Security News

CVE-2017-5404

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
Categories: Security News

CVE-2017-5405

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

CVE-2017-5406

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVE-2017-5407

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

CVE-2017-5408

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

CVE-2017-5409

National Vulnerability Database - Mon, 06/11/2018 - 17:29
The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 45.8 and Firefox < 52.

CVE-2017-5410

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due to errors in how incremental sweeping is managed for memory cleanup. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

CVE-2017-5411

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A use-after-free can occur during buffer storage operations within the ANGLE graphics library, used for WebGL content. The buffer storage can be freed while still in use in some circumstances, leading to a potentially exploitable crash. Note: This issue is in "libGLES", which is only in use on Windows. Other operating systems are not affected. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVE-2017-5412

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A buffer overflow read during SVG filter color value operations, resulting in data exposure. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVE-2017-5413

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A segmentation fault can occur during some bidirectional layout operations. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVE-2017-5414

National Vulnerability Database - Mon, 06/11/2018 - 17:29
The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVE-2017-5415

National Vulnerability Database - Mon, 06/11/2018 - 17:29
An attack can use a blob URL and script to spoof an arbitrary address bar URL prefaced by "blob:" as the protocol, leading to user confusion and further spoofing attacks. This vulnerability affects Firefox < 52.

CVE-2017-5416

National Vulnerability Database - Mon, 06/11/2018 - 17:29
In certain circumstances a networking event listener can be prematurely released. This appears to result in a null dereference in practice. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVE-2017-5380

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

CVE-2017-5381

National Vulnerability Database - Mon, 06/11/2018 - 17:29
The "export" function in the Certificate Viewer can force local filesystem navigation when the "common name" in a certificate contains slashes, allowing certificate content to be saved in unsafe locations with an arbitrary filename. This vulnerability affects Firefox < 51.

CVE-2017-5382

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Feed preview for RSS feeds can be used to capture errors and exceptions generated by privileged content, allowing for the exposure of internal information not meant to be seen by web content. This vulnerability affects Firefox < 51.

CVE-2017-5383

National Vulnerability Database - Mon, 06/11/2018 - 17:29
URLs containing certain Unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

CVE-2017-5384

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Proxy Auto-Config (PAC) files can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of HTTPS. Normally the Proxy Auto-Config file is specified by the user or machine owner and presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD) this file can be served remotely. This vulnerability affects Firefox < 51.

CVE-2017-5385

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Data sent in multipart channels, such as the multipart/x-mixed-replace MIME type, will ignore the referrer-policy response header, leading to potential information disclosure for sites using this header. This vulnerability affects Firefox < 51.

CVE-2017-5386

National Vulnerability Database - Mon, 06/11/2018 - 17:29
WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR < 45.7 and Firefox < 51.