CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11748 – Mozilla: Persistence of WebRTC permissions in a third party context
https://notcve.org/view.php?id=CVE-2019-11748
04 Sep 2019 — WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-281: Improper Preservation of Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11735 – Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
https://notcve.org/view.php?id=CVE-2019-11735
04 Sep 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de la memoria presentes en Firefox versión 68 y Firefox ESR versión 68. Algunos de estos e... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-11738 – Mozilla: Content security policy bypass through hash-based sources in directives
https://notcve.org/view.php?id=CVE-2019-11738
04 Sep 2019 — If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. Si una directiva de Content Security Policy (CSP) se define que usa una fuente basada en hash que toma la cadena vacía como entrada, se permitirá la ejecución de cualquier URI javascrip... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11733 – firefox: stored passwords in 'Saved Logins' can be copied without master password entry
https://notcve.org/view.php?id=CVE-2019-11733
16 Aug 2019 — When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2. Cuando se establece una... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9814
https://notcve.org/view.php?id=CVE-2019-9814
23 Jul 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 66. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 67. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de memoria presentes en Firefox 66. Algunos de estos errores mostraron evidencias de corrupción de memoria y presumimos que, con un ... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1527592%2C1534536%2C1520132%2C1543159%2C1539393%2C1459932%2C1459182%2C1516425 • CWE-787: Out-of-bounds Write •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9815
https://notcve.org/view.php?id=CVE-2019-9815
23 Jul 2019 — If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1546544 • CWE-203: Observable Discrepancy •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9818
https://notcve.org/view.php?id=CVE-2019-9818
23 Jul 2019 — A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. *Note: this vulnerability only affects Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1542581 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11694
https://notcve.org/view.php?id=CVE-2019-11694
23 Jul 2019 — A vulnerability exists in the Windows sandbox where an uninitialized value in memory can be leaked to a renderer from a broker when making a call to access an otherwise unavailable file. This results in the potential leaking of information stored at that memory location. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1534196 • CWE-755: Improper Handling of Exceptional Conditions CWE-908: Use of Uninitialized Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11699
https://notcve.org/view.php?id=CVE-2019-11699
23 Jul 2019 — A malicious page can briefly cause the wrong name to be highlighted as the domain name in the addressbar during page navigations. This could result in user confusion of which site is currently loaded for spoofing attacks. This vulnerability affects Firefox < 67. Una página maliciosa puede causar brevemente que se resalte el nombre incorrecto como el nombre de dominio en la barra de direcciones durante la navegación de la página. Esto podría generar confusión en el usuario sobre qué sitio está cargado actual... • https://bugzilla.mozilla.org/show_bug.cgi?id=1528939 •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11700
https://notcve.org/view.php?id=CVE-2019-11700
23 Jul 2019 — A hyperlink using the res: protocol can be used to open local files at a known location in Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 67. Se puede usar un hipervínculo que utiliza el protocolo res: para abrir archivos locales en una ubicación conocida en Internet Explorer si un usuario aprueba la ejecución cuando se le solicite. * Nota: este problema solo ocurre en Wind... • https://bugzilla.mozilla.org/show_bug.cgi?id=1549833 • CWE-862: Missing Authorization •