Log

CVE-2019-11705 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A flaw in Thunderbird's implementation of iCal before 60.7.1 causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11705
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
+ https://seclists.org/oss-sec/2019/q2/159
+ https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird/
Notes
CVE-2019-11706 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Denial of service
Description
+ A flaw in Thunderbird's implementation of iCal before 60.7.1 causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11706
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
+ https://seclists.org/oss-sec/2019/q2/160
+ https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird
Notes
CVE-2019-11707 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, in Firefox before 67.0.3. This can allow for an exploitable crash. Mozilla has been made aware of targeted attacks in the wild abusing this flaw.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
Notes
CVE-2019-11708 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Sandbox escape
Description
+ An issue has been found in Firefox before 67.0.4, where an insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/#CVE-2019-11708
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
Notes
CVE-2019-11709 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Several memory safety bugs have been found in Firefox before 68.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort that some of these could be exploited to run arbitrary code.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11709
+ https://bugzilla.mozilla.org/buglist.cgi?bug_id=1547266%2C1540759%2C1548822%2C1550498%2C1515052%2C1539219%2C1547757%2C1550498%2C1533522
Notes
CVE-2019-11710 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Several memory safety bugs have been found in Firefox before 68.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort that some of these could be exploited to run arbitrary code.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11710
+ https://bugzilla.mozilla.org/buglist.cgi?bug_id=1549768%2C1548611%2C1533842%2C1537692%2C1540590%2C1551907%2C1510345%2C1535482%2C1535848%2C1547472%2C1547760%2C1507696%2C1544180
Notes
CVE-2019-11711 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ In Firefox before 68.0, when an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11711
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1552541
Notes
CVE-2019-11712 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Cross-site request forgery
Description
+ In Firefox before 68.0, POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11712
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1543804
Notes
CVE-2019-11713 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability can occur in the HTTP/2 component of Firefox before 68.0, when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11713
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1528481
Notes
CVE-2019-11714 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11714
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1542593
Notes