CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9817 – Mozilla: Stealing of cross-domain images using canvas
https://notcve.org/view.php?id=CVE-2019-9817
Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Las imágenes desde un dominio diferente pueden ser leídas utilizando un objeto de canvas en ciertas circunstancias. Esto podría ser usado para robar datos de imágenes desde un sitio diferente en violación de la política del mismo origen. • https://bugzilla.mozilla.org/show_bug.cgi?id=1540221 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-9817 https://bugzilla.redhat.com/show_bug.cgi?id=1712626 • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11693 – Mozilla: Buffer overflow in WebGL bufferdata on Linux
https://notcve.org/view.php?id=CVE-2019-11693
The bufferdata function in WebGL is vulnerable to a buffer overflow with specific graphics drivers on Linux. This could result in malicious content freezing a tab or triggering a potentially exploitable crash. *Note: this issue only occurs on Linux. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1532525 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-11693 https://bugzilla.redhat.com/show_bug.cgi?id=1712619 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9819 – Mozilla: Compartment mismatch with fetch API
https://notcve.org/view.php?id=CVE-2019-9819
A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Una vulnerabilidad donde puede ocurrir una discrepancia en el compartimento de JavaScript mientras trabaja con la API de fetch, lo que resulta en un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Thunderbird anterior a versión 60.7, Firefox anterior a versión 67 y Firefox ESR anterior a versión 60.7. • https://bugzilla.mozilla.org/show_bug.cgi?id=1532553 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-9819 https://bugzilla.redhat.com/show_bug.cgi?id=1712628 • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9820 – Mozilla: Use-after-free of ChromeEventHandler by DocShell
https://notcve.org/view.php?id=CVE-2019-9820
A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Puede ocurrir una vulnerabilidad de uso de la memoria previamente liberada en el controlador de eventos de Chrome cuando se libera mientras aún está en uso. Esto resulta en un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1536405 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-9820 https://bugzilla.redhat.com/show_bug.cgi?id=1712629 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11698 – Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
https://notcve.org/view.php?id=CVE-2019-11698
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Si un hipervínculo especialmente diseñado se arrastra y suelta en la barra de marcadores o en la barra lateral y el marcador resultante se arrastra y suelta posteriormente en el área de contenido web, se puede ejecutar una consulta arbitraria del historial del navegador de un usuario y transmitirla a la página de contenido a través de los datos del evento. . Esto permite el robo del historial del navegador por un sitio malicioso. • https://bugzilla.mozilla.org/show_bug.cgi?id=1543191 https://www.mozilla.org/security/advisories/mfsa2019-13 https://www.mozilla.org/security/advisories/mfsa2019-14 https://www.mozilla.org/security/advisories/mfsa2019-15 https://access.redhat.com/security/cve/CVE-2019-11698 https://bugzilla.redhat.com/show_bug.cgi?id=1712621 • CWE-20: Improper Input Validation CWE-829: Inclusion of Functionality from Untrusted Control Sphere •