Search for packages
| purl | pkg:deb/debian/icedove@31.5.0-1~deb7u1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-11n2-z2te-8uhz
Aliases: CVE-2015-0807 |
Mozilla developer Christoph Kerschbaumer discovered an issue while investigating Mozilla Foundation Security Advisory 2015-03, previously reported by security researcher Muneaki Nishimura. This flaw was that a cross-origin resource sharing (CORS) request should not follow 30x redirections after preflight according to the specification. This only affects sendBeacon() requests but could allow for a potential Cross-site request forgery (XSRF) attack from malicious websites. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 134 other vulnerabilities. |
|
VCID-17z1-t58q-yqfz
Aliases: CVE-2016-2836 |
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-1msn-8tvt-ekhd
Aliases: CVE-2015-7182 |
Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS. |
Affected by 94 other vulnerabilities. |
|
VCID-1n21-dcjc-g3f7
Aliases: CVE-2017-5408 |
Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. |
Affected by 32 other vulnerabilities. |
|
VCID-1stj-xuxd-ykbt
Aliases: CVE-2016-2802 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-21wp-eycu-kbfu
Aliases: CVE-2016-1977 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-29cd-ee2e-eudd
Aliases: CVE-2016-2800 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-2bx8-2dn3-zyhv
Aliases: CVE-2015-7213 |
Security researcher Ronald Crane reported a vulnerability found through code inspection. This issue is an integer overflow while processing an MP4 format video file when an a erroneously-small buffer is allocated and then overrun, resulting in a potentially exploitable crash. This issue only affects 64-bit versions with 32-bit versions being unaffected.In general this flaw cannot be exploited through email in the Thunderbird product, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-2krw-arzc-83bf
Aliases: CVE-2017-7758 |
An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. |
Affected by 14 other vulnerabilities. |
|
VCID-2nux-rchb-k3fq
Aliases: CVE-2015-2737 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-347w-5rsv-tugs
Aliases: CVE-2017-7773 |
Heap-based Buffer Overflow write in Graphite2 library in Firefox before 54 in lz4::decompress src/Decompressor. |
Affected by 14 other vulnerabilities. |
|
VCID-3cp3-cxzm-17bt
Aliases: CVE-2017-7776 |
Heap-based Buffer Overflow read in Graphite2 library in Firefox before 54 in graphite2::Silf::getClassGlyph. |
Affected by 14 other vulnerabilities. |
|
VCID-3df4-jtcb-p3h1
Aliases: CVE-2017-5400 |
JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. |
Affected by 32 other vulnerabilities. |
|
VCID-3edf-hhbn-dqba
Aliases: CVE-2016-9898 |
Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. |
Affected by 32 other vulnerabilities. |
|
VCID-3nmw-zq4v-ebgc
Aliases: CVE-2016-1974 |
Security researcher Ronald Crane reported an out-of-bounds read following a failed allocation in the HTML parser while working with unicode strings. This can also affect the parsing of XML and SVG format data. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-3zm4-kw65-5khp
Aliases: CVE-2016-2791 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-4qyh-v6gx-uqfs
Aliases: CVE-2017-7785 |
A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-4u3g-ucaz-pkfd
Aliases: CVE-2017-7777 |
Use of uninitialized memory in Graphite2 library in Firefox before 54 in graphite2::GlyphCache::Loader::read_glyph function. |
Affected by 14 other vulnerabilities. |
|
VCID-5arh-jpfa-aya9
Aliases: CVE-2015-0815 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
Affected by 134 other vulnerabilities. |
|
VCID-5qtd-751s-mqhp
Aliases: CVE-2017-7784 |
A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-6929-dm6j-ufgv
Aliases: CVE-2015-0813 |
Security researcher Aki Helin reported a use-after-free when playing certain MP3 format audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. This can lead to a potentially exploitable crash. This flaw only affects Linux installations. Windows and OS X users are unaffected by it. |
Affected by 134 other vulnerabilities. |
|
VCID-6nes-q68w-ebgt
Aliases: CVE-2015-7189 |
Security researcher Looben Yang reported a buffer overflow in the JPEGEncoder function during script interactions with a canvas element. This is caused by a race condition and incorrectly matched sizes following image interactions. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-6t8u-wes9-6kfc
Aliases: CVE-2017-5407 |
Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. |
Affected by 32 other vulnerabilities. |
|
VCID-6ts4-3n4j-8fex
Aliases: CVE-2016-5290 |
Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Thunderbird ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-7jgy-prep-9ka9
Aliases: CVE-2016-9900 |
External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of data: URLs. This could allow for cross-domain data leakage. |
Affected by 32 other vulnerabilities. |
|
VCID-7mjw-rf57-rugg
Aliases: CVE-2016-2805 |
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-7svy-v5cp-u3fd
Aliases: CVE-2015-7575 |
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the accepting MD5 as a hash algorithm in signatures since 2011. This issues exposes NSS based clients such as Firefox to theoretical collision-based forgery attacks. This issue was fixed in NSS version 3.20.2. |
Affected by 94 other vulnerabilities. |
|
VCID-7xvr-jqtj-a3c7
Aliases: CVE-2016-2799 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-8e3r-hr9a-4bdw
Aliases: CVE-2017-7786 |
A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-8pk6-9wzx-47da
Aliases: CVE-2016-1964 |
Security researcher Nicolas Grégoire used the Address Sanitizer to find a use-after-free during XML transformation operations. This results in a potentially exploitable crash triggerable by web content. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-8rxk-qxz2-2ff6
Aliases: CVE-2016-9899 |
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. |
Affected by 32 other vulnerabilities. |
|
VCID-9dq3-sh61-s3h9
Aliases: CVE-2015-2734 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-9pm7-9tph-f3fz
Aliases: CVE-2015-2724 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-a342-967v-aycs
Aliases: CVE-2017-7802 |
A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. |
Affected by 14 other vulnerabilities. |
|
VCID-ab54-wdtp-33ea
Aliases: CVE-2016-2792 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-adqx-5gbp-pkbg
Aliases: CVE-2015-2738 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-age6-jr9v-2qcq
Aliases: CVE-2015-7197 |
Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-arv7-nfbr-dfc1
Aliases: CVE-2015-2721 |
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for a ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDSA certificate. This violates the TLS protocol and also has some security implications for forward secrecy. In this situation, the browser thinks it is engaged in an ECDHE exchange, but has been silently downgraded to a non-forward secret mixed-ECDH exchange instead. As a result, if False Start is enabled, the browser will start sending data encrypted under these non-forward-secret connection keys. This issue was fixed in NSS version 3.19.1. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-asfc-cmcs-b7hm
Aliases: CVE-2016-1954 |
Security researcher Nicolas Golubovic reported that a malicious page can overwrite files on the user's machine using Content Security Policy (CSP) violation reports. The file contents are restricted to the JSON format of the report. In many cases overwriting a local file may simply be destructive, breaking the functionality of that file. The CSP error reports can include HTML fragments which could be rendered by browsers. If a user has disabled add-on signing and has installed an "unpacked" add-on, a malicious page could overwrite one of the add-on resources. Depending on how this resource is used, this could lead to privilege escalation. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-awjf-692c-dubk
Aliases: CVE-2015-7200 |
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-bexe-a2pb-8ubp
Aliases: CVE-2016-1966 |
The CESG, the Information Security Arm of GCHQ, reported a dangling pointer dereference within the Netscape Plugin Application Programming Interface (NPAPI) that could lead to the NPAPI subsystem crashing. This issue requires a maliciously crafted NPAPI plugin in concert with scripted web content, resulting in a potentially exploitable crash when triggered. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-cfr5-npdq-j3fm
Aliases: CVE-2017-7771 |
Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphite2::Pass::readPass function. |
Affected by 14 other vulnerabilities. |
|
VCID-cxgc-yjjk-7fa4
Aliases: CVE-2016-5257 |
Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-d4jc-jjrm-4kfp
Aliases: CVE-2017-5390 |
The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. |
Affected by 32 other vulnerabilities. |
|
VCID-ddum-taaj-2kdx
Aliases: CVE-2015-2710 |
Using the Address Sanitizer tool, security researcher Atte Kettunen found a buffer overflow during the rendering of SVG format graphics when combined with specific CSS properties on a page. This results in a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 129 other vulnerabilities. |
|
VCID-dwe4-y9ka-6qby
Aliases: CVE-2015-2716 |
Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 129 other vulnerabilities. |
|
VCID-dx7d-zrtg-6kby
Aliases: CVE-2016-2806 |
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-e3u7-eyhx-nqf3
Aliases: CVE-2015-0801 |
Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass same-origin policy protections to run scripts in a privileged context. This newer variant found that the same flaw could be used during anchor navigation of a page, allowing bypassing of same-origin policy protections. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 134 other vulnerabilities. |
|
VCID-e6rt-wj7s-9qc9
Aliases: CVE-2016-9895 |
Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. |
Affected by 32 other vulnerabilities. |
|
VCID-e9nx-vbp7-mbbh
Aliases: CVE-2015-7201 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 94 other vulnerabilities. |
|
VCID-esvq-px6q-uubw
Aliases: CVE-2015-7181 |
Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS. |
Affected by 94 other vulnerabilities. |
|
VCID-fbup-v86f-97ex
Aliases: CVE-2016-2801 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-fv71-g376-5ua4
Aliases: CVE-2017-7753 |
An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. |
Affected by 14 other vulnerabilities. |
|
VCID-fydh-5vcp-tfd6
Aliases: CVE-2016-1935 |
Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow write when rendering some WebGL content. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-g5u2-5m8s-cfby
Aliases: CVE-2017-7807 |
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. |
Affected by 14 other vulnerabilities. |
|
VCID-gbxv-bdeg-77d2
Aliases: CVE-2015-4513 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 94 other vulnerabilities. |
|
VCID-gtbg-y7fe-wkex
Aliases: CVE-2016-9905 |
A potentially exploitable crash in EnumerateSubDocuments while adding or removing sub-documents. |
Affected by 32 other vulnerabilities. |
|
VCID-gwft-ftnm-sufv
Aliases: CVE-2017-7803 |
When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP. |
Affected by 14 other vulnerabilities. |
|
VCID-h5yu-dhjs-jfhh
Aliases: CVE-2015-4489 |
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included one use of unowned memory, one use of a deleted object, and one memory safety bug. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 94 other vulnerabilities. |
|
VCID-h7t9-j2ty-vqfh
Aliases: CVE-2017-7750 |
A use-after-free vulnerability during video control operations when a <track> element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-hggy-wmkk-3udj
Aliases: CVE-2015-2735 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-hhan-628q-tqbb
Aliases: CVE-2017-7756 |
A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR). This could result in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-hhuc-sqft-byfe
Aliases: CVE-2015-2740 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-hpa9-njdx-5bch
Aliases: CVE-2015-2736 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-hrwg-335p-kqbs
Aliases: CVE-2015-7198 |
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-hue9-wr9c-3yfw
Aliases: CVE-2017-7752 |
A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. |
Affected by 14 other vulnerabilities. |
|
VCID-j7dr-d5kk-4kdt
Aliases: CVE-2016-2798 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-jxju-q8ue-r7g7
Aliases: CVE-2016-2793 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-kphr-u6t6-yqeh
Aliases: CVE-2016-5291 |
A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. |
Affected by 32 other vulnerabilities. |
|
VCID-kxzj-2jys-ubc5
Aliases: CVE-2017-7749 |
A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-m3b3-mkbm-k3hu
Aliases: CVE-2017-5373 |
Mozilla developers and community members Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom Schuster, and Oriol reported memory safety bugs present in Thunderbird 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-m5ne-1n7g-8ka3
Aliases: CVE-2017-7772 |
Heap-based Buffer Overflow in Graphite2 library in Firefox before 54 in lz4::decompress function. |
Affected by 14 other vulnerabilities. |
|
VCID-mbbs-34nc-gyb4
Aliases: CVE-2017-7778 |
A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10. |
Affected by 14 other vulnerabilities. |
|
VCID-metk-5msu-zffq
Aliases: CVE-2017-5396 |
A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. |
Affected by 32 other vulnerabilities. |
|
VCID-mhc7-38eq-xqh2
Aliases: CVE-2016-9066 |
A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. |
Affected by 32 other vulnerabilities. |
|
VCID-n28y-9aw4-z3dq
Aliases: CVE-2016-1962 |
Security researcher Dominique Hazaël-Massieux reported a use-after-free issue when using multiple WebRTC data channel connections. This causes a potentially exploitable crash when a data channel connection is freed from within a call through it. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-n7zq-kjfr-kfd3
Aliases: CVE-2016-1950 |
Security researcher Francis Gabriel of Quarkslab reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute arbitrary code with the permissions of the user. This issue has been addressed in the NSS releases shipping on affected Mozilla products: |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-ndf2-cp9s-c3cz
Aliases: CVE-2016-1960 |
Security researcher ca0nguyen, working with HP's Zero Day Initiative, reported a use-after-free issue in the HTML5 string parser when parsing a particular set of table-related tags in a foreign fragment context such as SVG. This results in a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-ndm7-hzra-5bgp
Aliases: CVE-2017-7792 |
A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-npdh-ajd4-4bfb
Aliases: CVE-2017-5376 |
Use-after-free while manipulating XSL in XSLT documents |
Affected by 32 other vulnerabilities. |
|
VCID-nwk4-r82n-mufd
Aliases: CVE-2015-4487 |
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included one use of unowned memory, one use of a deleted object, and one memory safety bug. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 94 other vulnerabilities. |
|
VCID-pda8-gnfv-5qa5
Aliases: CVE-2017-5472 |
A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-pphb-ty98-tkgx
Aliases: CVE-2016-1979 |
Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes. This issue has been addressed in NSS 3.21.1, shipping in Firefox 45. |
Affected by 32 other vulnerabilities. |
|
VCID-ptfw-t9ej-z7b7
Aliases: CVE-2017-7751 |
A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-q4wr-b8ak-dbe6
Aliases: CVE-2017-7801 |
A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-qq41-ja86-2ya2
Aliases: CVE-2015-7212 |
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an integer overflow when when allocating textures of extremely larges sizes during graphics operations. This results in a potentially exploitable crash when triggered. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-qw8k-uaj6-pqgk
Aliases: CVE-2015-4473 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 94 other vulnerabilities. |
|
VCID-raem-kwtm-t7e7
Aliases: CVE-2017-7754 |
An out-of-bounds read in WebGL with a maliciously crafted ImageInfo object during WebGL operations. |
Affected by 14 other vulnerabilities. |
|
VCID-rb5k-j1nc-hyej
Aliases: CVE-2017-5375 |
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. |
Affected by 32 other vulnerabilities. |
|
VCID-rj6f-fqqu-73gs
Aliases: CVE-2017-7757 |
A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-rkku-97ca-q7g7
Aliases: CVE-2017-5380 |
A potential use-after-free found through fuzzing during DOM manipulation of SVG content. |
Affected by 32 other vulnerabilities. |
|
VCID-rnq7-9xzc-zfcv
Aliases: CVE-2015-0797 |
Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow during video playback on Linux systems. This was due to a problem in older versions of the Gstreamer plugin during the parsing of H.264 formatted video. This issue could be used to induce a possibly exploitable crash. This issue does not affect the current 1.0 version of Gstreamer and does not affect Windows or OS X systems. |
Affected by 129 other vulnerabilities. |
|
VCID-rwdr-vgwr-6fd2
Aliases: CVE-2017-7800 |
A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-s7rr-2tvd-xfah
Aliases: CVE-2016-9893 |
Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, Boris Zbarsky, and Marco Castelluccio reported memory safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-sa8g-umkv-93h6
Aliases: CVE-2017-7787 |
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. |
Affected by 14 other vulnerabilities. |
|
VCID-stvs-mzq6-27ef
Aliases: CVE-2017-7774 |
Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphite2::Silf::readGraphite function. |
Affected by 14 other vulnerabilities. |
|
VCID-sv59-6e26-bbgc
Aliases: CVE-2015-2713 |
Security researcher Scott Bell used the Address Sanitizer tool to discover a use-after-free error during the processing of text when vertical text is enabled. This leads to a potentially exploitable crash. |
Affected by 129 other vulnerabilities. |
|
VCID-sy78-y9qc-3ug1
Aliases: CVE-2017-7764 |
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts." |
Affected by 14 other vulnerabilities. |
|
VCID-t4qy-pne2-tfg8
Aliases: CVE-2016-2807 |
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-tekz-b2u3-8fcs
Aliases: CVE-2016-1523 |
Security researcher Holger Fuhrmannek reported that a malicious Graphite "smart font" could circumvent the validation of internal instruction parameters in the Graphite 2 library using special CNTXT_ITEM instructions. This could result in arbitrary code execution. This issue affected Graphite 2 version 1.3.4, which was used in the Firefox ESR branch. To address this issue and other security vulnerabilities recently disclosed by Cisco Talos affecting this version of the library, Firefox ESR has been updated to version 1.3.5, the same one used in Firefox 44. In general this flaw cannot be exploited through email in the Thunderbird product, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-tfz9-mdn5-ffhj
Aliases: CVE-2017-5402 |
A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. |
Affected by 32 other vulnerabilities. |
|
VCID-tpju-q2sh-rbck
Aliases: CVE-2015-4000 |
Security researcher Matthew Green reported a Diffie–Hellman (DHE) key processing issue in Network Security Services (NSS) where a man-in-the-middle (MITM) attacker can force a server to downgrade TLS connections to 512-bit export-grade cryptography by modifying client requests to include only export-grade cipher suites. The resulting weak key can then be leveraged to impersonate the server. This attack is detailed in the "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" paper and is known as the "Logjam Attack."This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-tyk6-m1s7-7fcu
Aliases: CVE-2015-7199 |
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included a buffer overflow in the ANGLE graphics library and two issues of missing status checks in SVG rendering and during cryptographic key manipulation. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-tznf-6ej8-7bg1
Aliases: CVE-2017-5405 |
Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. |
Affected by 32 other vulnerabilities. |
|
VCID-u62c-xz51-fbd4
Aliases: CVE-2016-2790 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-u7ae-pca4-j7fp
Aliases: CVE-2016-2795 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-uah2-uf25-rkg5
Aliases: CVE-2017-5401 |
A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitable. |
Affected by 32 other vulnerabilities. |
|
VCID-uanj-k2n4-j7ak
Aliases: CVE-2017-5383 |
URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. |
Affected by 32 other vulnerabilities. |
|
VCID-uqhq-r8p1-k7fn
Aliases: CVE-2016-2797 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-uu1s-gq4b-9fg2
Aliases: CVE-2015-7194 |
Security researcher Gustavo Grieco reported a buffer underflow in libjar triggered through a maliciously crafted ZIP format file. This results in a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-uw53-wc7r-afgd
Aliases: CVE-2016-5296 |
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. |
Affected by 32 other vulnerabilities. |
|
VCID-uxy7-4p8m-3fg7
Aliases: CVE-2016-9897 |
Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES. |
Affected by 32 other vulnerabilities. |
|
VCID-uyv2-1v9z-c7fj
Aliases: CVE-2016-9904 |
An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. |
Affected by 32 other vulnerabilities. |
|
VCID-uz8d-y5tg-mkbj
Aliases: CVE-2015-4488 |
Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included one use of unowned memory, one use of a deleted object, and one memory safety bug. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 94 other vulnerabilities. |
|
VCID-v3y1-1jnd-qkb7
Aliases: CVE-2015-2739 |
Security researcher Ronald Crane reported seven vulnerabilities affecting released code that he found through code inspection. These included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. |
Affected by 129 other vulnerabilities. Affected by 94 other vulnerabilities. |
|
VCID-vc8v-fq5q-vybn
Aliases: CVE-2017-5410 |
Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental sweeping is managed for memory cleanup. |
Affected by 32 other vulnerabilities. |
|
VCID-vf4x-44t6-13dz
Aliases: CVE-2016-1961 |
Security researcher lokihardt, working with HP's Zero Day Initiative, reported a use-after-free issue in the SetBody function of HTMLDocument. This results in a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-vg39-zu3z-8yge
Aliases: CVE-2016-1957 |
Security researchers Jose Martinez and Romina Santillan reported a memory leak in the libstagefright library when array destruction occurs during MPEG4 video file processing. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-vz2b-4a9g-eqfa
Aliases: CVE-2017-7779 |
Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-w2bh-w125-6qf7
Aliases: CVE-2017-7809 |
A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash. |
Affected by 14 other vulnerabilities. |
|
VCID-w2cv-hkkh-4kcb
Aliases: CVE-2017-5398 |
Mozilla developers and community members Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull, Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-w2n7-49dv-6ba3
Aliases: CVE-2015-7188 |
Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass same-origin policy. This flaw was caused by trailing whitespaces being evaluated differently when parsing IP addresses instead of alphanumeric hostnames. This could lead to a cross-site script (XSS) attack. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-wghz-erzn-hkgz
Aliases: CVE-2016-2818 |
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
Affected by 32 other vulnerabilities. |
|
VCID-wmdm-wzx4-nkhr
Aliases: CVE-2016-2794 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-wnpc-64sr-e7fq
Aliases: CVE-2015-7193 |
Security researcher Shinto K Anto reported an issue with cross-origin resource sharing (CORS) "preflight" requests when receiving certain Content-Type headers. This is due to an error in implementation resulting in trying to process multiple media types when they are returned in the Content-Type headers from a server. This is disallowed in the CORS specification and results in a simple instead of a "preflight" request, leading to potential same-origin policy violation. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-wyqh-8t7j-fbht
Aliases: CVE-2017-7791 |
On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. |
Affected by 14 other vulnerabilities. |
|
VCID-wywz-9zta-efdm
Aliases: CVE-2015-0816 |
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded though a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs was handled incorrectly and these restrictions could be bypassed if this flaw was combined with a separate vulnerability allowing for same-origin policy violation, it could be used to run arbitrary code. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 134 other vulnerabilities. |
|
VCID-x664-xzxa-ckbe
Aliases: CVE-2016-5297 |
An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues. |
Affected by 32 other vulnerabilities. |
|
VCID-xmuc-c5b6-a3ab
Aliases: CVE-2015-7214 |
Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-source: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-xsjn-fjrv-hfa8
Aliases: CVE-2016-9079 |
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. |
Affected by 32 other vulnerabilities. |
|
VCID-y1hs-1byq-mbhu
Aliases: CVE-2017-5404 |
A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. |
Affected by 32 other vulnerabilities. |
|
VCID-ybsg-p8wx-sqam
Aliases: CVE-2016-1930 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-yj1m-aufw-yuct
Aliases: CVE-2017-5470 |
Mozilla developers and community members Tyson Smith, Mats Palmgren, Philipp, Masayuki Nakano, Christian Holler, Andrew McCreight, Gary Kwong, André Bargull, Carsten Book, Jesse Schwartzentruber, Julian Hector, Marcia Knous, Ronald Crane, and Nils Ohlmeier reported memory safety bugs present in Firefox 53, Firefox ESR 52.1, and Thunderbird 52.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-yqd8-64h2-ekcc
Aliases: CVE-2015-7205 |
Security researcher Ronald Crane reported an underflow found through code inspection. This does not all have a clear mechanism to be exploited through web content but could be vulnerable if a means can be found to trigger it.In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Affected by 94 other vulnerabilities. |
|
VCID-yrhc-hchg-7kf3
Aliases: CVE-2016-2796 |
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. |
Affected by 94 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-yt4r-4gez-gfgc
Aliases: CVE-2016-1526 |
Affected by 94 other vulnerabilities. |
|
|
VCID-yvmp-jgtb-bfcy
Aliases: CVE-2015-2708 |
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
Affected by 129 other vulnerabilities. |
|
VCID-zbvf-vds2-zbd6
Aliases: CVE-2017-5378 |
Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object’s address can be discovered through hash codes, and also allows for data leakage of an object’s content using these hash codes. |
Affected by 32 other vulnerabilities. |
|
VCID-zxmj-tzr9-c3cy
Aliases: CVE-2016-9074 |
An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. |
Affected by 32 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1atw-2txv-jydj | Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a buffer overflow when making capitalization style changes during CSS parsing. This can cause a crash that is potentially exploitable. |
CVE-2014-1576
|
| VCID-1qch-mpm2-2ua6 | Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-1493
|
| VCID-27bs-ub3m-7fcx | Security researcher Joe Vennix from Rapid7 reported that passing a JavaScript object to XMLHttpRequest that mimics an input stream will a crash. This crash is not exploitable and can only be used for denial of service attacks. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1590
|
| VCID-2c12-xkmw-rba7 | Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free during host resolution in some circumstances. This leads to a potentially exploitable crash. |
CVE-2014-1532
|
| VCID-43hc-6n9u-7yer | Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes. This can lead to a potentially exploitable crash during WebM video playback. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1578
|
| VCID-4ymv-58y7-kybh | Security researcher SkyLined reported a use-after-free created by triggering the creation of a second root element while parsing HTML written to a document created with document.open(). This leads to a potentially exploitable crash.In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1592
|
| VCID-8k4x-p39x-p3hm | Developer Patrick Cozzi reported a crash in some circumstances when using the Cesium JavaScript library to generate WebGL content. Mozilla developers determined that this crash is potentially exploitable. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1556
|
| VCID-98gx-zzje-cfhx | Security researcher Jethro Beekman of the University of California, Berkeley reported a crash when the FireOnStateChange event is triggered in some circumstances. This leads to a use-after-free and a potentially exploitable crash when it occurs. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1555
|
| VCID-9dhq-vhpf-eqg3 | Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2015-0836
|
| VCID-9g92-xeur-sue1 | Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-1574
|
| VCID-aacf-9zz5-bfag | Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. |
CVE-2014-1533
|
| VCID-b6p1-6aza-due3 | Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-8634
|
| VCID-c8je-szqb-u3e2 | Security researcher Mariusz Mlynski discovered an issue where sites that have been given notification permissions by a user can bypass security checks on source components for the Web Notification API. This allows for script to be run in a privileged context through notifications, leading to arbitrary code execution on these sites. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1529
|
| VCID-cua7-h6xk-b7e6 | Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team reported an out of bounds write in the Netscape Portable Runtime (NSPR) leading to a potentially exploitable crash or code execution. This issue is fixed in NSPR version 4.10.6. This NSPR flaw was not exposed to web content in any shipped version of Firefox. |
CVE-2014-1545
|
| VCID-cwa3-wrxa-8ff7 | Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-1547
|
| VCID-e9km-d4gr-9yds | Security researcher Muneaki Nishimura reported that navigator.sendBeacon() does not follow the cross-origin resource sharing (CORS) specification. This results in the request from sendBeacon() lacking an origin header in violation of the W3C Beacon specification and not being treated as a CORS request. This allows for a potential Cross-site request forgery (XSRF) attack from malicious websites. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-8638
|
| VCID-f1t3-3c36-bbh2 | Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1567
|
| VCID-fbdf-q6pu-6kf1 | Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a fixed offset out of bounds read issue while decoding specifically formatted JPG format images. This causes a non-exploitable crash. |
CVE-2014-1523
|
| VCID-fgfx-47ad-6fda | Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security Center (GTISC) reported a bad casting from the BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior. This behavior is potentially exploitable with some compilers but no clear mechanism to trigger it through web content was identified. |
CVE-2014-1594
|
| VCID-fms6-tbu7-ybg5 | Security researcher Armin Ebert reported that a user readable file in a known local path could be uploaded to a malicious site. This was done by manipulating the autocomplete feature in a form and user interaction with it. While the local file is not visibly uploaded through the form, its contents are made available through the Document Object Model (DOM) to script content on the attacking page, leading to information disclosure. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2015-0822
|
| VCID-g6h4-cq47-5bc1 | Mozilla developer Robert O'Callahan reported a mechanism for timing attacks involving SVG filters and displacements input to feDisplacementMap. This allows displacements to potentially be correlated with values derived from content. This is similar to the previously reported techniques used for SVG timing attacks and could allow for text values to be read across domains, leading to information disclosure. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1505
|
| VCID-grsd-14b8-5ydq | Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-1562
|
| VCID-jjf8-bfjp-d7fk | Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua University reported reported that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read. In general this flaw cannot be exploited through email in the Thunderbird product, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-8639
|
| VCID-kae4-f2ku-4fa4 | Security researcher Nils used the Address Sanitizer to discover a use-after-free problem with the SMIL Animation Controller when interacting with and rendering improperly formed web content. This causes a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird and Seamonky products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1541
|
| VCID-kxsu-7d8e-akcy | Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to report an out-of-bounds read and an out-of-bounds write when rendering an improperly formatted SVG graphic. This could potentially allow the attacker to read uninitialized memory. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2015-0827
|
| VCID-m67w-mzaf-duch |
CVE-2014-3566
|
|
| VCID-mpbx-48aw-rbh2 | Security researchers Tyson Smith and Jesse Schwartzentruber used the Address Sanitizer tool while fuzzing to discover a use-after-free error resulting in a crash. This is a result of a pair of NSSCertificate structures being added to a trust domain and then one of them is removed while they are still in use by the trusted cache. This crash is potentially exploitable. This issue was addressed in the Network Security Services (NSS) library in version 3.16.2, shipping on affected platforms.In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1544
|
| VCID-mx87-qd7k-y7aw | Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video sharing using WebRTC. Once video sharing has started within a WebRTC session running within an <iframe>, video will continue to be shared even if the user selects the "e;Stop Sharing" button in the controls. The camera will also remain on even if the user navigates to another site and will begin streaming again if the user returns to the original site. This is a privacy problem and can lead to inadvertent video streaming. This does not affect implementations that are not within an <iframe>. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1586
|
| VCID-p7ny-wkrx-17e5 | Security researcher Paul Bandha used the used the Address Sanitizer tool to discover a use-after-free vulnerability when running specific web content with IndexedDB to create an index. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2015-0831
|
| VCID-peys-83eq-vqgr | Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-1518
|
| VCID-pnzg-ep3p-pbbn | Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video sharing using WebRTC. Once video sharing has started within a WebRTC session running within an <iframe>, video will continue to be shared even if the user selects the "e;Stop Sharing" button in the controls. The camera will also remain on even if the user navigates to another site and will begin streaming again if the user returns to the original site. This is a privacy problem and can lead to inadvertent video streaming. This does not affect implementations that are not within an <iframe>. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1585
|
| VCID-pvbr-sspz-eufv | Security researcher Mariusz Mlynski, via TippingPoint's Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open(). A second bug allowed the bypassing of the popup-blocker without user interaction. Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1510
|
| VCID-q23j-6ywc-uud5 | Security researcher George Hotz, via TippingPoint's Pwn2Own contest, discovered an issue where values are copied from an array into a second, neutered array. This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1514
|
| VCID-qg6z-q5gz-syb4 | Security researcher Nils discovered a use-after-free error in which the imgLoader object is freed while an image is being resized. This results in a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1531
|
| VCID-qp45-51af-syhx | Security researcher Mariusz Mlynski, via TippingPoint's Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open(). A second bug allowed the bypassing of the popup-blocker without user interaction. Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1511
|
| VCID-rvtm-yf4q-a3d8 | Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow when a script uses a non-XBL object as an XBL object because the XBL status of the object is not properly validated. The resulting memory corruption is potentially exploitable. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1524
|
| VCID-s8v6-d8yn-u7bj | Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a number of use-after-free and out of bounds read issues using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution. In general this flaw cannot be exploited through email in the Thunderbird and Seamonky products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1538
|
| VCID-u6nu-186u-auh1 | Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates.The Advanced Threat Research team at Intel Security also independently discovered and reported this issue.These have been addressed in the NSS releases shipping on affected Mozilla products: |
CVE-2014-1568
|
| VCID-urfm-xdca-xye9 | Security researcher Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover an out-of-bounds read during polygon rendering in MathML. This can allow web content to potentially read protected memory addresses. In combination with previous techniques used for SVG timing attacks, this could allow for text values to be read across domains, leading to information disclosure. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1508
|
| VCID-uuuq-8jhe-33hm | Mozilla security researcher moz_bug_r_a4 reported a method to use browser navigations through history to load a website with that page's baseURI property pointing to that of another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the browser. This allows for a cross-site scripting (XSS) attack or the theft of data through a phishing attack. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1530
|
| VCID-wsup-bb2y-k3cs | Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with text direction. This results in a crash which can lead to arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1581
|
| VCID-x6eg-dt6c-cucv | Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow during the parsing of media content. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1593
|
| VCID-xb7x-q641-mkh7 | Security researcher Atte Kettunen from OUSPG reported an out of bounds read during the decoding of WAV format audio files for playback. This could allow web content access to heap data as well as causing a crash. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because audio is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1497
|
| VCID-xepx-ajgs-43bz | Mozilla community member John reported a crash in the Skia library when scaling high quality images if the scaling operation takes too long. This is caused by the image data being discarded while still in use by the scaling operation. This crash is potentially exploitable on some systems. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1557
|
| VCID-ya5w-hkw5-9yg8 | Security research firm VUPEN, via TippingPoint's Pwn2Own contest, reported that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine, resulting in an exploitable use-after-free condition.In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1512
|
| VCID-z3hu-n45e-wua7 | Security researcher John Thomson discovered a memory corruption in the Cairo graphics library during font rendering of a PDF file for display. This memory corruption leads to a potentially exploitable crash and to a denial of service (DOS). This issues is not able to be triggered in a default configuration and would require a malicious extension to be installed. |
CVE-2014-1509
|
| VCID-zcny-hn57-tqhu | Security researcher Holger Fuhrmannek used the used the Address Sanitizer tool to discover an out-of-bounds read issue with Web Audio when interacting with custom waveforms with invalid values. This results in a crash and could allow for the reading of random memory which may contain sensitive data, or of memory addresses that could be used in combination with another bug. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1577
|
| VCID-zd36-7c8s-tych | Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2014-1587
|
| VCID-zdmn-zf3s-buep | Security researcher Jüri Aedla, via TippingPoint's Pwn2Own contest, reported that TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1513
|