| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-12385 |
20 |
|
|
2018-10-18 |
2018-12-06 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. This vulnerability affects Thunderbird < 60.2.1, Firefox ESR < 60.2.1, and Firefox < 62.0.2. |
|
2 |
CVE-2018-12379 |
787 |
|
|
2018-10-18 |
2018-12-06 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
When the Mozilla Updater opens a MAR format file which contains a very long item filename, an out-of-bounds write can be triggered, leading to a potentially exploitable crash. This requires running the Mozilla Updater manually on the local system with the malicious MAR file in order to occur. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. |
|
3 |
CVE-2018-12367 |
20 |
|
|
2018-10-18 |
2018-12-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61. |
|
4 |
CVE-2018-12366 |
125 |
|
|
2018-10-18 |
2018-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. |
|
5 |
CVE-2018-12365 |
200 |
|
+Info |
2018-10-18 |
2018-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. |
|
6 |
CVE-2018-12358 |
200 |
|
+Info |
2018-10-18 |
2018-12-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque. This vulnerability affects Firefox < 61. |
|
7 |
CVE-2018-5185 |
200 |
|
+Info |
2018-06-11 |
2018-11-25 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. |
|
8 |
CVE-2018-5176 |
20 |
|
|
2018-06-11 |
2018-08-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60. |
|
9 |
CVE-2018-5175 |
20 |
|
Bypass |
2018-06-11 |
2018-08-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60. |
|
10 |
CVE-2018-5172 |
74 |
|
|
2018-06-11 |
2018-08-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page but does not allow for privilege escalation. This vulnerability affects Firefox < 60. |
|
11 |
CVE-2018-5170 |
20 |
|
|
2018-06-11 |
2018-11-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. |
|
12 |
CVE-2018-5169 |
20 |
|
|
2018-06-11 |
2018-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs. This vulnerability affects Firefox < 60. |
|
13 |
CVE-2018-5167 |
20 |
|
|
2018-06-11 |
2018-08-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display "javascript:" links, which users could be tricked into clicking by malicious sites. This vulnerability affects Firefox < 60. |
|
14 |
CVE-2018-5164 |
79 |
|
XSS |
2018-06-11 |
2018-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60. |
|
15 |
CVE-2018-5161 |
20 |
|
|
2018-06-11 |
2018-11-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Crafted message headers can cause a Thunderbird process to hang on receiving the message. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. |
|
16 |
CVE-2018-5152 |
200 |
|
+Info |
2018-06-11 |
2018-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in. This vulnerability affects Firefox < 60. |
|
17 |
CVE-2018-5143 |
79 |
|
XSS |
2018-06-11 |
2018-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59. |
|
18 |
CVE-2018-5133 |
200 |
|
+Info |
2018-06-11 |
2018-08-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This stored preference is also executed whenever an EME video player plugin displays a CDM-disabled message as a notification message. This vulnerability affects Firefox < 59. |
|
19 |
CVE-2018-5132 |
200 |
|
+Info |
2018-06-11 |
2018-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. This could allow a malicious WebExtension to search for otherwise protected data if a user has it open. This vulnerability affects Firefox < 59. |
|
20 |
CVE-2018-5131 |
200 |
|
+Info |
2018-06-11 |
2018-10-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59. |
|
21 |
CVE-2018-5111 |
20 |
|
|
2018-06-11 |
2018-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site. This vulnerability affects Firefox < 58. |
|
22 |
CVE-2018-5108 |
200 |
|
+Info |
2018-06-11 |
2018-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. This could allow for the leaking of private information specific to the private browsing context. This issue is mitigated by the requirement that the user enter the Blob URL manually in order for the access violation to occur. This vulnerability affects Firefox < 58. |
|
23 |
CVE-2017-17689 |
310 |
|
|
2018-05-16 |
2018-06-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. |
|
24 |
CVE-2017-17688 |
310 |
|
|
2018-05-16 |
2018-06-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. |
|
25 |
CVE-2017-11698 |
119 |
|
Overflow |
2017-12-27 |
2018-01-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. |
|
26 |
CVE-2017-11697 |
119 |
|
DoS Overflow |
2017-12-27 |
2018-01-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file. |
|
27 |
CVE-2017-11696 |
119 |
|
Overflow |
2017-12-27 |
2018-01-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. |
|
28 |
CVE-2017-11695 |
119 |
|
Overflow |
2017-12-27 |
2018-01-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. |
|
29 |
CVE-2017-7847 |
200 |
|
+Info |
2018-06-11 |
2018-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2. |
|
30 |
CVE-2017-7844 |
200 |
|
+Info |
2018-06-11 |
2018-08-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A combination of an external SVG image referenced on a page and the coloring of anchor links stored within this image can be used to determine which pages a user has in their history. This can allow a malicious website to query user history. Note: This issue only affects Firefox 57. Earlier releases are not affected. This vulnerability affects Firefox < 57.0.1. |
|
31 |
CVE-2017-7840 |
79 |
|
Exec Code XSS |
2018-06-11 |
2018-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks if users were convinced to add malicious tags to bookmarks, export them, and then open the resulting file. This vulnerability affects Firefox < 57. |
|
32 |
CVE-2017-7839 |
79 |
|
XSS |
2018-06-11 |
2018-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerability affects Firefox < 57. |
|
33 |
CVE-2017-7836 |
264 |
|
|
2018-06-11 |
2018-06-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected. This vulnerability affects Firefox < 57. |
|
34 |
CVE-2017-7834 |
79 |
|
XSS Bypass |
2018-06-11 |
2018-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A "data:" URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions when "data:" documents also inherited the context of the original page this would allow for potential cross-site scripting (XSS) attacks. This vulnerability affects Firefox < 57. |
|
35 |
CVE-2017-7830 |
284 |
|
|
2018-06-11 |
2018-08-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. |
|
36 |
CVE-2017-7823 |
79 |
|
XSS |
2018-06-11 |
2018-08-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. |
|
37 |
CVE-2017-7799 |
79 |
|
XSS |
2018-06-11 |
2018-08-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
JavaScript in the "about:webrtc" page is not sanitized properly being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack. This vulnerability affects Firefox < 55. |
|
38 |
CVE-2017-7794 |
264 |
|
|
2018-06-11 |
2018-08-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system. Other operating systems are not affected. This vulnerability affects Firefox < 55. |
|
39 |
CVE-2017-7781 |
310 |
|
|
2018-06-11 |
2018-08-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFINITY" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox < 55. |
|
40 |
CVE-2017-7770 |
20 |
|
|
2018-06-11 |
2018-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A mechanism where when a new tab is loaded through JavaScript events, if fullscreen mode is then entered, the addressbar will not be rendered. This would allow a malicious site to displayed a spoofed addressbar, showing the location of an arbitrary website instead of the one loaded. Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. This vulnerability affects Firefox < 54. |
|
41 |
CVE-2017-7766 |
264 |
|
|
2018-06-11 |
2018-08-13 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. |
|
42 |
CVE-2017-7760 |
417 |
|
Bypass |
2018-06-11 |
2018-08-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. |
|
43 |
CVE-2017-5466 |
79 |
|
XSS |
2018-06-11 |
2018-08-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
|
44 |
CVE-2017-5458 |
79 |
|
XSS |
2018-06-11 |
2018-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
When a "javascript:" URL is drag and dropped by a user into the addressbar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves. This vulnerability affects Firefox < 53. |
|
45 |
CVE-2017-5453 |
20 |
|
|
2018-06-11 |
2018-08-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A mechanism to inject static HTML into the RSS reader preview page due to a failure to escape characters sent as URL parameters for a feed's "TITLE" element. This vulnerability allows for spoofing but no scripted content can be run. This vulnerability affects Firefox < 53. |
|
46 |
CVE-2017-5452 |
20 |
|
|
2018-06-11 |
2018-08-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Malicious sites can display a spoofed addressbar on a page when the existing location bar on the new page is scrolled out of view if an HTML editable page element is user selected. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 53. |
|
47 |
CVE-2017-5451 |
20 |
|
|
2018-06-11 |
2018-08-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
|
48 |
CVE-2017-5420 |
20 |
|
|
2018-06-11 |
2018-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A "javascript:" url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the addressbar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly. This vulnerability affects Firefox < 52. |
|
49 |
CVE-2017-5414 |
200 |
|
+Info |
2018-06-11 |
2018-08-02 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird < 52. |
|
50 |
CVE-2017-5407 |
200 |
|
+Info |
2018-06-11 |
2018-07-31 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. |
