AVG-1002 log

Package firefox
Status Fixed
Severity Critical
Type multiple issues
Affected 67.0.4-2
Fixed 68.0-1
Current 70.0.1-1 [extra]
Ticket None
Created Wed Jul 10 09:03:38 2019
Issue Severity Remote Type Description
CVE-2019-11730 Medium Yes Arbitrary filesystem access
A vulnerability exists in Firefox before 68.0 where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the...
CVE-2019-11729 Medium Yes Denial of service
Empty or malformed p256-ECDH public keys may trigger a segmentation fault in Firefox before 68.0 due values being improperly sanitized before being copied...
CVE-2019-11728 Low Yes Information disclosure
In firefox before 68.0, the HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible...
CVE-2019-11727 Low Yes Silent downgrade
A vulnerability exists in Firefox before 68.0 where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5...
CVE-2019-11725 Low Yes Access restriction bypass
In Firefox before 68.0, when a user navigates to a site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is...
CVE-2019-11724 Low Yes Access restriction bypass
Application permissions in Firefox before 68.0 give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and...
CVE-2019-11723 Low Yes Information disclosure
A vulnerability exists in Firefox 68.0 during the installation of add- ons where the initial fetch ignored the origin attributes of the browsing context....
CVE-2019-11721 Medium Yes Content spoofing
The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar in Firefox before 68.0. This allows for domain spoofing...
CVE-2019-11720 Medium Yes Insufficient validation
In Firefox before 68.0, some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing...
CVE-2019-11719 Medium Yes Information disclosure
In Firefox before 68.0, when importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in...
CVE-2019-11718 Medium Yes Insufficient validation
In Firefox before 68.0, Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity...
CVE-2019-11717 Medium Yes Insufficient validation
A vulnerability exists in Firebox before 68.0 where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a...
CVE-2019-11716 Medium Yes Access restriction bypass
In Firefox before 68.0, until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as...
CVE-2019-11715 Medium Yes Cross-site scripting
In Firefox before 68.0, due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS...
CVE-2019-11714 Critical Yes Arbitrary code execution
Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances.
CVE-2019-11713 Critical Yes Arbitrary code execution
A use-after-free vulnerability can occur in the HTTP/2 component of Firefox before 68.0, when a cached HTTP/2 stream is closed while still in use, resulting...
CVE-2019-11712 High Yes Cross-site request forgery
In Firefox before 68.0, POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This...
CVE-2019-11711 High Yes Access restriction bypass
In Firefox before 68.0, when an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different...
CVE-2019-11710 Critical Yes Arbitrary code execution
Several memory safety bugs have been found in Firefox before 68.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...
CVE-2019-11709 Critical Yes Arbitrary code execution
Several memory safety bugs have been found in Firefox before 68.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...
CVE-2019-9811 High Yes Sandbox escape
A sandbox escape has been found in Firefox before 68.0, by installing a malicious language pack and then opening a browser feature that used the compromised...
Date Advisory Package Description
17 Jul 2019 ASA-201907-4 firefox multiple issues
References
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/