News aggregator

CVE-2018-5138

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox for Android. This could allow an attacker to spoof which page is actually loaded and in use. Note: this issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 59.
Categories: Security News

CVE-2018-5140

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. This could allow for information leakage of which applications are associated with specific MIME types by a malicious page. This vulnerability affects Firefox < 59.
Categories: Security News

CVE-2018-5141

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction. This could be used to open new tabs in a denial of service (DOS) attack or to display unwanted content from arbitrary URLs to users. This vulnerability affects Firefox < 59.
Categories: Security News

CVE-2018-5142

National Vulnerability Database - Mon, 06/11/2018 - 17:29
If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59.
Categories: Security News

CVE-2018-5143

National Vulnerability Database - Mon, 06/11/2018 - 17:29
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.
Categories: Security News

CVE-2018-5144

National Vulnerability Database - Mon, 06/11/2018 - 17:29
An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.
Categories: Security News

CVE-2018-5145

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.
Categories: Security News

CVE-2018-5146

National Vulnerability Database - Mon, 06/11/2018 - 17:29
An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7.
Categories: Security News

CVE-2018-5147

National Vulnerability Database - Mon, 06/11/2018 - 17:29
The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms. This vulnerability affects Firefox ESR < 52.7.2 and Firefox < 59.0.1.
Categories: Security News

CVE-2018-5148

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.7.3 and Firefox < 59.0.2.
Categories: Security News

CVE-2018-5150

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
Categories: Security News

CVE-2018-5151

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Memory safety bugs were reported in Firefox 59. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 60.
Categories: Security News

CVE-2018-5105

National Vulnerability Database - Mon, 06/11/2018 - 17:29
WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5106

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5107

National Vulnerability Database - Mon, 06/11/2018 - 17:29
The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information could be exposed. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5108

National Vulnerability Database - Mon, 06/11/2018 - 17:29
A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. This could allow for the leaking of private information specific to the private browsing context. This issue is mitigated by the requirement that the user enter the Blob URL manually in order for the access violation to occur. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5109

National Vulnerability Database - Mon, 06/11/2018 - 17:29
An audio capture session can started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to capture an audio stream. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5110

National Vulnerability Database - Mon, 06/11/2018 - 17:29
If cursor visibility is toggled by script using from 'none' to an image and back through script, the cursor will be rendered temporarily invisible within Firefox. Note: This vulnerability only affects OS X. Other operating systems are not affected. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5111

National Vulnerability Database - Mon, 06/11/2018 - 17:29
When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site. This vulnerability affects Firefox < 58.
Categories: Security News

CVE-2018-5112

National Vulnerability Database - Mon, 06/11/2018 - 17:29
Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that it should not be able to access, including potentially privileged pages. This vulnerability affects Firefox < 58.
Categories: Security News

Pages