CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9795 – Mozilla: Type-confusion in IonMonkey JIT compiler
https://notcve.org/view.php?id=CVE-2019-9795
A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. Una vulnerabilidad de confusión de tipo en compilador IonMonkey just-in-time (JIT) podría ser utilizado por JavaScript malicioso para desencadenar un fallo potencialmente explotable. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 60.6, Firefox ESR versiones anteriores a 60.6 y Firefox versiones anteriores a 66. • https://access.redhat.com/errata/RHSA-2019:0966 https://access.redhat.com/errata/RHSA-2019:1144 https://bugzilla.mozilla.org/show_bug.cgi?id=1514682 https://www.mozilla.org/security/advisories/mfsa2019-07 https://www.mozilla.org/security/advisories/mfsa2019-08 https://www.mozilla.org/security/advisories/mfsa2019-11 https://access.redhat.com/security/cve/CVE-2019-9795 https://bugzilla.redhat.com/show_bug.cgi?id=1690680 • CWE-617: Reachable Assertion CWE-787: Out-of-bounds Write CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9796 – Mozilla: Use-after-free with SMIL animation controller
https://notcve.org/view.php?id=CVE-2019-9796
A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. Una vulnerabilidad de uso después de liberación de memoria puede darse cuando el controlador de animación SMIL registra incorrectamente con el controlador de actualización dos veces cuando sólo se espera un único registro. Cuando se libera un registro con la eliminación del elemento de controlador de animación, el controlador de actualización deja incorrectamente un puntero pendiente en la matriz de observadores del controlador. • https://access.redhat.com/errata/RHSA-2019:0966 https://access.redhat.com/errata/RHSA-2019:1144 https://bugzilla.mozilla.org/show_bug.cgi?id=1531277 https://www.mozilla.org/security/advisories/mfsa2019-07 https://www.mozilla.org/security/advisories/mfsa2019-08 https://www.mozilla.org/security/advisories/mfsa2019-11 https://access.redhat.com/security/cve/CVE-2019-9796 https://bugzilla.redhat.com/show_bug.cgi?id=1690681 • CWE-416: Use After Free •
CVSS: 9.8EPSS: 17%CPEs: 11EXPL: 3CVE-2019-9792 – Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script
https://notcve.org/view.php?id=CVE-2019-9792
The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout. This magic value can then be used by JavaScript to achieve memory corruption, which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. El compilador IonMonkey just-in-time (JIT) puede filtrar un valor mágico interno JS_OPTIMIZED_OUT para la ejecución script durante un rescate. JavaScript puede utilizar este valor mágico para lograr daños en la memoria, lo que lleva a un fallo potencialmente explotable. • https://www.exploit-db.com/exploits/46939 http://packetstormsecurity.com/files/153106/Spidermonkey-IonMonkey-JS_OPTIMIZED_OUT-Value-Leak.html https://access.redhat.com/errata/RHSA-2019:0966 https://access.redhat.com/errata/RHSA-2019:1144 https://bugzilla.mozilla.org/show_bug.cgi?id=1532599 https://www.mozilla.org/security/advisories/mfsa2019-07 https://www.mozilla.org/security/advisories/mfsa2019-08 https://www.mozilla.org/security/advisories/mfsa2019-11 https://access.redhat.com/security/ • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2019-9788 – Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
https://notcve.org/view.php?id=CVE-2019-9788
Mozilla developers and community members reported memory safety bugs present in Firefox 65, Firefox ESR 60.5, and Thunderbird 60.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. Desarrolladores de Mozilla y miembros de la comunidad reportaron bugs en seguridad de memoria presentes en Firefox 65, Firefox ESR 60.5, y Thunderbird 60.5. Algunos de los bugs mostraron evidencias de corrupción de memoria y asumimos que con el suficiente esfuerzo esto podría ser explotado para ejecutar código arbitrario. • https://access.redhat.com/errata/RHSA-2019:0966 https://access.redhat.com/errata/RHSA-2019:1144 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1518001%2C1521304%2C1521214%2C1506665%2C1516834%2C1518774%2C1524755%2C1523362%2C1524214%2C1529203 https://www.mozilla.org/security/advisories/mfsa2019-07 https://www.mozilla.org/security/advisories/mfsa2019-08 https://www.mozilla.org/security/advisories/mfsa2019-11 https://access.redhat.com/security/cve/CVE-2019-9788 https://bugzilla.redhat.com/show_bug.cgi?id • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9790 – Mozilla: Use-after-free when removing in-use DOM elements
https://notcve.org/view.php?id=CVE-2019-9790
A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. Podría ocurrir una vulnerabilidad de uso después de liberación de memoria cuando es obtenido un puntero raw al elemento DOM en una página empleando JavaScript y el elemento es eliminado mientras sigue en uso. Esto resulta en un cierre inesperado potencialmente explotable. • https://access.redhat.com/errata/RHSA-2019:0966 https://access.redhat.com/errata/RHSA-2019:1144 https://bugzilla.mozilla.org/show_bug.cgi?id=1525145 https://www.mozilla.org/security/advisories/mfsa2019-07 https://www.mozilla.org/security/advisories/mfsa2019-08 https://www.mozilla.org/security/advisories/mfsa2019-11 https://access.redhat.com/security/cve/CVE-2019-9790 https://bugzilla.redhat.com/show_bug.cgi?id=1690675 • CWE-416: Use After Free •