CVSS: 7.5EPSS: 93%CPEs: 2EXPL: 2CVE-2014-8636 – Firefox Proxy Prototype Privileged Javascript Injection
https://notcve.org/view.php?id=CVE-2014-8636
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors. La implementación XrayWrapper en Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 no interactua correctamente con un objeto DOM que tiene nombrado un getter nombrado, lo que podría permitir a atacantes remotos ejecutar código JavaScript arbitrario con privilegios chrome a través de vectores no especificados. • https://www.exploit-db.com/exploits/36480 http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://packetstormsecurity.com/files/130972/Firefox-Proxy-Prototype-Privileged-Javascript-Injection.h • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 26%CPEs: 2EXPL: 0CVE-2014-8635
https://notcve.org/view.php?id=CVE-2014-8635
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Múltiples vulnerabilidades no especificadas en el motor del navegador de Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 permite a atacantes remotos causar una denegación de servicio (corrupción de memoria y caida de la aplicación) o la posibilidad de ejecutar código arbitrario a través de vectores no conocidos • http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html http://secunia.com/advisories/62242 http://secunia.com/advisories/62250 http://secunia.com/advisories/62253 http://secunia.com/advisories/62316 http://secunia.com/advisories/62418 http://secunia.com/advi •
CVSS: 5.0EPSS: 4%CPEs: 4EXPL: 0CVE-2014-8640
https://notcve.org/view.php?id=CVE-2014-8640
The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls. La función mozilla::dom::AudioParamTimeline::AudioNodeInputValue en la implementación de API Web Audio en Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 no restringe correctamente las operaciones de líneas de tiempos, lo que permite a atacantes remotos causar una denegación de servicio (lectura de memoria no inicializada y caída de la aplicación) via crafted API calls. • http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://secunia.com/advisories/62242 http://secunia.com/advisories/62250 http://secunia.com/advisories/62418 http://secunia.com • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2014-8643
https://notcve.org/view.php?id=CVE-2014-8643
Mozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection mechanism by leveraging access to the GMP process, as demonstrated by the OpenH264 plugin's process. Mozilla Firefox anterior a 35.0 en Windows permite a atacantes remotos evadir el mecanismo de protección sandbox del Gecko Media Plugin (GMP) mediante el aprovechamiento del acceso al proceso GMP, tal y como fue demostrado por el proceso del plugin OpenH264. • http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://secunia.com/advisories/62253 http://secunia.com/advisories/62446 http://www.mozilla.org/security/announce/2014/mfsa2015-07.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/72043 http://www.securitytracker.com/id/1031533 https://bugzilla.mozilla.org/show_bug.cgi?id=1117140&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2014-8642
https://notcve.org/view.php?id=CVE-2014-8642
Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during a session in which there was an incorrect decision to accept a compromised and revoked certificate. Mozilla Firefox anterior a 35.0 y SeaMonkey anterior a 2.32 no consideran la extensión id-pkix-ocsp-nocheck cuando deciden si confían de un contestador OCSP, lo que facilita a atacantes remotos obtener información sensible mediante la lectura de la red durante una sesión en la cual hubo una decisión incorrecta para aceptar un certificado comprometido y revocado. • http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html http://secunia.com/advisories/62242 http://secunia.com/advisories/62250 http://secunia.com/advisories/62253 http://secunia.com/advisories/62316 http://secunia.com/advisories/62418 http://secunia.com/advisories/62446 http://secunia.com/advisories/62790 http://www.mozilla.org/security/announce/2014/mfsa2015-08.html http://www.oracle.com • CWE-310: Cryptographic Issues •