CVE-2019-9818
https://notcve.org/view.php?id=CVE-2019-9818
This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. ... Este problema puede conllevar a un uso de la memoria previamente liberada en el proceso principal, lo que resulta en un bloqueo explotable potencialmente y un escape del sandbox. * Nota: esta vulnerabilidad solo afecta a Windows. • https://bugzilla.mozilla.org/show_bug.cgi?id=1542581 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVE-2019-9811 – Mozilla Firefox Language Pack XUL Injection Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9811
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. ... Como parte de una entrada Pwn2Own ganadora, un investigador demostró un escape del sandbox mediante la instalación de un paquete de idioma malicioso y luego abriendo una funcionalidad del navegador que usaba la traducción comprometida. ... This vulnerability allows remote attackers to escape the sandbox on affected installations of Mozilla Firefox. ... An attacker can leverage this vulnerability to escape the sandbox and execute code at medium integrity. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1538007 https://bugzilla.mozilla.org/show_bug.cgi?id=1539598 https://bugzilla.mozil • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVE-2019-11708 – Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-11708
con el mensaje IPC de Prompt:Open, entre procesos hijo y padre puede resultar que el proceso padre fuera del Sandbox abra el contenido web elegido por un proceso hijo comprometido. ... Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution. • https://www.exploit-db.com/exploits/47752 https://github.com/0vercl0k/CVE-2019-11708 http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html https://bugzilla.mozilla.org/show_bug.cgi?id=1559858 https://security.gentoo.org/glsa/201908-12 https://www.mozilla.org/security/advisories/mfsa2019-19 https://www.mozilla.org/security/advisories/mfsa2019-20 https://access.redhat.com/security/cve/CVE-2019-11708 https://bugzilla.redhat.com/show_bug.cgi?id=1 • CWE-20: Improper Input Validation CWE-270: Privilege Context Switching Error •
CVE-2019-1727 – Cisco NX-OS Software Python Parser Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1727
A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and issue arbitrary commands to elevate the attacker's privilege level. The vulnerability is due to insufficient sanitization of user-supplied parameters that are passed to certain Python functions in the scripting sandbox of the affected device. An attacker could exploit this vulnerability to escape the scripting sandbox and execute arbitrary commands to elevate the attacker's privilege level. • http://www.securityfocus.com/bid/108341 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-pyth-escal • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-264: Permissions, Privileges, and Access Controls •
CVE-2019-0938 – Microsoft Edge DownloadOperation Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-0938
An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka 'Microsoft Edge Elevation of Privilege Vulnerability'. Hay una vulnerabilidad de elevación de privilegios en Microsoft Edge que podría permitir a un atacante escapar de AppContainer sandbox en el navegador, también conocida como "vulnerabilidad de elevación de privilegios de Microsoft Edge". ... An attacker can leverage this vulnerability to escalate privileges and escape the Microsoft Edge sandbox. • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0938 •