CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11736
https://notcve.org/view.php?id=CVE-2019-11736
27 Sep 2019 — The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access. Additionally, there was a race condition during checks for junctions and symbolic links by the Maintenance Service, allowing for potential local file and directory manipulation to be undetected in some circumstances. This allows for potential privilege escalation ... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11751
https://notcve.org/view.php?id=CVE-2019-11751
27 Sep 2019 — Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder.
*Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Los parámetros de línea de comando relacionados con el Inicio de Sesión no son saneados apro... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11753
https://notcve.org/view.php?id=CVE-2019-11753
27 Sep 2019 — The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11754 – Ubuntu Security Notice USN-4140-1
https://notcve.org/view.php?id=CVE-2019-11754
26 Sep 2019 — When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1. Cuando el bloqueo del puntero es habilitado por un sitio web por medio de la función requestPointerLock(), no se entrega ninguna notificación al usuario. Esto podría permitir que un sitio web malicioso secuestrara el puntero del mouse y confundiera a los usuarios. • https://bugzilla.mozilla.org/show_bug.cgi?id=1580506 •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11742 – Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
https://notcve.org/view.php?id=CVE-2019-11742
04 Sep 2019 — A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. Se presenta una violación de la política del mismo origen, que permite el robo de imágenes d... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11741 – Ubuntu Security Notice USN-4122-1
https://notcve.org/view.php?id=CVE-2019-11741
04 Sep 2019 — A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process. This v... • https://bugzilla.mozilla.org/show_bug.cgi?id=1539595 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11749 – Mozilla: Camera information available without prompting using getUserMedia
https://notcve.org/view.php?id=CVE-2019-11749
04 Sep 2019 — A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Se presenta una vulnerabilidad en WebRTC donde el contenido web malicioso puede utilizar técnicas de sondeo en la API getUserMedia usando restricciones para rev... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9812 – Mozilla Firefox sync Universal Cross-Site Scripting Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9812
04 Sep 2019 — Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. Dado un proceso de contenido ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1538008 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11734 – Ubuntu Security Notice USN-4122-1
https://notcve.org/view.php?id=CVE-2019-11734
04 Sep 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de la memoria presentes en Firefox versión 68. Algunos de estos errores mostraron evidencia de corrupción de la memoria y presumimos... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11750 – Mozilla: Type confusion in Spidermonkey
https://notcve.org/view.php?id=CVE-2019-11750
04 Sep 2019 — A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Se presenta una vulnerabilidad de confusión de tipos en Spidermonkey, lo que resulta en un bloqueo no explotable. Esta vulnerabilidad afecta a Firefox versiones anteriores a 69 y Firefox ESR versiones anteriores a 68.1. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-908: Use of Uninitialized Resource •