FreshPorts - VuXML

Mozilla Foundation reports:

MFSA 2009-32 JavaScript chrome privilege escalation

MFSA 2009-31 XUL scripts bypass content-policy checks

MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar

MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null

MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object

MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests

MFSA 2009-26 Arbitrary domain cookie access by local file: resources

MFSA 2009-25 URL spoofing with invalid unicode characters

MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

< 2.0.0.20_8,1

gt 3.*,1 lt 3.0.11,1

< 3.0.11

< 2.0.0.22

< 1.1.17

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

ge 0.3.0 lt 0.3.0_1

< 0.2.0_2

< 0.3.0_3

< 48.0.2564.109

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

< 56.0.2_10,1

< 2.49.2

< 52.5.0,1

< 52.5.0,2

< 52.5.0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• Web forgery overwrite with div overlay
• URL token stealing via stylesheet redirect
• Mishandling of locally-saved plain text files
• File action dialog tampering
• Possible information disclosure in BMP decoder
• Web browsing history and forward navigation stealing
• Directory traversal via chrome: URI
• Stored password corruption
• Privilege escalation, XSS, Remote Code Execution
• Multiple file input focus stealing vulnerabilities
• Crashes with evidence of memory corruption (rv:1.8.1.12)

< 2.0.0.12,1

< 2.0.0.12

< 1.1.8

< 1.0.9

gt 0

The Mozilla Project reports:

MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9

MFSA 2012-22 use-after-free in IDBKeyRange

MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface

MFSA 2012-24 Potential XSS via multibyte content processing errors

MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite

MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error

MFSA 2012-27 Page load short-circuit can lead to XSS

MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions

MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues

MFSA 2012-30 Crash with WebGL content using textImage2D

MFSA 2012-31 Off-by-one error in OpenType Sanitizer

MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors

MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds

gt 11.0,1 lt 12.0,1

< 10.0.4,1

< 10.0.4,1

< 2.9

< 10.0.4

< 2.9

gt 11.0 lt 12.0

< 10.0.4

gt 1.9.2.* lt 10.0.4

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 53.0_2,1

< 2.49.1

ge 46.0,1 lt 52.1.0_2,1

< 45.9.0,1

ge 46.0,2 lt 52.1.0,2

< 45.9.0,2

ge 46.0 lt 52.1.0

< 45.9.0

ge 46.0 lt 52.1.0

< 45.9.0

A Mozilla Foundation Security Advisory reports:

moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window. Scripts in the web page can override properties and methods of DOM nodes and shadow the native values, unless steps are taken to get the true underlying values.

We found that most extensions also interacted with content DOM in a natural, but unsafe, manner. Changes were made so that chrome code using this natural DOM coding style will now automatically use the native DOM value if it exists without having to use cumbersome wrapper objects.

Most of the specific exploits involved tricking the privileged code into calling eval() on an attacker-supplied script string, or the equivalent using the Script() object. Checks were added in the security manager to make sure eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privileges of the context calling them.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

< 1.7.7,2

ge 1.8.*,2

< 1.7.7

ge 1.8.*

ge 0

ge 0

ge 0

Mozilla Foundation reports:

CVE-2016-9894: Buffer overflow in SkiaGL

CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements

CVE-2016-9895: CSP bypass using marquee tag

CVE-2016-9896: Use-after-free with WebVR

CVE-2016-9897: Memory corruption in libGLES

CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees

CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs

CVE-2016-9904: Cross-origin information leak in shared atoms

CVE-2016-9901: Data from Pocket server improperly sanitized before execution

CVE-2016-9902: Pocket extension does not validate the origin of events

CVE-2016-9903: XSS injection vulnerability in add-ons SDK

CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6

< 50.1.0_1,1

< 2.47

< 45.6.0,1

< 45.6.0,2

< 45.6.0

The Mozilla Project reports:

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in potentially exploitable crashes.

< 1.4.0.488

< 40.0,1

< 40.0,1

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-08 onUnload + document.write() memory corruption
• MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
• MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
• MFSA 2007-05 XSS and local file access by opening blocked popups
• MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
• MFSA 2007-03 Information disclosure through cache collisions
• MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
• MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

< 1.5.0.10,1

gt 2.*,1 lt 2.0.0.2,1

< 1.5.0.10

< 0.3.1

< 1.0.8

ge 1.1 lt 1.1.1

< 1.5.0.10

< 3.0.a2007.04.18

< 1.5.a2007.04.18

gt 0

Mozilla Project reports:

MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

MFSA 2009-42: Compromise of SSL-protected communication

MFSA 2009-43: Heap overflow in certificate regexp parsing

MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL

MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)

MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper

< 3.*,1

gt 3.*,1 lt 3.0.13,1

gt 3.5.*,1 lt 3.5.2,1

< 3.5.2

< 1.1.18

gt 0

< 2.0.0.23

Mozilla Foundation reports:

MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

MFSA 2016-50 Buffer overflow parsing HTML5 fragments

MFSA 2016-51 Use-after-free deleting tables from a contenteditable document

MFSA 2016-52 Addressbar spoofing though the SELECT element

MFSA 2016-54 Partial same-origin-policy through setting location.host through data URI

MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction

MFSA 2016-57 Incorrect icon displayed on permissions notifications

MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission

MFSA 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes

MFSA 2016-60 Java applets bypass CSP protections

< 47.0,1

< 2.44

< 45.2.0,1

< 45.2.0,2

< 45.2.0

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

< 52.0.1,1

The Mozilla Project reports:

MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

MFSA 2013-22 Out-of-bounds read in image rendering

MFSA 2013-23 Wrapped WebIDL objects can be wrapped again

MFSA 2013-24 Web content bypass of COW and SOW security wrappers

MFSA 2013-25 Privacy leak in JavaScript Workers

MFSA 2013-26 Use-after-free in nsImageLoadingContent

MFSA 2013-27 Phishing on HTTPS connection through malicious proxy

MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer

gt 18.0,1 lt 19.0,1

< 17.0.3,1

< 17.0.3,1

< 2.16

< 17.0.3

< 2.16

gt 11.0 lt 17.0.3

< 10.0.12

gt 1.9.2.* lt 10.0.12

The Mozilla Foundation reports:

MFSA 2008-69 XSS vulnerabilities in SessionStore

MFSA 2008-68 XSS and JavaScript privilege escalation

MFSA 2008-67 Escaped null characters ignored by CSS parser

MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters

MFSA 2008-65 Cross-domain data theft via script redirect error message

MFSA 2008-64 XMLHttpRequest 302 response disclosure

MFSA 2008-62 Additional XSS attack vectors in feed preview

MFSA 2008-61 Information stealing via loadBindingDocument

MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

< 2.0.0.20,1

gt 3.*,1 lt 3.0.5,1

< 2.0.0.20

< 1.1.14

< 2.0.0.18

Mozilla Foundation reports:

Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.

< 2.0.0.14,1

< 2.0.0.14

< 1.1.10

< 1.1.2

gt 0

< 2.0.0.14

The Mozilla Project reports:

MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

MFSA 2012-75 select element persistance allows for attacks

MFSA 2012-76 Continued access to initial origin after setting document.domain

MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

MFSA 2012-78 Reader Mode pages have chrome privileges

MFSA 2012-79 DOS and crash with full screen and history navigation

MFSA 2012-80 Crash with invalid cast when using instanceof operator

MFSA 2012-81 GetProperty function can bypass security checks

MFSA 2012-82 top object and location property accessible by plugins

MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties

MFSA 2012-84 Spoofing and script injection through location.hash

MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

MFSA 2012-87 Use-after-free in the IME State Manager

MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

MFSA 2012-89 defaultValue security checks not applied

gt 11.0,1 lt 16.0.1,1

< 10.0.9,1

< 10.0.9,1

< 2.13.1

< 10.0.9

< 2.13.1

gt 11.0 lt 16.0.1

< 10.0.9

gt 1.9.2.* lt 10.0.9

The Mozilla Foundation reports a vulnerability within the mozilla browser. This vulnerability also affects various other browsers like firefox and seamonkey. The vulnerability is caused by QuickTime Media-Link files that contain a qtnext attribute. This could allow an attacker to start the browser with arbitrary command-line options. This could allow the attacker to install malware, steal local data and possibly execute and/or do other arbitrary things within the users context.

< 2.0.0.7,1

< 2.0.0.7

< 1.1.5

< 3.0.a2007.12.12

< 2.0.a2007.12.12

gt 0

The Mozilla Project reports:

ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data

MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory

MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer

MFSA-2014-88 Buffer overflow while parsing media content

MFSA-2014-87 Use-after-free during HTML5 parsing

MFSA-2014-86 CSP leaks redirect data via violation reports

MFSA-2014-85 XMLHttpRequest crashes with some input streams

MFSA-2014-84 XBL bindings accessible via improper CSS declarations

MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

< 34.0,1

< 31.3.0,1

< 34.0,1

< 2.31

< 31.3.0

< 2.31

< 31.3.0

< 31.3.0

< 3.17.3

The Mozilla Project reports:

MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

MFSA 2012-58 Use-after-free issues found using Address Sanitizer

MFSA 2012-59 Location object can be shadowed using Object.defineProperty

MFSA 2012-60 Escalation of privilege through about:newtab

MFSA 2012-61 Memory corruption with bitmap format images with negative height

MFSA 2012-62 WebGL use-after-free and memory corruption

MFSA 2012-63 SVG buffer overflow and use-after-free issues

MFSA 2012-64 Graphite 2 memory corruption

MFSA 2012-65 Out-of-bounds read in format-number in XSLT

MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation

MFSA 2012-67 Installer will launch incorrect executable following new installation

MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html

MFSA 2012-69 Incorrect site SSL certificate data display

MFSA 2012-70 Location object security checks bypassed by chrome code

MFSA 2012-71 Insecure use of __android_log_print

MFSA 2012-72 Web console eval capable of executing chrome-privileged code

gt 11.0,1 lt 15.0,1

< 10.0.7,1

< 10.0.7,1

< 2.12

< 10.0.7

< 2.12

gt 11.0 lt 15.0

< 10.0.7

gt 1.9.2.* lt 10.0.7

The Mozilla Foundation reports:

MFSA 2008-58 Parsing error in E4X default namespace

MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals

MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation

MFSA 2008-55 Crash and remote code execution in nsFrameManager

MFSA 2008-54 Buffer overflow in http-index-format parser

MFSA 2008-53 XSS and JavaScript privilege escalation via session restore

MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)

MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome

MFSA 2008-50 Crash and remote code execution via __proto__ tampering

MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading

MFSA 2008-48 Image stealing via canvas and HTTP redirect

MFSA 2008-47 Information stealing via local shortcut files

MFSA 2008-46 Heap overflow when canceling newsgroup message

MFSA 2008-44 resource: traversal vulnerabilities

MFSA 2008-43 BOM characters stripped from JavaScript before execution

MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)

MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution

MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation

MFSA 2008-37 UTF-8 URL stack buffer overflow

< 2.0.0.18,1

gt 3.*,1 lt 3.0.4,1

< 2.0.0.18

< 1.1.13

< 2.0.0.18

The Mozilla Project reports:

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata

< 38.0,1

< 38.0,1

< 2.35

< 2.35

< 31.7.0,1

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

The Mozilla Project reports:

MFSA 2014-66 IFRAME sandbox same-origin access through redirect

MFSA 2014-65 Certificate parsing broken by non-standard character encoding

MFSA 2014-64 Crash in Skia library when scaling high quality images

MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache

MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library

MFSA 2014-61 Use-after-free with FireOnStateChange event

MFSA 2014-60 Toolbar dialog customization event spoofing

MFSA 2014-59 Use-after-free in DirectWrite font handling

MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering

MFSA 2014-57 Buffer overflow during Web Audio buffering for playback

MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

< 31.0,1

< 24.7.0,1

< 31.0,1

< 24.7.0

< 24.7.0

< 3.16.1_2

The Mozilla Project reports:

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API

< 33.0,1

< 31.2.0,1

< 33.0,1

< 2.30

< 31.2.0

< 2.30

< 31.2.0

< 31.2.0

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

< 62.0_1,1

< 56.2.3

< 2.49.5

< 60.2.0_1,1

< 60.2.0,2

< 60.2

Mozilla Foundation reports:

MFSA 2009-22: Firefox allows Refresh header to redirect to javascript: URIs

MFSA 2009-21: POST data sent to wrong site when saving web page with embedded frame

MFSA 2009-20: Malicious search plugins can inject code into arbitrary sites

MFSA 2009-19: Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString

MFSA 2009-18: XSS hazard using third-party stylesheets and XBL bindings

MFSA 2009-17: Same-origin violations when Adobe Flash loaded via view-source: scheme

MFSA 2009-16: jar: scheme ignores the content-disposition: header on the inner URI

MFSA 2009-15: URL spoofing with box drawing character

MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

< 2.0.0.20_7,1

gt 3.*,1 lt 3.0.9,1

< 3.0.9

gt 0

< 1.1.17

< 2.0.0.22

The Mozilla Project reports:

MFSA-2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

MFSA-2015-12 Invoking Mozilla updater will load locally stored DLL files

MFSA-2015-13 Appended period to hostnames can bypass HPKP and HSTS protections

MFSA-2015-14 Malicious WebGL content crash when writing strings

MFSA-2015-15 TLS TURN and STUN connections silently fail to simple TCP connections

MFSA-2015-16 Use-after-free in IndexedDB

MFSA-2015-17 Buffer overflow in libstagefright during MP4 video playback

MFSA-2015-18 Double-free when using non-default memory allocators with a zero-length XHR

MFSA-2015-19 Out-of-bounds read and write while rendering SVG content

MFSA-2015-20 Buffer overflow during CSS restyling

MFSA-2015-21 Buffer underflow during MP3 playback

MFSA-2015-22 Crash using DrawTarget in Cairo graphics library

MFSA-2015-23 Use-after-free in Developer Console date with OpenType Sanitiser

MFSA-2015-24 Reading of local files through manipulation of form autocomplete

MFSA-2015-25 Local files or privileged URLs in pages can be opened into new tabs

MFSA-2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs

MFSA-2015-27 Caja Compiler JavaScript sandbox bypass

< 36.0,1

< 31.5.0,1

< 36.0,1

< 2.33

< 31.5.0

< 2.33

< 31.5.0

< 31.5.0

The Mozilla Project reports:

Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Title: Memory corruption found using Address Sanitizer

Privileged content access and execution via XBL

Arbitrary code execution within Profiler

Execution of unmapped memory through onreadystatechange

Data in the body of XHR HEAD requests leads to CSRF attacks

SVG filters can lead to information disclosure

PreserveWrapper has inconsistent behavior

Sandbox restrictions not applied to nested frame elements

X-Frame-Options ignored when using server push with multi-part responses

XrayWrappers can be bypassed to run user defined methods in a privileged context

getUserMedia permission dialog incorrectly displays location

Homograph domain spoofing in .com, .net and .name

Inaccessible updater can lead to local privilege escalation

gt 18.0,1 lt 22.0,1

< 17.0.7,1

< 17.0.7,1

< 2.19

< 17.0.7

< 2.19

gt 11.0 lt 17.0.7

The Mozilla Foundation reports:

MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

< 44.0.2,1

< 44.0.2,1

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -