CVSS: 7.1EPSS: 0%CPEs: 15EXPL: 0CVE-2018-12397 – Mozilla: WebExtension local file permission check bypass
https://notcve.org/view.php?id=CVE-2018-12397
25 Oct 2018 — A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63. WebExtensions pueden solicitar el acceso a archivos locales sin que salte un aviso de advertencia en el que consta que la extensión accederá a sus datos para... • http://www.securityfocus.com/bid/105718 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 17EXPL: 0CVE-2018-12396 – Mozilla: WebExtension content scripts can execute in disallowed contexts
https://notcve.org/view.php?id=CVE-2018-12396
25 Oct 2018 — A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63. Una vulnerabilidad en la que WebExtensions pueden ejecutar scripts de contenido en contextos no permitidos tras una navegación u otros eventos. Esto permite el escalado de privilegios potencial mediante WebExt... • http://www.securityfocus.com/bid/105718 • CWE-284: Improper Access Control CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-5179 – chromium-browser: Lack of limits on update() in ServiceWorker
https://notcve.org/view.php?id=CVE-2018-5179
25 Oct 2018 — A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users. Affects all versions prior to Firefox 60. Un trabajador del servicio puede enviar el evento activate en sí mismo periódicamente, lo que le permite ejecutarse perpetuamente, permitiendo a su vez supervisar la actividad de los usuarios. Afecta a todas las versiones anteriores a Firefox 60. Chromium is an open-source web browser, powered by WebKit. • https://www.mozilla.org/en-US/security/advisories/mfsa2018-11 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 9.8EPSS: 5%CPEs: 19EXPL: 0CVE-2018-12390 – Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
https://notcve.org/view.php?id=CVE-2018-12390
25 Oct 2018 — Mozilla developers and community members reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron problemas de seguridad existentes en Firefox 62 y Firefox ESR 60.2. Algunos de estos ... • http://www.securityfocus.com/bid/105718 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 3%CPEs: 19EXPL: 0CVE-2018-12392 – Mozilla: Crash with nested event loops
https://notcve.org/view.php?id=CVE-2018-12392
25 Oct 2018 — When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. Al manipular los eventos de usuario en bucles anidados durante la apertura de un documento mediante script, es posible desencadenar un cierre inesperado potencialmente explotable debido a la mala gestión de eventos. Esta vulnerabilidad afecta a las versi... • http://www.securityfocus.com/bid/105718 • CWE-364: Signal Handler Race Condition •
CVSS: 7.5EPSS: 3%CPEs: 18EXPL: 0CVE-2018-12393 – Mozilla: Integer overflow during Unicode conversion while loading JavaScript
https://notcve.org/view.php?id=CVE-2018-12393
25 Oct 2018 — A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. Se ha encontrado una vulnerabilidad potencial en los builds de 32 bit en la que un desbordamiento de enteros ... • http://www.securityfocus.com/bid/105718 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2018-12399 – Ubuntu Security Notice USN-3801-1
https://notcve.org/view.php?id=CVE-2018-12399
24 Oct 2018 — When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63. Cuando se registra un nuevo manipulador de protocolos, la API acepta un argumento de títulos que puede utilizarse para engañar a los usuarios para que duden sobre el dominio que está registrando el nuevo protocolo. ... • http://www.securityfocus.com/bid/105721 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2018-12395 – Mozilla: WebExtension bypass of domain restrictions through header rewriting
https://notcve.org/view.php?id=CVE-2018-12395
24 Oct 2018 — By rewriting the Host: request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63. Al reescribir las cabeceras "Host: request" que utilizan la API webRequest, WebExtensions pueden omitir las restricciones de dominio mediante la fronting del dominio. Esto permitiría el acceso a dominios, cuyo acceso es normalme... • http://www.securityfocus.com/bid/105718 • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-12388 – Ubuntu Security Notice USN-3801-1
https://notcve.org/view.php?id=CVE-2018-12388
24 Oct 2018 — Mozilla developers and community members reported memory safety bugs present in Firefox 62. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63. Los desarrolladores de Mozilla y los miembros de la comunidad reportaron problemas de seguridad existentes en Firefox 62. Algunos de estos errores mostraban evidencias de corrupción de memoria y se cree que, con el esfuerzo... • http://www.securityfocus.com/bid/105721 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2018-12403 – Ubuntu Security Notice USN-3801-2
https://notcve.org/view.php?id=CVE-2018-12403
24 Oct 2018 — If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. This vulnerability affects Firefox < 63. Si se carga un sitio mediante una conexión HTTPS y, en consecuencia, se carga un recurso favicon mediante HTTP, no salta la advertencia de contenido mixto a los usuarios. Esta vulnerabilidad afecta a las versiones anteriores a la 63 de Firefox. USN-3801-1 fixed vulnerabilities in Firefox. • http://www.securityfocus.com/bid/105721 •