CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2018-5135 – Ubuntu Security Notice USN-3596-1
https://notcve.org/view.php?id=CVE-2018-5135
14 Mar 2018 — WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox < 59. WebExtensions puede omitir las restricciones normales en algunas circunstancias y utilizar "browser.tabs.executeScript" para inyectar secuencias de comandos en contextos en los que esto no debería permitirse, como páginas de otros... • http://www.securityfocus.com/bid/103386 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2018-5136 – Ubuntu Security Notice USN-3596-2
https://notcve.org/view.php?id=CVE-2018-5136
14 Mar 2018 — A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy. This vulnerability affects Firefox < 59. Un worker compartido creado a partir de una URL "data:" en una pestaña puede ser compartido por otra pestaña con un origen diferente, evitando la política de mismo origen. Esta vulnerabilidad afecta a las versiones anteriores a la 59 de Firefox. USN-3596-1 fixed vulnerabilities in Firefox. • http://www.securityfocus.com/bid/103386 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2018-5137 – Ubuntu Security Notice USN-3596-2
https://notcve.org/view.php?id=CVE-2018-5137
14 Mar 2018 — A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script. This script does this by using a maliciously crafted path string to reference the resources. Note: this vulnerability does not affect WebExtensions. This vulnerability affects Firefox < 59. Los recursos definidos y no accesibles de una extensión legacy pueden ser cargados por una página web arbitraria a través de un script. • http://www.securityfocus.com/bid/103386 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5140 – Ubuntu Security Notice USN-3596-2
https://notcve.org/view.php?id=CVE-2018-5140
14 Mar 2018 — Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. This could allow for information leakage of which applications are associated with specific MIME types by a malicious page. This vulnerability affects Firefox < 59. Se puede acceder a la imagen de los moz-icons a través del protocolo "moz-icon:" mediante un script en el contenido de la web, incluso cuando esté prohibido. Esto podría permitir la fuga de información de qué aplicac... • http://www.securityfocus.com/bid/103386 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.2EPSS: 1%CPEs: 4EXPL: 0CVE-2018-5141 – Ubuntu Security Notice USN-3596-2
https://notcve.org/view.php?id=CVE-2018-5141
14 Mar 2018 — A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction. This could be used to open new tabs in a denial of service (DOS) attack or to display unwanted content from arbitrary URLs to users. This vulnerability affects Firefox < 59. Una vulnerabilidad en la API de notificaciones push en donde las notificaciones pueden ser enviadas a través de los service workers por contenido web sin la interacción directa del usuario... • http://www.securityfocus.com/bid/103386 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 0CVE-2018-5142 – Ubuntu Security Notice USN-3596-2
https://notcve.org/view.php?id=CVE-2018-5142
14 Mar 2018 — If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59. Si se solicita permiso de la API Media Capture and Streams desde documentos con URL "data:" o "blob:", las notificaciones de permiso no muestran correctament... • http://www.securityfocus.com/bid/103386 •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2018-5143 – Ubuntu Security Notice USN-3596-2
https://notcve.org/view.php?id=CVE-2018-5143
14 Mar 2018 — URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59. Las URL que utilizan "javascript:" eliminan el protocolo cuando se pega en la barra de direcciones para proteger a los usua... • http://www.securityfocus.com/bid/103386 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 0CVE-2017-7844 – Gentoo Linux Security Advisory 201802-03
https://notcve.org/view.php?id=CVE-2017-7844
20 Feb 2018 — A combination of an external SVG image referenced on a page and the coloring of anchor links stored within this image can be used to determine which pages a user has in their history. This can allow a malicious website to query user history. Note: This issue only affects Firefox 57. Earlier releases are not affected. This vulnerability affects Firefox < 57.0.1. • http://www.securityfocus.com/bid/102039 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-5124 – Ubuntu Security Notice USN-3552-1
https://notcve.org/view.php?id=CVE-2018-5124
31 Jan 2018 — Unsanitized output in the browser UI leaves HTML tags in place and can result in arbitrary code execution in Firefox before version 58.0.1. Una salida no saneada en la interfaz de usuario en el navegador deja etiquetas HTML que pueden conllevar en una ejecución de código en Firefox versiones anteriores a 58.0.1. Johann Hofmann discovered that HTML fragments created for chrome-privileged documents were not properly sanitized. An attacker could exploit this to execute arbitrary code. • https://www.mozilla.org/en-US/security/advisories/mfsa2018-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 27%CPEs: 4EXPL: 0CVE-2018-5093 – Ubuntu Security Notice USN-3544-1
https://notcve.org/view.php?id=CVE-2018-5093
25 Jan 2018 — A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 58. Podría ocurrir un desbordamiento de búfer basado en memoria dinámica (heap) en WebAssembly durante el redimensionamiento de Memory/Table, resultando en un cierre inesperado potencialmente explotable. Esta vulnerabilidad afecta a las versiones anteriores a la 58 de Firefox. Multiple security issues were discovered in Firefox. • http://www.securityfocus.com/bid/102786 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •