CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9801
https://notcve.org/view.php?id=CVE-2019-9801
26 Apr 2019 — Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happen if the program has specifically registered itself as a "URL Handler" in the Windows registry. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. • https://bugzilla.mozilla.org/show_bug.cgi?id=1527717 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2019-9804
https://notcve.org/view.php?id=CVE-2019-9804
26 Apr 2019 — In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted. This is the result of an issue with the native version of Bash on macOS. *Note: This issue only affects macOS. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66. • https://bugzilla.mozilla.org/show_bug.cgi?id=1518026 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-9807
https://notcve.org/view.php?id=CVE-2019-9807
26 Apr 2019 — When arbitrary text is sent over an FTP connection and a page reload is initiated, it is possible to create a modal alert message with this text as the content. This could potentially be used for social engineering attacks. This vulnerability affects Firefox < 66. Cuando un text arbitrario es enviado sobre una conexión FTP y la recarga de página es iniciada, es posible crear un mensaje de alerta modal con ese texto como contenido. Esto puede ser potencialmente empleado para ataques de ingeniería social. • https://bugzilla.mozilla.org/show_bug.cgi?id=1362050 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 70%CPEs: 11EXPL: 8CVE-2019-9810 – Mozilla Firefox Array.slice Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-9810
25 Mar 2019 — Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. La información incorrecta de alias en el compilador IonMonkey JIT para el método Array.prototype.slice puede llevar a la falta de comprobación de límites y a un desbordamiento del búfer. Esta vulnerabilidad afecta a Firefox versiones anteriores a 66.0.1, Firefox ESR versiones... • https://packetstorm.news/files/id/152251 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 52%CPEs: 3EXPL: 2CVE-2019-9813 – Mozilla Firefox IonMonkey Optimizer Type Confusion Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-9813
25 Mar 2019 — Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. Un manejo incorrecto de __proto__ mutations puede llevar a confusión de tipo en el código IonMonkey JIT, y puede aprovecharse para la lectura y escritura de memoria arbitraria. Esta vulnerabilidad afecta a Firefox versiones anteriores a 66.0.1, Firefox ESR versiones ant... • https://packetstorm.news/files/id/152304 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9797 – Mozilla: Cross-origin theft of images with createImageBitmap
https://notcve.org/view.php?id=CVE-2019-9797
22 Mar 2019 — Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This vulnerability affects Firefox < 66. Las imágenes de origen cruzado se pueden leer infringiendo la política del mismo origen al exportar una imagen después de utilizar createImageBitmap para leer la imagen y luego renderizar la imagen de mapa de bits resultante dentro de un elemento canvas. Esta... • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9799 – Ubuntu Security Notice USN-3918-2
https://notcve.org/view.php?id=CVE-2019-9799
22 Mar 2019 — Insufficient bounds checking of data during inter-process communication might allow a compromised content process to be able to read memory from the parent process under certain conditions. This vulnerability affects Firefox < 66. La comprobación de límites insuficientes de datos durante la comunicación entre procesos puede permitir que un proceso de contenido comprometido pueda leer la memoria del proceso principal en determinadas condiciones. Esta vulnerabilidad afecta a Firefox a las anteriores a 66. USN... • https://bugzilla.mozilla.org/show_bug.cgi?id=1505678 • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9802 – Ubuntu Security Notice USN-3918-1
https://notcve.org/view.php?id=CVE-2019-9802
22 Mar 2019 — If a Sandbox content process is compromised, it can initiate an FTP download which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome process with an arbitrary file length supplied by an attacker, bypassing sandbox protections and allow for a potential memory read of adjacent data from the privileged Chrome process, which may include sensitive data. This vulnerability affects Firefox < 66. Si un proceso contenido de Sandbox se ve comprometido, p... • https://bugzilla.mozilla.org/show_bug.cgi?id=1415508 • CWE-125: Out-of-bounds Read •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9803 – Ubuntu Security Notice USN-3918-2
https://notcve.org/view.php?id=CVE-2019-9803
22 Mar 2019 — The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox < 66. La especificación de Upgrade-Insecure-Requests (UIR) establece que si la UIR se habil... • https://bugzilla.mozilla.org/show_bug.cgi?id=1437009 • CWE-346: Origin Validation Error •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9805 – Ubuntu Security Notice USN-3918-2
https://notcve.org/view.php?id=CVE-2019-9805
22 Mar 2019 — A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption. This vulnerability affects Firefox < 66. Existe una vulnerabilidad latente en la libreria Prio, donde los datos pueden leerse desde la memoria no inicializada para algunas funciones, lo que puede dar lugar a una posible corrupción de la memoria. Esta vulnerabilidad afecta a Firefox versiones anteriores a la 66. USN-3918-1 fixed vulnerabilities in Fire... • https://bugzilla.mozilla.org/show_bug.cgi?id=1521360 • CWE-908: Use of Uninitialized Resource •