CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11712 – Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
https://notcve.org/view.php?id=CVE-2019-11712
11 Jul 2019 — POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Las peticiones POST realizadas por complementos de NPAPI, tal y como Flash, que reciben una respuesta de redireccionamiento del estado 308 pueden pasar por alto los requerimientos de CORS. Esto puede permitir a un atacan... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-352: Cross-Site Request Forgery (CSRF) CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11711 – Mozilla: Script injection within domain through inner window reuse
https://notcve.org/view.php?id=CVE-2019-11711
11 Jul 2019 — When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Cuando se reutiliza una ventana interior, no se considera el uso de docume... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2019-11709 – Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
https://notcve.org/view.php?id=CVE-2019-11709
11 Jul 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de memoria presentes en Firefox versión 67 y Firefox ESR versión 60... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 8.3EPSS: 2%CPEs: 7EXPL: 2CVE-2019-9811 – Mozilla Firefox Language Pack XUL Injection Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9811
10 Jul 2019 — As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Como parte de una entrada Pwn2Own ganadora, un investigador demostró un escape del sandbox mediante la instalación de un paquete de idioma malicioso y luego abriendo una funcionalidad del navegador que usaba la traducción comprometida... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 4CVE-2019-11708 – Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-11708
24 Jun 2019 — Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. Una revisión insuficiente de los parámetros pasados ??con el mensaje IPC de Prompt:Open... • https://packetstorm.news/files/id/165816 • CWE-20: Improper Input Validation CWE-270: Privilege Context Switching Error •
CVSS: 8.8EPSS: 68%CPEs: 3EXPL: 6CVE-2019-11707 – Mozilla Firefox and Thunderbird Type Confusion Vulnerability
https://notcve.org/view.php?id=CVE-2019-11707
19 Jun 2019 — A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. Se puede producir una vulnerabilidad de tipo confusión cuando se manipulan objetos de JavaScript debido a problemas en Array.pop. • https://packetstorm.news/files/id/165816 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 2CVE-2019-11706 – Thunderbird ESR < 60.7.XXX - Type Confusion
https://notcve.org/view.php?id=CVE-2019-11706
13 Jun 2019 — A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1. Una fallo en la implementación de iCal en Thunderbird causa una confusión de tipo en icaltimezone_get_vtimezone_properties cuando se procesan ciertos mensajes de correo electrónico, lo que resulta un fallo. Esta vulnerabilidad afecta a Thunderbird anterior a la versión 60.7.1. Mozilla Thu... • https://packetstorm.news/files/id/153287 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.8EPSS: 33%CPEs: 1EXPL: 2CVE-2019-11705 – Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow
https://notcve.org/view.php?id=CVE-2019-11705
13 Jun 2019 — A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. Una fallo en la implementación de iCunder por parte de Thunderbird provoca un desbordamiento del búfer de pila en icalrecur_add_bydayrules cuando se procesan ciertos mensajes de correo electrónico, lo que resulta en una fallo potencialmente explotable. Esta vulnerabilida... • https://packetstorm.news/files/id/153286 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 29%CPEs: 1EXPL: 3CVE-2019-11704 – Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow
https://notcve.org/view.php?id=CVE-2019-11704
13 Jun 2019 — A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. Un fallo en la implementación de iCunder por parte de Thunderbird provoca un desbordamiento del búfer de pila en icalmemory_strdup_and_dequote cuando se procesan ciertos mensajes de correo electrónico, lo que resulta un fallo potencialmente explotable. Esta vulnerabi... • https://packetstorm.news/files/id/153284 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 29%CPEs: 1EXPL: 3CVE-2019-11703 – Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow
https://notcve.org/view.php?id=CVE-2019-11703
13 Jun 2019 — A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. Una fallo en la implementación de iCunder en Thunderbird provoca un desbordamiento del búfer del montón en parser_get_next_char cuando se procesan ciertos mensajes de correo electrónico, lo que resulta en una fallo potencialmente explotable. Esta vulnerabilidad afecta a Thund... • https://packetstorm.news/files/id/153285 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •