CVSS: 9.8EPSS: 2%CPEs: 20EXPL: 0CVE-2018-5156 – Mozilla: Media recorder segmentation fault when track type is changed during capture
https://notcve.org/view.php?id=CVE-2018-5156
29 Jun 2018 — A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Puede ocurrir una vulnerabilidad al capturar una transmisión de medios cuando el tipo de origen de medios se cambia al mismo tiempo que se realiza la captura. Esto puede resultar en que... • http://www.securityfocus.com/bid/104560 • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.5EPSS: 0%CPEs: 21EXPL: 0CVE-2018-12365 – Mozilla: Compromised IPC child process can list local filenames
https://notcve.org/view.php?id=CVE-2018-12365
29 Jun 2018 — A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Un proceso hijo IPC comprometido puede escapar el sandbox de contenido y listar los nombres de archivos arbitrarios en el sistema de archivos sin consentimiento o interacción del... • http://www.securityfocus.com/bid/104560 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.8EPSS: 1%CPEs: 21EXPL: 0CVE-2018-12359 – Mozilla: Buffer overflow using computed size of canvas element
https://notcve.org/view.php?id=CVE-2018-12359
29 Jun 2018 — A buffer overflow can occur when rendering canvas content while adjusting the height and width of the canvas element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Puede ocurrir un desbordamiento de búfer al renderizar contenido canvas al ajustar dinámicamente la altura y anchura del elemento canvas,... • http://www.securityfocus.com/bid/104555 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7755
https://notcve.org/view.php?id=CVE-2017-7755
11 Jun 2018 — The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 • CWE-426: Untrusted Search Path •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2017-7759
https://notcve.org/view.php?id=CVE-2017-7759
11 Jun 2018 — Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs, allowing for the reading of local data through a violation of same-origin policy. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 54. Las URL de intent Android dadas a Firefox para Android pueden emplearse para navegar desde URL HTTP o HTTPS hasta URL "file:" locales, lo que permite la lectura de datos local... • http://www.securityfocus.com/bid/99052 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2017-7760
https://notcve.org/view.php?id=CVE-2017-7760
11 Jun 2018 — The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects... • http://www.securityfocus.com/bid/99057 • CWE-417: Communication Channel Errors •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7761
https://notcve.org/view.php?id=CVE-2017-7761
11 Jun 2018 — The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.... • http://www.securityfocus.com/bid/99057 • CWE-276: Incorrect Default Permissions •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-7763
https://notcve.org/view.php?id=CVE-2017-7763
11 Jun 2018 — Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7765
https://notcve.org/view.php?id=CVE-2017-7765
11 Jun 2018 — The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7766
https://notcve.org/view.php?id=CVE-2017-7766
11 Jun 2018 — An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Un ataque que emplea la manipulación del contenido de "updater.ini"... • http://www.securityfocus.com/bid/99057 •