CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11695 – Ubuntu Security Notice USN-3991-1
https://notcve.org/view.php?id=CVE-2019-11695
21 May 2019 — A custom cursor defined by scripting on a site can position itself over the addressbar to spoof the actual cursor when it should not be allowed outside of the primary web content area. This could be used by a malicious site to trick users into clicking on permission prompts, doorhanger notifications, or other buttons inadvertently if the location is spoofed over the user interface. This vulnerability affects Firefox < 67. Un cursor personalizado definido mediante secuencias de comandos en un sitio puede pos... • https://bugzilla.mozilla.org/show_bug.cgi?id=1445844 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11701 – Ubuntu Security Notice USN-3991-1
https://notcve.org/view.php?id=CVE-2019-11701
21 May 2019 — The default webcal: protocol handler will load a web site vulnerable to cross-site scripting (XSS) attacks. This default was left in place as a legacy feature and has now been removed. *Note: this issue only affects users with an account on the vulnerable service. Other users are unaffected.*. This vulnerability affects Firefox < 67. • https://bugzilla.mozilla.org/show_bug.cgi?id=1518627 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9800 – Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
https://notcve.org/view.php?id=CVE-2019-9800
21 May 2019 — Mozilla developers and community members reported memory safety bugs present in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron bugs de seguridad de memoria presentes en Firefox versión 66, Fire... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1540166%2C1534593%2C1546327%2C1540136%2C1538736%2C1538042%2C1535612%2C1499719%2C1499108%2C1538619%2C1535194%2C1516325%2C1542324%2C1542097%2C1532465%2C1533554%2C1541580 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 5.9EPSS: 38%CPEs: 3EXPL: 1CVE-2019-9816 – Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
https://notcve.org/view.php?id=CVE-2019-9816
21 May 2019 — A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supported releases.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Se presenta una posible vulnerabilidad donde puede producirse una confusión de tipo al manipular objetos de J... • https://www.exploit-db.com/exploits/46940 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11697 – Ubuntu Security Notice USN-3991-1
https://notcve.org/view.php?id=CVE-2019-11697
21 May 2019 — If the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the install prompt delay that keeps the prompt visible in order for users to accept or decline the installation. A malicious web page could use this with spoofing on the page to trick users into installing a malicious extension. This vulnerability affects Firefox < 67. Si se presionan las teclas ALT y "a" cuando los usuarios reciben una solicitud de instalación de extensión, la ex... • https://bugzilla.mozilla.org/show_bug.cgi?id=1440079 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11691 – Mozilla: Use-after-free in XMLHttpRequest
https://notcve.org/view.php?id=CVE-2019-11691
21 May 2019 — A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Puede ocurrir una vulnerabilidad de uso después de liberarse cuando se trabaja con XMLHttpRequest (XHR) en un bucle de eventos, lo que hace que se llame al subproceso principal de XHR después de que se haya liberad... • https://bugzilla.mozilla.org/show_bug.cgi?id=1542465 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11698 – Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
https://notcve.org/view.php?id=CVE-2019-11698
21 May 2019 — If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Si un hipervínculo especialmente diseñado se arrastra y suelta en la barra de m... • https://bugzilla.mozilla.org/show_bug.cgi?id=1543191 • CWE-20: Improper Input Validation CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9821 – Ubuntu Security Notice USN-3991-1
https://notcve.org/view.php?id=CVE-2019-9821
21 May 2019 — A use-after-free vulnerability can occur in AssertWorkerThread due to a race condition with shared workers. This results in a potentially exploitable crash. This vulnerability affects Firefox < 67. Puede ocurrir una vulnerabilidad de uso de la memoria previamente liberada en AssertWorkerThread debido a una condición de carrera con trabajadores compartidos. Esto resulta en un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1539125 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9806
https://notcve.org/view.php?id=CVE-2019-9806
26 Apr 2019 — A vulnerability exists during authorization prompting for FTP transaction where successive modal prompts are displayed and cannot be immediately dismissed. This allows for a denial of service (DOS) attack. This vulnerability affects Firefox < 66. Una vulnerabilidad existente durante la solicitud de una transacción FTP donde sucesivos mensajes modales son mostrados y no pueden ser inmediatamente rechazados. Esto permite un ataque de denegación de servicios (DoS). • https://bugzilla.mozilla.org/show_bug.cgi?id=1525267 • CWE-399: Resource Management Errors •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-9798
https://notcve.org/view.php?id=CVE-2019-9798
26 Apr 2019 — On Android systems, Firefox can load a library from APITRACE_LIB, which is writable by all users and applications. This could allow malicious third party applications to execute a man-in-the-middle attack if a malicious code was written to that location and loaded. *Note: This issue only affects Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66. • https://bugzilla.mozilla.org/show_bug.cgi?id=1527534 • CWE-426: Untrusted Search Path •