CVSS: 5.5EPSS: 0%CPEs: 18EXPL: 1CVE-2018-12383 – Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords
https://notcve.org/view.php?id=CVE-2018-12383
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1. • http://www.securityfocus.com/bid/105276 http://www.securitytracker.com/id/1041610 http://www.securitytracker.com/id/1041701 https://access.redhat.com/errata/RHSA-2018:2834 https://access.redhat.com/errata/RHSA-2018:2835 https://access.redhat.com/errata/RHSA-2018:3403 https://access.redhat.com/errata/RHSA-2018:3458 https://bugzilla.mozilla.org/show_bug.cgi?id=1475775 https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html https://security.gentoo.org/glsa/201810- • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 0CVE-2018-12378 – Mozilla: Use-after-free in IndexedDB
https://notcve.org/view.php?id=CVE-2018-12378
A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. Puede ocurrir una vulnerabilidad de uso de memoria previamente liberada cuando un índice IndexedDB se elimina mientras sigue en uso por parte de código JavaScript que está proporcionando valores de carga útil para que sean almacenados. Esto resulta en un cierre inesperado potencialmente explotable. • http://www.securityfocus.com/bid/105280 http://www.securitytracker.com/id/1041610 https://access.redhat.com/errata/RHSA-2018:2692 https://access.redhat.com/errata/RHSA-2018:2693 https://access.redhat.com/errata/RHSA-2018:3403 https://access.redhat.com/errata/RHSA-2018:3458 https://bugzilla.mozilla.org/show_bug.cgi?id=1459383 https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html https://security.gentoo.org/glsa/201810-01 https://security.gentoo.org/glsa/20181 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 11EXPL: 2CVE-2018-14624 – 389-ds-base: Server crash through modify command with large DN
https://notcve.org/view.php?id=CVE-2018-14624
A vulnerability was discovered in 389-ds-base through versions 1.3.7.10, 1.3.8.8 and 1.4.0.16. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash. Se ha descubierto una vulnerabilidad en 389-ds-base hasta las versiones 1.3.7.10, 1.3.8.8 y 1.4.0.16. El bloqueo que controla el registro de errores no se empleaba correctamente al reabrir el archivo de registro en log__error_emergency(). • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00033.html https://access.redhat.com/errata/RHSA-2018:2757 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14624 https://lists.debian.org/debian-lts-announce/2018/09/msg00037.html https://pagure.io/389-ds-base/issue/49937 https://access.redhat.com/security/cve/CVE-2018-14624 https://bugzilla.redhat.com/show_bug.cgi?id=1619450 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2018-16539 – ghostscript: incorrect access checking in temp file handling to disclose contents of files (699658)
https://notcve.org/view.php?id=CVE-2018-16539
In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable. En Artifex Ghostscript en versiones anteriores a la 9.24, los atacantes que puedan proporcionar archivos PostScript manipulados podrían emplear la comprobación de acceso incorrecta en el manejo de archivos temporales para revelar el contenido de los archivos del sistema que, normalmente, no estarían disponibles. It was discovered that the ghostscript did not properly restrict access to files open prior to enabling the -dSAFER mode. An attacker could possibly exploit this to bypass the -dSAFER protection and disclose the content of affected files via a specially crafted PostScript document. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=a054156d425b4dbdaaa9fda4b5f1182b27598c2b https://access.redhat.com/errata/RHSA-2018:3650 https://bugs.ghostscript.com/show_bug.cgi?id=699658 https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html https://security.gentoo.org/glsa/201811-12 https://usn.ubuntu.com/3768-1 https://www.artifex.com/news/ghostscript-security-resolved https://www.debian.org/security/2018/dsa-4288 https://access.redhat.com/security/cve/CVE- • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-377: Insecure Temporary File •
CVSS: 7.3EPSS: 0%CPEs: 12EXPL: 0CVE-2018-16541 – ghostscript: Incorrect free logic in pagedevice replacement (699664)
https://notcve.org/view.php?id=CVE-2018-16541
In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. En Artifex Ghostscript en versiones anteriores a la 9.24, los atacantes que puedan proporcionar archivos PostScript manipulados podrían emplear una lógica libre incorrecta en el reemplazo pagedevice para provocar el cierre inesperado del intérprete. It was discovered that the ghostscript device cleanup did not properly handle devices replaced with a null device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=241d91112771a6104de10b3948c3f350d6690c1d https://access.redhat.com/errata/RHSA-2018:3834 https://bugs.ghostscript.com/show_bug.cgi?id=699664 https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html https://security.gentoo.org/glsa/201811-12 https://usn.ubuntu.com/3768-1 https://www.artifex.com/news/ghostscript-security-resolved https://www.debian.org/security/2018/dsa-4288 https://access.redhat.com/security/cve/CVE- • CWE-416: Use After Free •