CVSS: 6.1EPSS: 0%CPEs: 21EXPL: 1CVE-2016-9895 – Mozilla: CSP bypass using marquee tag (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9895
Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Los gestores de eventos en los elementos "marquee" se ejecutaron a pesar de que existe un CSP (Content Security Policy) estricto que prohibía el JavaScript inline. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a la 45.6. • http://rhn.redhat.com/errata/RHSA-2016-2946.html http://rhn.redhat.com/errata/RHSA-2016-2973.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1312272 https://security.gentoo.org/glsa/201701-15 https://www.debian.org/security/2017/dsa-3757 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://www.mozilla.org/security/advisories&# • CWE-254: 7PK - Security Features •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 1CVE-2016-9897 – Mozilla: Memory corruption in libGLES (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9897
Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Corrupción de memoria que resulta en un cierre inesperado potencialmente explotable durante las funciones de WebGL mediante un constructor de vectores con un array variable en libGLES. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a la 45.6. • http://rhn.redhat.com/errata/RHSA-2016-2946.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1301381 https://security.gentoo.org/glsa/201701-15 https://www.debian.org/security/2017/dsa-3757 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://www.mozilla.org/security/advisories/mfsa2016-96 https://access.redhat.com/security/cve&#x • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 1CVE-2016-9898 – Mozilla: Use-after-free in Editor while manipulating DOM subtrees (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9898
Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Uso de memoria previamente liberada que resulta en un cierre inesperado potencialmente explotable al manipular subárboles DOM en el Editor. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a la 45.6. • http://rhn.redhat.com/errata/RHSA-2016-2946.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1314442 https://security.gentoo.org/glsa/201701-15 https://www.debian.org/security/2017/dsa-3757 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://www.mozilla.org/security/advisories/mfsa2016-96 https://access.redhat.com/security/cve&#x • CWE-416: Use After Free •
CVSS: 9.8EPSS: 82%CPEs: 22EXPL: 2CVE-2016-9899 – Mozilla Firefox < 50.1.0 - Use-After-Free
https://notcve.org/view.php?id=CVE-2016-9899
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Uso de memoria previamente liberada al manipular eventos DOM y eliminar elementos de audio debido a errores en la gestión de la adopción de nodos. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a la 45.6. • https://www.exploit-db.com/exploits/41042 http://rhn.redhat.com/errata/RHSA-2016-2946.html http://rhn.redhat.com/errata/RHSA-2016-2973.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1317409 https://security.gentoo.org/glsa/201701-15 https://www.debian.org/security/2017/dsa-3757 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 1CVE-2016-9900 – Mozilla: Restricted external resources can be loaded by SVG images through data URLs (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9900
External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Los recursos externos que deberían estar bloqueados al ser cargados por imágenes SVG pueden omitir restricciones de seguridad mediante el uso de URL "data:". Esto podría permitir el filtrado de datos Cross-Domain. • http://rhn.redhat.com/errata/RHSA-2016-2946.html http://rhn.redhat.com/errata/RHSA-2016-2973.html http://www.securityfocus.com/bid/94885 http://www.securitytracker.com/id/1037461 https://bugzilla.mozilla.org/show_bug.cgi?id=1319122 https://security.gentoo.org/glsa/201701-15 https://www.debian.org/security/2017/dsa-3757 https://www.mozilla.org/security/advisories/mfsa2016-94 https://www.mozilla.org/security/advisories/mfsa2016-95 https://www.mozilla.org/security/advisories&# • CWE-254: 7PK - Security Features •