Log

CVE-2018-5155 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability has been found in Firefox < 60.0 and Thunderbird < 52.8, while adjusting layout during SVG animations with text paths.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5155
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1448774
Notes
CVE-2018-5156 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A vulnerability can occur in Firefox before 61.0 and Thunderbird before 60.0 when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5156
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1453127
Notes
CVE-2018-5157 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Same-origin policy bypass
Description
+ A same-origin policy bypass vulnerability has been found in the PDF viewer of Firefox < 60.0, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5157
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1449898
Notes
CVE-2018-5158 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A insufficient sanitization of Postscript calculator functions vulnerability has been found in the PDF viewer of Firefox < 60.0, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1452075
Notes
CVE-2018-5159 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An integer overflow vulnerability has been found in the Skia library used in Firefox < 60.0 and Thunderbird < 52.8, due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5159
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1441941
Notes
CVE-2018-5160 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A uninitialized memory use vulnerability has been found in the WebRTC component of Firefox < 60.0, which can use a WrappedI420Buffer pixel buffer whose owning image object can be freed while it is still in use. This can result in the WebRTC encoder using uninitialized memory, leading to a potentially exploitable crash.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5160
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1436117
Notes
CVE-2018-5161 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A security issue has been found in Thunderbird before 52.8, where crafted message headers can cause a Thunderbird process to hang on receiving the message.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5161
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1411720
Notes
CVE-2018-5162 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ A security issue has been found in Thunderbird before 52.8, where plaintext of decrypted emails can leak through the src attribute of remote images, or links.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5162
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1457721
Notes
+ I'm guessing this is related to CVE-2017-17688 but Mozilla has not included any details and I'm not a mind reader.
CVE-2018-5163 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Sandbox escape
Description
+ A sandbox escape vulnerability has been found in Firefox < 60.0. If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process' privileges, escaping the sandbox on content processes.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5163
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1426353
Notes
CVE-2018-5164 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ A Content Security Policy (CSP) bypass has been found in Firefox < 60.0, where the CSP is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5164
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1416045
Notes