Total
2868 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7782 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. | |||||
| CVE-2017-7789 | 1 Mozilla | 1 Firefox | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. This vulnerability affects Firefox < 55. | |||||
| CVE-2018-12398 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63. | |||||
| CVE-2017-5419 | 1 Mozilla | 2 Firefox, Thunderbird | 2019-10-03 | 7.8 HIGH | 7.5 HIGH |
| If a malicious site repeatedly triggers a modal authentication prompt, eventually the browser UI will become non-responsive, requiring shutdown through the operating system. This is a denial of service (DOS) attack. This vulnerability affects Firefox < 52 and Thunderbird < 52. | |||||
| CVE-2017-7766 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. | |||||
| CVE-2018-5105 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-10-03 | 7.2 HIGH | 7.8 HIGH |
| WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox < 58. | |||||
| CVE-2017-7765 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. | |||||
| CVE-2018-5142 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59. | |||||
| CVE-2017-7821 | 1 Mozilla | 1 Firefox | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability where WebExtensions can download and attempt to open a file of some non-executable file types. This can be triggered without specific user interaction for the file download and open actions. This could be used to trigger known vulnerabilities in the programs that handle those document types. This vulnerability affects Firefox < 56. | |||||
| CVE-2017-7820 | 1 Mozilla | 1 Firefox | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| The "instanceof" operator can bypass the Xray wrapper mechanism. When called on web content from the browser itself or an extension the web content can provide its own result for that operator, possibly tricking the browser or extension into mishandling the element. This vulnerability affects Firefox < 56. | |||||
| CVE-2018-5152 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in. This vulnerability affects Firefox < 60. | |||||
| CVE-2017-7790 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. | |||||
| CVE-2017-5409 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2019-10-03 | 3.6 LOW | 5.5 MEDIUM |
| The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 45.8 and Firefox < 52. | |||||
| CVE-2017-5390 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. | |||||
| CVE-2018-5179 | 1 Mozilla | 1 Firefox | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users. Affects all versions prior to Firefox 60. | |||||
| CVE-2017-7767 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2019-10-03 | 2.1 LOW | 5.5 MEDIUM |
| The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. | |||||
| CVE-2018-5174 | 2 Microsoft, Mozilla | 5 Windows 10, Firefox, Firefox Esr and 2 more | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. | |||||
| CVE-2017-7816 | 1 Mozilla | 1 Firefox | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56. | |||||
| CVE-2017-5456 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Enterprise Linux and 5 more | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. | |||||
| CVE-2018-12383 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Firefox and 8 more | 2019-10-03 | 2.1 LOW | 5.5 MEDIUM |
| If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1. | |||||