CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11712 – Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
https://notcve.org/view.php?id=CVE-2019-11712
11 Jul 2019 — POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Las peticiones POST realizadas por complementos de NPAPI, tal y como Flash, que reciben una respuesta de redireccionamiento del estado 308 pueden pasar por alto los requerimientos de CORS. Esto puede permitir a un atacan... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-352: Cross-Site Request Forgery (CSRF) CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.8EPSS: 2%CPEs: 3EXPL: 0CVE-2019-11713 – Mozilla: Use-after-free with HTTP/2 cached stream
https://notcve.org/view.php?id=CVE-2019-11713
11 Jul 2019 — A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Puede ocurrir una vulnerabilidad de uso de la memoria previamente liberada en HTTP/2 cuando una transmisión HTTP/2 almacenada en caché se cierra cuando aún está en uso, lo que resulta en un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox ESR anteri... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-416: Use After Free •
CVSS: 6.1EPSS: 1%CPEs: 3EXPL: 0CVE-2019-11715 – Mozilla: HTML parsing error can contribute to content XSS
https://notcve.org/view.php?id=CVE-2019-11715
11 Jul 2019 — Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Debido a un error mientras se analiza el contenido de página, es posible que las entradas de los usuarios debidamente saneadas sean interpretadas inapropiadamente y conlleven a riesgos de tipo XSS peligrosos en los sitios web en determinadas circunst... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 5%CPEs: 7EXPL: 1CVE-2019-11717 – Mozilla: Caret character improperly escaped in origins
https://notcve.org/view.php?id=CVE-2019-11717
11 Jul 2019 — A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Se presenta una vulnerabilidad en la que el carácter de intercalación ("^") se escapa inapropiadamente al construir algunos URI debido a que se utiliza como separador, lo que permite la posible suplantación de atributos de origen. Esta v... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-116: Improper Encoding or Escaping of Output CWE-138: Improper Neutralization of Special Elements •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11719 – nss: Out-of-bounds read when importing curve25519 private key
https://notcve.org/view.php?id=CVE-2019-11719
11 Jul 2019 — When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Durante la importación de una clave privada de curve25519 en formato PKCS#8 con acarreo de 0x00 bytes, es posible activar una lectura fuera de límites en la biblioteca Network Security Services (NSS). Esto p... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11729 – nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
https://notcve.org/view.php?id=CVE-2019-11729
11 Jul 2019 — Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Las claves públicas de p256-ECDH vacías o malformadas pueden desencadenar un fallo de segmentación debido a que los valores son saneados inapropiadamente antes de copiarlos en la memoria y usarlos. Esta vulnerabilidad afecta a Firefox ESR anterior a versión 60.8, Firefox a... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.5EPSS: 34%CPEs: 8EXPL: 2CVE-2019-11730 – Mozilla: Same-origin policy treats all files in a directory as having the same-origin
https://notcve.org/view.php?id=CVE-2019-11730
11 Jul 2019 — A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that ap... • https://github.com/alidnf/CVE-2019-11730 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 8.3EPSS: 1%CPEs: 7EXPL: 2CVE-2019-9811 – Mozilla Firefox Language Pack XUL Injection Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9811
10 Jul 2019 — As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Como parte de una entrada Pwn2Own ganadora, un investigador demostró un escape del sandbox mediante la instalación de un paquete de idioma malicioso y luego abriendo una funcionalidad del navegador que usaba la traducción comprometida... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVSS: 10.0EPSS: 65%CPEs: 3EXPL: 4CVE-2019-11708 – Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-11708
24 Jun 2019 — Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. Una revisión insuficiente de los parámetros pasados ??con el mensaje IPC de Prompt:Open... • https://packetstorm.news/files/id/165816 • CWE-20: Improper Input Validation CWE-270: Privilege Context Switching Error •
CVSS: 8.8EPSS: 83%CPEs: 3EXPL: 6CVE-2019-11707 – Mozilla Firefox and Thunderbird Type Confusion Vulnerability
https://notcve.org/view.php?id=CVE-2019-11707
19 Jun 2019 — A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. Se puede producir una vulnerabilidad de tipo confusión cuando se manipulan objetos de JavaScript debido a problemas en Array.pop. • https://packetstorm.news/files/id/165816 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •