CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11762 – Mozilla: document.domain-based origin isolation has same-origin-property violation
https://notcve.org/view.php?id=CVE-2019-11762
23 Oct 2019 — If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Si dos documentos del mismo origen configuran a document.domain de manera diferente para convertirse en origen cruzado, es posible llamar arbitrariamente a DOM methods/getters/setters en la ventana ahora de origen cruzado. Esta vulnerabili... • https://bugzilla.mozilla.org/show_bug.cgi?id=1582857 • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11761 – Mozilla: Unintended access to a privileged JSONView object
https://notcve.org/view.php?id=CVE-2019-11761
23 Oct 2019 — By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Mediante el uso de un formulario con un URI de datos, fue posible conseguir acceso al objeto JSONView privilegiado que había sido clonado en contenido. El impacto de exponer ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1561502 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-749: Exposed Dangerous Method or Function CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-11758 – Mozilla: Potentially exploitable crash due to 360 Total Security
https://notcve.org/view.php?id=CVE-2019-11758
23 Oct 2019 — Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.2, and Firefox ESR < 68.2. Philipp, miembro de la comunidad de Mozilla, reportó un bug de seguridad de la memoria presente en Firefox versión 68 cuando 360 Total Securi... • https://bugzilla.mozilla.org/show_bug.cgi?id=1536227 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 2%CPEs: 4EXPL: 0CVE-2019-11759 – Mozilla: Stack buffer overflow in HKDF output
https://notcve.org/view.php?id=CVE-2019-11759
23 Oct 2019 — An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Un atacante podría haber causado que 4 bytes de salida HMAC se escribieran más allá del final de un búfer almacenado en la pila. Esto podría ser usado por un atacante para ejecutar código arbitrario o, más probablemente, c... • https://bugzilla.mozilla.org/show_bug.cgi?id=1577953 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11760 – Mozilla: Stack buffer overflow in WebRTC networking
https://notcve.org/view.php?id=CVE-2019-11760
23 Oct 2019 — A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Un búfer de pila de tamaño fijo podría desbordarse en nrappkit cuando realiza la señalización de WebRTC. Esto resultó en un bloqueo explotable potencialmente en algunos casos. • https://bugzilla.mozilla.org/show_bug.cgi?id=1577719 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11763 – Mozilla: Incorrect HTML parsing results in XSS bypass technique
https://notcve.org/view.php?id=CVE-2019-11763
23 Oct 2019 — Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Si no se ma... • https://bugzilla.mozilla.org/show_bug.cgi?id=1584216 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 1CVE-2019-11764 – Mozilla: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
https://notcve.org/view.php?id=CVE-2019-11764
23 Oct 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de memoria presentes en Firefox versión 69 y Firefox ESR versión 68.1. A... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1558522%2C1577061%2C1548044%2C1571223%2C1573048%2C1578933%2C1575217%2C1583684%2C1586845%2C1581950%2C1583463%2C1586599 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11755 – Ubuntu Security Notice USN-4202-2
https://notcve.org/view.php?id=CVE-2019-11755
27 Sep 2019 — A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message. Previous versions had only suppressed showing a digital signature for messages with an outer multipart/signed layer. This vulnerability affects Thunderbird < 68.1.1. Un mensaje S/MIME diseñado que consta de un... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11739 – Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message
https://notcve.org/view.php?id=CVE-2019-11739
16 Sep 2019 — Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. Las partes S/ MIME cifradas en un mensaje multiparte y alternativo diseñado pueden perder texto plano cuando son incluidos en una respuesta y reenvío HTML. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 68.1 y Thunderbird versiones anteriores a 60.9. Multiple security issues have been found in Thun... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-319: Cleartext Transmission of Sensitive Information CWE-356: Product UI does not Warn User of Unsafe Actions •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11742 – Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
https://notcve.org/view.php?id=CVE-2019-11742
04 Sep 2019 — A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. Se presenta una violación de la política del mismo origen, que permite el robo de imágenes d... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •