CVSS: 9.8EPSS: 1%CPEs: 20EXPL: 0CVE-2018-5188 – Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9
https://notcve.org/view.php?id=CVE-2018-5188
29 Jun 2018 — Memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Hay errores de seguridad de memoria en Firefox 60, Firefox ESR 60 y Firefox ESR 52.8. Algunos de estos errores mostraron evidencias de corrupción de memo... • http://www.securityfocus.com/bid/104555 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7836
https://notcve.org/view.php?id=CVE-2017-7836
11 Jun 2018 — The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57. • http://www.securityfocus.com/bid/101832 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2017-7760
https://notcve.org/view.php?id=CVE-2017-7760
11 Jun 2018 — The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects... • http://www.securityfocus.com/bid/99057 • CWE-417: Communication Channel Errors •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 0CVE-2017-5392
https://notcve.org/view.php?id=CVE-2017-5392
11 Jun 2018 — Weak proxy objects have weak references on multiple threads when they should only have them on one, resulting in incorrect memory usage and corruption, which leads to potentially exploitable crashes. Note: This issue only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 51. Los objetos proxy débiles tienen referencias débiles en múltiples hilos cuando solo deberían tenerlas en uno, lo que resulta en un uso incorrecto y una corrupción de la memoria, ... • http://www.securityfocus.com/bid/95763 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-5394
https://notcve.org/view.php?id=CVE-2017-5394
11 Jun 2018 — A location bar spoofing attack where the location bar of loaded page will be shown over the content of another tab due to a series of JavaScript events combined with fullscreen mode. Note: This issue only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 51. Ataque de suplantación de barra de direcciones donde la barra de direcciones de la página cargada se mostrará sobre el contenido de otra pestaña debido a la combinación de una serie de eventos Ja... • http://www.securityfocus.com/bid/95763 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2017-5395
https://notcve.org/view.php?id=CVE-2017-5395
11 Jun 2018 — Malicious sites can display a spoofed location bar on a subsequently loaded page when the existing location bar on the new page is scrolled out of view if navigations between pages can be timed correctly. Note: This issue only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 51. Los sitios maliciosos pueden mostrar una barra de direcciones suplantada en una página subsecuentemente cargada cuando la barra de direcciones existente en la nueva página s... • http://www.securityfocus.com/bid/95763 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5397
https://notcve.org/view.php?id=CVE-2017-5397
11 Jun 2018 — The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by Firefox with their own versions. This vulnerability affects Firefox < 51.0.3. El directorio cache en el sistema de archivos local está establecido para que tenga permisos de escritura global. • http://www.securityfocus.com/bid/96144 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 1CVE-2017-5409
https://notcve.org/view.php?id=CVE-2017-5409
11 Jun 2018 — The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 45.8 and Firefox < 52. El actualizador Mozilla para Windows puede ser llamado por un usuario sin privilegios para eliminar un archivo... • http://www.securityfocus.com/bid/96696 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 3%CPEs: 4EXPL: 1CVE-2017-5411
https://notcve.org/view.php?id=CVE-2017-5411
11 Jun 2018 — A use-after-free can occur during buffer storage operations within the ANGLE graphics library, used for WebGL content. The buffer storage can be freed while still in use in some circumstances, leading to a potentially exploitable crash. Note: This issue is in "libGLES", which is only in use on Windows. Other operating systems are not affected. This vulnerability affects Firefox < 52 and Thunderbird < 52. • http://www.securityfocus.com/bid/96692 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2017-5425
https://notcve.org/view.php?id=CVE-2017-5425
11 Jun 2018 — The Gecko Media Plugin sandbox allows access to local files that match specific regular expressions. On OS OX, this matching allows access to some data in subdirectories of "/private/var" that could expose personal or temporary data. This has been updated to not allow access to "/private/var" and its subdirectories. Note: this issue only affects OS X. Other operating systems are not affected. • http://www.securityfocus.com/bid/96692 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •