Log

CVE-2018-5129 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Access restriction bypass
Description
+ A lack of parameter validation on IPC messages results in a potential out-of-bounds write in Thunderbird < 52.7.0, through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/#CVE-2018-5129
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1428947
Notes
CVE-2018-5144 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An integer overflow can occur during conversion of text to some Unicode character sets in Thunderbird < 52.7.0, due to an unchecked length parameter.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/#CVE-2018-5144
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1440926
Notes
CVE-2018-5145 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Various memory safety bugs have been found in Thunderbird < 52.7.0, some of them presenting evidence of memory corruption. Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/#CVE-2018-5145
+ https://bugzilla.mozilla.org/buglist.cgi?bug_id=1261175%2C1348955
Notes
CVE-2018-5146 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An out of bounds memory write vulnerability has been discovered in libvorbis before 1.3.6 while processing Vorbis audio data related to codebooks that are not an exact divisor of the partition size.
References
+ https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f
+ http://seclists.org/oss-sec/2018/q1/243
Notes
CVE-2018-5147 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An out of bounds memory write vulnerability has been discovered in libtremor while processing Vorbis audio data related to codebooks that are not an exact divisor of the partition size.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/#CVE-2018-5147
+ https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4a7082e24553f3d2c55dab397a17c4b4f
+ http://seclists.org/oss-sec/2018/q1/243
Notes
+ The libtremor library has the same flaw as CVE-2018-5146.
CVE-2018-5150 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Several memory safety bugs have been found in Firefox before 60.0 and Thunderbird before 52.8. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5150
+ https://bugzilla.mozilla.org/buglist.cgi?bug_id=1388020%2C1433609%2C1409440%2C1448705%2C1451376%2C1452202%2C1444668%2C1393367%2C1411415%2C1426129
Notes
CVE-2018-5151 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Several memory safety bugs has been found in Firefox before 60.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5151
+ https://bugzilla.mozilla.org/buglist.cgi?bug_id=1445234%2C1449530%2C1437455%2C1447989%2C1438827%2C1436983%2C1435036%2C1440465%2C1439723%2C1448771%2C1453653%2C1454359%2C1432323%2C1454126%2C1436759%2C1439655%2C1448612%2C1449358%2C1367727%2C1452417
Notes
CVE-2018-5152 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An information disclosure vulnerability has been found in Firefox < 60.0. WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5152
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
Notes
CVE-2018-5153 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An information disclosure vulnerability has been found in Firefox < 60.0. If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5153
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1436809
Notes
CVE-2018-5154 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability has been found in Firefox < 60.0 and Thunderbird < 52.8, while enumerating attributes during SVG animations with clip paths.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5154
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1443092
Notes