CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15654 – Mozilla: Custom cursor can overlay user interface
https://notcve.org/view.php?id=CVE-2020-15654
30 Jul 2020 — When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. Cuando en un bucle infinito, un sitio web que especifica un cursor personalizado usando CSS podría hacer que parezca que el usuario e... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00025.html • CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15653 – Mozilla: Bypassing iframe sandbox when allowing popups
https://notcve.org/view.php?id=CVE-2020-15653
30 Jul 2020 — An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. Un elemento del sandbox de iframe con el flag allow-popups podría ser omitida cuando se usan enlaces noopener. Esto podría haber conllevado a problemas de seguridad para los sitios web que depe... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00025.html • CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-15652 – Mozilla: Potential leak of redirect targets when loading scripts in a worker
https://notcve.org/view.php?id=CVE-2020-15652
28 Jul 2020 — By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. Al observar el seguimiento de la pila de errores de JavaScript en los trabajadores web, fue posible filtrar el resultado de un redireccionamiento de origen cruzado. Esto se aplica solo al contenid... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00022.html • CWE-209: Generation of Error Message Containing Sensitive Information CWE-346: Origin Validation Error •
CVSS: 9.3EPSS: 1%CPEs: 10EXPL: 0CVE-2020-15659 – Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
https://notcve.org/view.php?id=CVE-2020-15659
28 Jul 2020 — Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR 78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. Los desarrolladores de Mozilla y los miembros de la comunidad informaron bugs de seguridad de la memoria presentes... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00022.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12414
https://notcve.org/view.php?id=CVE-2020-12414
09 Jul 2020 — IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. This vulnerability affects Firefox for iOS < 27. IndexedDB debe ser borrada cuando sale del modo de navegación privada y no es así, la API para WKWebViewConfiguration se estaba usando incorrectamente y requiere que la instancia privada de este objeto sea eliminada al abandonar el modo... • https://bugzilla.mozilla.org/show_bug.cgi?id=1646756 • CWE-459: Incomplete Cleanup •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12412
https://notcve.org/view.php?id=CVE-2020-12412
09 Jul 2020 — By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. This vulnerability affects Firefox < 70. Al navegar en una pestaña usando la API history, un atacante podría causar que la barra de direcciones muestre el dominio incorrecto (con el esquema https://, un número de puerto bloqueado como "1" y sin un ícono de bloqueo) mientra... • https://bugzilla.mozilla.org/show_bug.cgi?id=1528587 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12404
https://notcve.org/view.php?id=CVE-2020-12404
09 Jul 2020 — For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26. Para el puente native-to-JS, la aplicación requiere que sea pasado un token único que garantice que un código que no sea de la aplicación no pueda llamar a las funciones de puente. Ese token podría filtrarse cuando sea usado para descargar archivos. • https://bugzilla.mozilla.org/show_bug.cgi?id=1631739 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-12416 – Gentoo Linux Security Advisory 202007-10
https://notcve.org/view.php?id=CVE-2020-12416
09 Jul 2020 — A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78. Un VideoStreamEncoder puede haberse liberado en una condición de carrera con la función VideoBroadcaster::AddOrUpdateSink, resultando en un uso de la memoria previamente liberada, una corrupción de la memoria y un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firef... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-12422 – Mozilla: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
https://notcve.org/view.php?id=CVE-2020-12422
09 Jul 2020 — In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78. En configuraciones no estándar, una imagen JPEG creada por JavaScript podría haber causado un desbordamiento de una variable interna, resultando en una escritura fuera de límites, corrupción de la memoria y un bloqueo explotable potencialmente. Esta vulnerabi... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.html • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-12423
https://notcve.org/view.php?id=CVE-2020-12423
09 Jul 2020 — When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating systems are unaffected.* This vulnerability affects Firefox < 78. Cuando la DLL "webauthn.dll" de Windows estaba faltando desde el Sistema Operativo y se colocaba una maliciosa en una carpeta en la %PATH% de usuario, Firefox ... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.html • CWE-427: Uncontrolled Search Path Element •