CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7761
https://notcve.org/view.php?id=CVE-2017-7761
11 Jun 2018 — The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.... • http://www.securityfocus.com/bid/99057 • CWE-276: Incorrect Default Permissions •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7767
https://notcve.org/view.php?id=CVE-2017-7767
11 Jun 2018 — The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Mozilla Maintenance Service puede ser invocado por un usuario sin privilegios para sobrescribir archivos arbitrarios con d... • http://www.securityfocus.com/bid/99057 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7804
https://notcve.org/view.php?id=CVE-2017-7804
11 Jun 2018 — The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. • http://www.securityfocus.com/bid/100234 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-5463
https://notcve.org/view.php?id=CVE-2017-5463
11 Jun 2018 — Android intents can be used to launch Firefox for Android in reader mode with a user specified URL. This allows an attacker to spoof the contents of the addressbar as displayed to users. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 53. • http://www.securityfocus.com/bid/97940 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-5425
https://notcve.org/view.php?id=CVE-2017-5425
11 Jun 2018 — The Gecko Media Plugin sandbox allows access to local files that match specific regular expressions. On OS OX, this matching allows access to some data in subdirectories of "/private/var" that could expose personal or temporary data. This has been updated to not allow access to "/private/var" and its subdirectories. Note: this issue only affects OS X. Other operating systems are not affected. • http://www.securityfocus.com/bid/96692 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5450
https://notcve.org/view.php?id=CVE-2017-5450
11 Jun 2018 — A mechanism to spoof the Firefox for Android addressbar using a "javascript:" URI. On Firefox for Android, the base domain is parsed incorrectly, making the resulting location less visibly a spoofed site and showing an incorrect domain in appended notifications. This vulnerability affects Firefox < 53. Mecanismo para suplantar la barra de direcciones en Firefox para Android mediante un URI "javascript:". En Firefox para Android, el dominio base se analiza incorrectamente, lo que hace que sea menos visible q... • http://www.securityfocus.com/bid/97940 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-5174
https://notcve.org/view.php?id=CVE-2018-5174
11 Jun 2018 — In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior fr... • http://www.securityfocus.com/bid/104136 •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7782
https://notcve.org/view.php?id=CVE-2017-7782
11 Jun 2018 — An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Error en "WindowsDllDetourPatcher", donde un bloque 4k RWX ("Read/Write/Execute") se asigna, pero nunca se proteje, violando las protecciones DEP. • http://www.securityfocus.com/bid/100243 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2016-5299
https://notcve.org/view.php?id=CVE-2016-5299
11 Jun 2018 — A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. Una aplicación Android maliciosa previamente instalada con los mismos permisos a nivel de firma que Firefox puede interceptar AuthTokens destinados solo a Firefox. • http://www.securityfocus.com/bid/94337 • CWE-275: Permission Issues •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2016-5298
https://notcve.org/view.php?id=CVE-2016-5298
11 Jun 2018 — A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded. Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. This vulnerability affects Firefox < 50. Un mecanismo donde la interrupción de la carga de una nueva página web puede provocar que los indicadores favicon y SSL de la página anterior no se restablezcan. • http://www.securityfocus.com/bid/94337 • CWE-20: Improper Input Validation •