CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7755
https://notcve.org/view.php?id=CVE-2017-7755
11 Jun 2018 — The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. • http://www.securityfocus.com/bid/99057 • CWE-426: Untrusted Search Path •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5174
https://notcve.org/view.php?id=CVE-2018-5174
11 Jun 2018 — In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior fr... • http://www.securityfocus.com/bid/104136 •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 1CVE-2017-7817
https://notcve.org/view.php?id=CVE-2017-7817
11 Jun 2018 — A spoofing vulnerability can occur when a page switches to fullscreen mode without user notification, allowing a fake address bar to be displayed. This allows an attacker to spoof which page is actually loaded and in use. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 56. • http://www.securityfocus.com/bid/101057 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7761
https://notcve.org/view.php?id=CVE-2017-7761
11 Jun 2018 — The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.... • http://www.securityfocus.com/bid/99057 • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7790
https://notcve.org/view.php?id=CVE-2017-7790
11 Jun 2018 — On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. • http://www.securitytracker.com/id/1039124 •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2016-9072
https://notcve.org/view.php?id=CVE-2016-9072
11 Jun 2018 — When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default. Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected. This vulnerability affects Firefox < 50. Cuando se crea un nuevo perfil de Firefox en instalaciones de 64 bits de Windows, el sandbox para los plugins NPAPI de 64 bits no están habilitados por defecto. Nota: este problema solo afecta a la versión 64 bits de Windows. • http://www.securityfocus.com/bid/94337 • CWE-254: 7PK - Security Features •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7766
https://notcve.org/view.php?id=CVE-2017-7766
11 Jun 2018 — An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Un ataque que emplea la manipulación del contenido de "updater.ini"... • http://www.securityfocus.com/bid/99057 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5397
https://notcve.org/view.php?id=CVE-2017-5397
11 Jun 2018 — The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by Firefox with their own versions. This vulnerability affects Firefox < 51.0.3. El directorio cache en el sistema de archivos local está establecido para que tenga permisos de escritura global. • http://www.securityfocus.com/bid/96144 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 0CVE-2018-5110
https://notcve.org/view.php?id=CVE-2018-5110
11 Jun 2018 — If cursor visibility is toggled by script using from 'none' to an image and back through script, the cursor will be rendered temporarily invisible within Firefox. Note: This vulnerability only affects OS X. Other operating systems are not affected. This vulnerability affects Firefox < 58. Si la visibilidad del cursor se cambia con un script usando desde "nada" hasta una imagen y viceversa a través del script, el cursor se vuelve temporalmente invisible en Firefox. • http://www.securityfocus.com/bid/102786 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2016-9065
https://notcve.org/view.php?id=CVE-2016-9065
11 Jun 2018 — The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. La barra de direcciones en firefox para Android puede suplantarse forzando a un usuario a emplear el modo de pantalla completa, bloqueando la salida y creando una barra de direcciones... • http://www.securityfocus.com/bid/94342 • CWE-20: Improper Input Validation •