Total
178 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-12391 | 2 Google, Mozilla | 4 Android, Firefox, Firefox Esr and 1 more | 2024-08-05 | N/A |
| During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. | ||||
| CVE-2018-12358 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-08-05 | N/A |
| Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque. This vulnerability affects Firefox < 61. | ||||
| CVE-2018-12370 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-08-05 | N/A |
| In Reader View SameSite cookie protections are not checked on exiting. This allows for a payload to be triggered when Reader View is exited if loaded by a malicious site while Reader mode is active, bypassing CSRF protections. This vulnerability affects Firefox < 61. | ||||
| CVE-2018-12120 | 1 Nodejs | 1 Node.js | 2024-08-05 | 8.1 High |
| Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable. | ||||
| CVE-2018-8351 | 1 Microsoft | 9 Edge, Internet Explorer, Windows 10 and 6 more | 2024-08-05 | N/A |
| An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction, aka "Microsoft Browser Information Disclosure Vulnerability." This affects Internet Explorer 11, Microsoft Edge, Internet Explorer 10. | ||||
| CVE-2018-7422 | 1 Siteeditor | 1 Site Editor | 2024-08-05 | N/A |
| A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal. | ||||
| CVE-2018-5163 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-08-05 | N/A |
| If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process' privileges, escaping the sandbox on content processes. This vulnerability affects Firefox < 60. | ||||
| CVE-2018-5164 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-08-05 | N/A |
| Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60. | ||||
| CVE-2018-5157 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Firefox and 8 more | 2024-08-05 | N/A |
| Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. | ||||
| CVE-2018-1122 | 4 Canonical, Debian, Procps-ng Project and 1 more | 9 Ubuntu Linux, Debian Linux, Procps-ng and 6 more | 2024-08-05 | N/A |
| procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function. | ||||
| CVE-2019-17400 | 2 Redhat, Universal Office Converter Project | 2 Enterprise Linux, Universal Office Converter | 2024-08-05 | 7.5 High |
| The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. | ||||
| CVE-2019-17014 | 1 Mozilla | 1 Firefox | 2024-08-05 | 7.4 High |
| If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71. | ||||
| CVE-2019-16951 | 1 Enghouse | 1 Web Chat | 2024-08-05 | 5.3 Medium |
| A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. One can replace the localhost attribute with one's own domain name. When the product calls this domain after the POST request is sent, it retrieves an attacker's data and displays it. Also worth mentioning is the amount of information sent in the request from this product to the attacker: it reveals information the public should not have. This includes pathnames and internal ip addresses. | ||||
| CVE-2019-15839 | 1 Shaosina | 1 Sina Extension For Elementor | 2024-08-05 | N/A |
| The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion. | ||||
| CVE-2019-13589 | 1 Anjlab | 1 Paranoid2 | 2024-08-04 | N/A |
| The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5. | ||||
| CVE-2019-11770 | 1 Eclipse | 1 Buildship | 2024-08-04 | 8.1 High |
| In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this. | ||||
| CVE-2019-11762 | 3 Canonical, Mozilla, Redhat | 5 Ubuntu Linux, Firefox, Firefox Esr and 2 more | 2024-08-04 | 6.1 Medium |
| If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. | ||||
| CVE-2019-11743 | 2 Mozilla, Redhat | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2024-08-04 | 3.7 Low |
| Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. | ||||
| CVE-2019-11730 | 5 Debian, Mozilla, Opensuse and 2 more | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2024-08-04 | 6.5 Medium |
| A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | ||||
| CVE-2019-11742 | 2 Mozilla, Redhat | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2024-08-04 | 6.5 Medium |
| A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. | ||||