CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0CVE-2015-7188 – Mozilla: Trailing whitespace in IP address hostnames can bypass same-origin policy (MFSA 2015-122)
https://notcve.org/view.php?id=CVE-2015-7188
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appending whitespace characters to an IP address string. Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 permite a atacantes remotos eludir la Same Origin Policy para un origen dirección IP y realizar ataques de cross-site scripting (XSS), añadiendo caracteres de espacio en blanco a una cadena de dirección IP. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-254: 7PK - Security Features •
CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2015-7197 – Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)
https://notcve.org/view.php?id=CVE-2015-7197
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code. Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 controla indebidamente la capacidad de un web worker para crear un objeto WebSocket, lo que permite a atacantes remotos eludir las restricciones destinadas al contenido mixto a través de código JavaScript manipulado. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 6%CPEs: 9EXPL: 0CVE-2015-4513 – Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116)
https://notcve.org/view.php?id=CVE-2015-4513
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Múltiples vulnerabilidades no especificadas en el motor de navegación en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 permiten a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de la aplicación) o posiblemente ejecutar código arbitrario a través de vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 7%CPEs: 9EXPL: 0CVE-2015-7198 – Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
https://notcve.org/view.php?id=CVE-2015-7198
Buffer overflow in the rx::TextureStorage11 class in ANGLE, as used in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted texture data. Desbordamiento de buffer en la clase rx::TextureStorage11 en ANGLE, como se utiliza en Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4, permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria) o posiblemente tener otro impacto no especificado a través de datos texture manipulados. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 2%CPEs: 9EXPL: 0CVE-2015-7193 – Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)
https://notcve.org/view.php?id=CVE-2015-7193
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation, which allows remote attackers to bypass the Same Origin Policy by leveraging the lack of a preflight-request step. Mozilla Firefox en versiones anteriores a 42.0 y Firefox ESR 38.x en versiones anteriores a 38.4 sigue el algoritmo de petición CORS cross-origin indebidamente para el método POST en situaciones que involucran una manipulación de la cabecera Content-Type no especificada, lo que permite a atacantes remotos eludir la Same Origin Policy mediante el aprovechamiento de la falta del paso preflight-request. • http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00037.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00049.html http • CWE-254: 7PK - Security Features •