Log

CVE-2018-5152 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An information disclosure vulnerability has been found in Firefox < 60.0. WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5152
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
Notes
CVE-2018-5153 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An information disclosure vulnerability has been found in Firefox < 60.0. If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5153
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1436809
Notes
CVE-2018-5154 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability has been found in Firefox < 60.0 and Thunderbird < 52.8, while enumerating attributes during SVG animations with clip paths.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5154
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1443092
Notes
CVE-2018-5155 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability has been found in Firefox < 60.0 and Thunderbird < 52.8, while adjusting layout during SVG animations with text paths.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5155
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1448774
Notes
CVE-2018-5156 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A vulnerability can occur in Firefox before 61.0 and Thunderbird before 60.0 when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5156
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1453127
Notes
CVE-2018-5157 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Same-origin policy bypass
Description
+ A same-origin policy bypass vulnerability has been found in the PDF viewer of Firefox < 60.0, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5157
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1449898
Notes
CVE-2018-5158 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A vulnerability caused by insufficient sanitization of PostScript calculator functions has been found in the PDF viewer of Firefox < 60.0, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1452075
Notes
CVE-2018-5159 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An integer overflow vulnerability has been found in the Skia library used in Firefox < 60.0 and Thunderbird < 52.8, due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5159
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1441941
Notes
CVE-2018-5160 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An uninitialized memory use vulnerability has been found in the WebRTC component of Firefox < 60.0, which can use a WrappedI420Buffer pixel buffer whose owning image object can be freed while it is still in use. This can result in the WebRTC encoder using uninitialized memory, leading to a potentially exploitable crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5160
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1436117
Notes
CVE-2018-5161 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A security issue has been found in Thunderbird before 52.8, where crafted message headers can cause a Thunderbird process to hang on receiving the message.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5161
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1411720
Notes