que permite a atacantes tener un impacto no especificado a través de vectores relacionados con una clave criptográfica. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-17: DEPRECATED: Code •
CVE-2015-7199 – Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
https://notcve.org/view.php?id=CVE-2015-7199
The (1) AddWeightedPathSegLists and (2) SVGPathSegListSMILType::Interpolate functions in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lack status checking, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted SVG document. Las funciones (1) AddWeightedPathSegLists y (2) SVGPathSegListSMILType::Interpolate en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 carecen de comprobación de estado, lo que permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria) o posiblemente tener otro impacto no especificado a través de un documento SVG manipulado. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-4515
https://notcve.org/view.php?id=CVE-2015-4515
Mozilla Firefox before 42.0, when NTLM v1 is enabled for HTTP authentication, allows remote attackers to obtain sensitive hostname information by constructing a crafted web site that sends an NTLM request and reads the Workstation field of an NTLM type 3 message. Mozilla Firefox en versiones anteriores a 42.0, cuando NTLM v1 está habilitado para autenticación HTTP, permite a atacantes remotos obtener información sensible del hostname mediante la construcción de un sitio web manipulado que envía una petición NTLM y lee el campo Workstation de un mensaje NTLM tipo 3. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://www.mozilla.org/security/announce/2015/mfsa2015-117.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1046421 https://security.gentoo.org/glsa/201512-10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-7187
https://notcve.org/view.php?id=CVE-2015-7187
The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaScript code that is executed within a third-party extension. El Add-on SDK en Mozilla Firefox en versiones anteriores a 42.0 malinterpreta un 'script: false' en la configuración del panel, lo que hace que sea más fácil para atacantes remotos realizar ataques de cross-site scripting (XSS) a través de código JavaScript inline que se ejecuta dentro de una extensión de terceros. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://www.mozilla.org/security/announce/2015/mfsa2015-121.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034069 http://www.ubuntu.com/usn/USN-2785-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1195735 https://security.gentoo.org/glsa/201512-10 • CWE-254: 7PK - Security Features •