CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9812 – Mozilla Firefox sync Universal Cross-Site Scripting Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9812
04 Sep 2019 — Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. Dado un proceso de contenido ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1538008 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11734 – Ubuntu Security Notice USN-4122-1
https://notcve.org/view.php?id=CVE-2019-11734
04 Sep 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de la memoria presentes en Firefox versión 68. Algunos de estos errores mostraron evidencia de corrupción de la memoria y presumimos... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11750 – Mozilla: Type confusion in Spidermonkey
https://notcve.org/view.php?id=CVE-2019-11750
04 Sep 2019 — A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Se presenta una vulnerabilidad de confusión de tipos en Spidermonkey, lo que resulta en un bloqueo no explotable. Esta vulnerabilidad afecta a Firefox versiones anteriores a 69 y Firefox ESR versiones anteriores a 68.1. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-908: Use of Uninitialized Resource •
CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 0CVE-2019-11746 – Mozilla: Use-after-free while manipulating video
https://notcve.org/view.php?id=CVE-2019-11746
04 Sep 2019 — A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. Se puede presentar una vulnerabilidad de uso de la memoria previamente liberada después de manipular elementos de video si el cuerpo es liberado mientras todavía se encuentra en uso. Esto resulta en un bloqueo potencialmen... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11747 – Mozilla: 'Forget about this site' removes sites from pre-loaded HSTS list
https://notcve.org/view.php?id=CVE-2019-11747
04 Sep 2019 — The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS s... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-358: Improperly Implemented Security Check for Standard CWE-665: Improper Initialization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11737 – Ubuntu Security Notice USN-4122-1
https://notcve.org/view.php?id=CVE-2019-11737
04 Sep 2019 — If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69. Si es especificado un comodín ('*') para el host en las directivas de Content Security Policy (CSP), será ignorada cualquier restricción de puerto o ruta de la directiva, lo que provocará que las directivas CSP no se apliquen correctamente al contenido... • https://bugzilla.mozilla.org/show_bug.cgi?id=1388015 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11744 – Mozilla: XSS by breaking out of title and textarea elements using innerHTML
https://notcve.org/view.php?id=CVE-2019-11744
04 Sep 2019 — Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, a... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 1%CPEs: 5EXPL: 0CVE-2019-11752 – Mozilla: Use-after-free while extracting a key value in IndexedDB
https://notcve.org/view.php?id=CVE-2019-11752
04 Sep 2019 — It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. Es posible eliminar un valor de clave IndexedDB y posteriormente intentar extraerlo durante la conversión. Esto resulta en un uso de la memoria previamente liberada y un bloqueo potencialmente explotable. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11748 – Mozilla: Persistence of WebRTC permissions in a third party context
https://notcve.org/view.php?id=CVE-2019-11748
04 Sep 2019 — WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-281: Improper Preservation of Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11735 – Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
https://notcve.org/view.php?id=CVE-2019-11735
04 Sep 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de la memoria presentes en Firefox versión 68 y Firefox ESR versión 68. Algunos de estos e... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •