CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7836
https://notcve.org/view.php?id=CVE-2017-7836
11 Jun 2018 — The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57. • http://www.securityfocus.com/bid/101832 • CWE-427: Uncontrolled Search Path Element •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7768
https://notcve.org/view.php?id=CVE-2017-7768
11 Jun 2018 — The Mozilla Maintenance Service can be invoked by an unprivileged user to read 32 bytes of any arbitrary file on the local system by convincing the service that it is reading a status file provided by the Mozilla Windows Updater. The Mozilla Maintenance Service executes with privileged access, bypassing system protections against unprivileged users. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2... • http://www.securityfocus.com/bid/99057 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-5394
https://notcve.org/view.php?id=CVE-2017-5394
11 Jun 2018 — A location bar spoofing attack where the location bar of loaded page will be shown over the content of another tab due to a series of JavaScript events combined with fullscreen mode. Note: This issue only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 51. Ataque de suplantación de barra de direcciones donde la barra de direcciones de la página cargada se mostrará sobre el contenido de otra pestaña debido a la combinación de una serie de eventos Ja... • http://www.securityfocus.com/bid/95763 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-5165
https://notcve.org/view.php?id=CVE-2018-5165
11 Jun 2018 — In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled. The displayed state is the reverse of the true setting, resulting in user confusion. This could cause users to select this setting intending to activate it and inadvertently turn protections off. This vulnerability affects Firefox < 60. En las versiones de 32 bits de Firefox, la configuración del plugin de Adobe Flash para "Act... • http://www.securityfocus.com/bid/104139 •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-5138
https://notcve.org/view.php?id=CVE-2018-5138
11 Jun 2018 — A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox for Android. This could allow an attacker to spoof which page is actually loaded and in use. Note: this issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 59. • http://www.securityfocus.com/bid/103386 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-9072
https://notcve.org/view.php?id=CVE-2016-9072
11 Jun 2018 — When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default. Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected. This vulnerability affects Firefox < 50. Cuando se crea un nuevo perfil de Firefox en instalaciones de 64 bits de Windows, el sandbox para los plugins NPAPI de 64 bits no están habilitados por defecto. Nota: este problema solo afecta a la versión 64 bits de Windows. • http://www.securityfocus.com/bid/94337 • CWE-254: 7PK - Security Features •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5452
https://notcve.org/view.php?id=CVE-2017-5452
11 Jun 2018 — Malicious sites can display a spoofed addressbar on a page when the existing location bar on the new page is scrolled out of view if an HTML editable page element is user selected. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 53. Los sitios maliciosos pueden mostrar una barra de direcciones suplantada en una página cuando la barra de direcciones existente en la nueva página se deja de ver al desplazarse si un elemento HTML... • http://www.securityfocus.com/bid/97940 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7761
https://notcve.org/view.php?id=CVE-2017-7761
11 Jun 2018 — The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.... • http://www.securityfocus.com/bid/99057 • CWE-276: Incorrect Default Permissions •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7767
https://notcve.org/view.php?id=CVE-2017-7767
11 Jun 2018 — The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Mozilla Maintenance Service puede ser invocado por un usuario sin privilegios para sobrescribir archivos arbitrarios con d... • http://www.securityfocus.com/bid/99057 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7804
https://notcve.org/view.php?id=CVE-2017-7804
11 Jun 2018 — The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. • http://www.securityfocus.com/bid/100234 • CWE-20: Improper Input Validation •