CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11741 – Ubuntu Security Notice USN-4122-1
https://notcve.org/view.php?id=CVE-2019-11741
04 Sep 2019 — A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process. This v... • https://bugzilla.mozilla.org/show_bug.cgi?id=1539595 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9812 – Mozilla Firefox sync Universal Cross-Site Scripting Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9812
04 Sep 2019 — Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. Dado un proceso de contenido ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1538008 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11742 – Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
https://notcve.org/view.php?id=CVE-2019-11742
04 Sep 2019 — A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. Se presenta una violación de la política del mismo origen, que permite el robo de imágenes d... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11733 – firefox: stored passwords in 'Saved Logins' can be copied without master password entry
https://notcve.org/view.php?id=CVE-2019-11733
16 Aug 2019 — When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2. Cuando se establece una... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9814
https://notcve.org/view.php?id=CVE-2019-9814
23 Jul 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 66. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 67. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de memoria presentes en Firefox 66. Algunos de estos errores mostraron evidencias de corrupción de memoria y presumimos que, con un ... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1527592%2C1534536%2C1520132%2C1543159%2C1539393%2C1459932%2C1459182%2C1516425 • CWE-787: Out-of-bounds Write •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9815
https://notcve.org/view.php?id=CVE-2019-9815
23 Jul 2019 — If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1546544 • CWE-203: Observable Discrepancy •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9818
https://notcve.org/view.php?id=CVE-2019-9818
23 Jul 2019 — A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. *Note: this vulnerability only affects Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1542581 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11694
https://notcve.org/view.php?id=CVE-2019-11694
23 Jul 2019 — A vulnerability exists in the Windows sandbox where an uninitialized value in memory can be leaked to a renderer from a broker when making a call to access an otherwise unavailable file. This results in the potential leaking of information stored at that memory location. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1534196 • CWE-755: Improper Handling of Exceptional Conditions CWE-908: Use of Uninitialized Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11699
https://notcve.org/view.php?id=CVE-2019-11699
23 Jul 2019 — A malicious page can briefly cause the wrong name to be highlighted as the domain name in the addressbar during page navigations. This could result in user confusion of which site is currently loaded for spoofing attacks. This vulnerability affects Firefox < 67. Una página maliciosa puede causar brevemente que se resalte el nombre incorrecto como el nombre de dominio en la barra de direcciones durante la navegación de la página. Esto podría generar confusión en el usuario sobre qué sitio está cargado actual... • https://bugzilla.mozilla.org/show_bug.cgi?id=1528939 •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11700
https://notcve.org/view.php?id=CVE-2019-11700
23 Jul 2019 — A hyperlink using the res: protocol can be used to open local files at a known location in Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 67. Se puede usar un hipervínculo que utiliza el protocolo res: para abrir archivos locales en una ubicación conocida en Internet Explorer si un usuario aprueba la ejecución cuando se le solicite. * Nota: este problema solo ocurre en Wind... • https://bugzilla.mozilla.org/show_bug.cgi?id=1549833 • CWE-862: Missing Authorization •