CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26953 – Mozilla: Fullscreen could be enabled without displaying the security UI
https://notcve.org/view.php?id=CVE-2020-26953
28 Nov 2020 — It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. Fue posible causar que el navegador entre en modo de pantalla completa sin mostrar la interfaz de seguridad, lo que permite intentar un ataque de phishing o confundir de alguna manera al usuario. Esta vulnerabilidad afecta a Firefox versiones an... • https://bugzilla.mozilla.org/show_bug.cgi?id=1656741 • CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26968 – Mozilla: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
https://notcve.org/view.php?id=CVE-2020-26968
26 Nov 2020 — Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. Los desarrolladores de Mozilla reportaron bugs de seguridad de la memoria presentes en Firefox versión 82 y Firefox ESR versión 78.4. Algunos de estos bugs mostraron evidenc... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1551615%2C1607762%2C1656697%2C1657739%2C1660236%2C1667912%2C1671479%2C1671923 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26951 – Mozilla: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
https://notcve.org/view.php?id=CVE-2020-26951
26 Nov 2020 — A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. Un desajuste en el análisis y la carga de eventos en el código SVG de Firefox podría haber permitido a unos eventos de carga dispararse, incluso desp... • https://bugzilla.mozilla.org/show_bug.cgi?id=1667113 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-354: Improper Validation of Integrity Check Value •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26959 – Mozilla: Use-after-free in WebRequestService
https://notcve.org/view.php?id=CVE-2020-26959
26 Nov 2020 — During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. Durante el cierre del navegador, la disminución de la referencia podría haber ocurrido en un objeto previamente liberado, resultando en un uso de la memoria previamente liberada, una corrupción de la memoria y un bloqueo potencialmente explota... • https://bugzilla.mozilla.org/show_bug.cgi?id=1669466 • CWE-416: Use After Free •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2020-16012 – Mozilla: Variable time processing of cross-origin images during drawImage calls
https://notcve.org/view.php?id=CVE-2020-16012
18 Nov 2020 — Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Un filtrado de información de canal lateral en graphics en Google Chrome versiones anteriores a 87.0.4280.66, permitió a un atacante remoto filtrar datos de origen cruzado por medio de una página HTML diseñada • https://github.com/aleksejspopovs/cve-2020-16012 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26961 – Mozilla: DoH did not filter IPv4 mapped IP Addresses
https://notcve.org/view.php?id=CVE-2020-26961
18 Nov 2020 — When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. Cuando un DNS sobre HTTPS está en uso, intencionalmente filtra el RFC1918 y los rangos de IP relacionados con las respuest... • https://bugzilla.mozilla.org/show_bug.cgi?id=1672528 • CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26956 – Mozilla: XSS through paste (manual and clipboard API)
https://notcve.org/view.php?id=CVE-2020-26956
18 Nov 2020 — In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. En algunos casos, al eliminar unos elementos HTML durante el saneamiento mantendría los actuales manejadores de eventos SVG y, por lo tanto, conllevaría a un ataque de tipo XSS. Esta vulnerabilidad afecta a Firefox versiones anteriores a 83, Firefox ESR versiones anteriores a 78.5, y Thunderbird versio... • https://bugzilla.mozilla.org/show_bug.cgi?id=1666300 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26967 – Ubuntu Security Notice USN-4637-2
https://notcve.org/view.php?id=CVE-2020-26967
18 Nov 2020 — When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox < 83. Cuando se escuchan unos cambios de página con un Mutation Observer, una página web maliciosa podría confundir unas Screenshots de Firefox para interactuar con elementos distintos a los que inyec... • https://bugzilla.mozilla.org/show_bug.cgi?id=1665820 •
CVSS: 9.3EPSS: 86%CPEs: 3EXPL: 3CVE-2020-26950 – Mozilla: Write side effects in MCallGetProperty opcode not accounted for
https://notcve.org/view.php?id=CVE-2020-26950
11 Nov 2020 — In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2. En determinadas circunstancias, el opcode MCallGetProperty puede ser emitido con suposiciones no cumplidas, resultando en una condición de uso de la memoria previamente liberada explotable. Esta vulnerabilidad afecta a Firefox versiones anteriores a 82.0.3, Firefox ESR ver... • https://packetstorm.news/files/id/166175 • CWE-416: Use After Free •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15680
https://notcve.org/view.php?id=CVE-2020-15680
22 Oct 2020 — If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82. Si fue referenciado un manejador de protocolo externo válido en una etiqueta de imagen, el tamaño de imagen rota resultante podría distinguirse de un tamaño de imagen rota de un manejado... • https://bugzilla.mozilla.org/show_bug.cgi?id=1658881 •