Multiple vulnerabilities in Mozilla Firefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 26 |
| CVE-ID | CVE-2018-5154 CVE-2018-5155 CVE-2018-5157 CVE-2018-5158 CVE-2018-5159 CVE-2018-5160 CVE-2018-5152 CVE-2018-5153 CVE-2018-5163 CVE-2018-5164 CVE-2018-5166 CVE-2018-5167 CVE-2018-5168 CVE-2018-5169 CVE-2018-5172 CVE-2018-5173 CVE-2018-5174 CVE-2018-5175 CVE-2018-5176 CVE-2018-5177 CVE-2018-5165 CVE-2018-5180 CVE-2018-5181 CVE-2018-5182 CVE-2018-5151 CVE-2018-5150 |
| CWE-ID | CWE-416 CWE-20 CWE-79 CWE-119 CWE-401 CWE-125 CWE-264 CWE-200 CWE-451 CWE-120 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 26 vulnerabilities.
1) Use-after-free error
EUVDB-ID: #VU12528
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5154
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error while enumerating attributes during SVG animations with clip paths. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU12529
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5155
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error while adjusting layout during SVG animations with text paths. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Same-origin policy bypass
EUVDB-ID: #VU12534
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5157
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass same-origin policy on the target system.
The weakness exists due to improper input validation. A remote attacker can trick the victim into visiting a specially crafted website, bypass same-origin protections for the PDF viewer and cause a malicious site to intercept messages meant for the viewer and retrieve PDF files restricted to viewing by an authenticated user on a third-party website.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site scripting
EUVDB-ID: #VU12535
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5158
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the PDF viewer does not sufficiently sanitize PostScript calculator functions. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks
MitigationUpdate to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Memory corruption
EUVDB-ID: #VU12530
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5159
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow in the Skia library while 32-bit integer use in an array without integer overflow checks. A remote attacker can trick the victim into visiting a specially crafted website, trigger out-of-bounds write and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory corruption
EUVDB-ID: #VU12531
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5160
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to WebRTC can use a WrappedI420Buffer pixel buffer but the owning image object can be freed while it is still in use. A remote attacker can trick the victim into visiting a specially crafted website, cause the WebRTC encoder using uninitialized memory, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU12536
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5152
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. A remote attacker can intercept username and an encrypted
password during login to Firefox Accounts.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU12541
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5153
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to out-of-bounds read in mixed content websocket messages. A remote attacker can send websocket data with mixed text and binary in a
single message, corrupt binary data, trigger an out-of-bounds read with
the read memory sent to the originating server in response.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Security restrictions bypass
EUVDB-ID: #VU12544
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5163
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to replacing of cached data in JavaScript start-up bytecode cache. A remote attacker with full
control over a content process can replace the
alternate data resources stored in the JavaScript Start-up Bytecode
Cache (JSBC) for other JavaScript code, run the executed script with the parent
process' privileges and escaping the sandbox on content processes.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site scripting
EUVDB-ID: #VU12545
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5164
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace
MIME type. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Security restrictions bypass
EUVDB-ID: #VU12547
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5166
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to WebExtensions can use request redirection and a filterReponseData
filter. A remote attacker can bypass host permission settings to redirect network traffic
and access content from a host for which he does not have explicit user
permission.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Information disclosure
EUVDB-ID: #VU12550
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5167
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper linkification of chrome: and javascript: content in web console and JavaScript debugger. A remote attacker can supply specially crafted output
and cause JavaScript debugger to display some content as clickable links.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Security restrictions bypass
EUVDB-ID: #VU12551
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5168
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper privileges or access controls. A remote attacker can manipulate the baseURI
property of the theme element, bypass security restrictions and cause lightweight themes to be installed without user interaction which could contain offensive or embarrassing images.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Security restrictions bypass
EUVDB-ID: #VU12553
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5169
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper privileges or access controls. A remote attacker can drag and drop specially crafted manipulated hyperlinked text containing chrome: URL on the "home" icon, cause the home page to be
reset to include a normally-unlinkable chrome page as one of the home
page tabs.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Security restrictions bypass
EUVDB-ID: #VU12556
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5172
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to the Live Bookmarks page and the PDF viewer can run injected script content from the clipboard. A remote attacker can trick the victim into coping and pasting script from the clipboard into the Live Bookmarks page and the PDF viewer while viewing RSS feeds or PDF files and run malicious script content with the context of the page.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Spoofing attack
EUVDB-ID: #VU12559
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5173
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack.
The vulnerability exists due to the filename appearing in the Downloads panel improperly renders some Unicode characters. A remote attacker can spoof the filename and obscure the file extension of potentially executable files from user view in the panel.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Security restrictions bypass
EUVDB-ID: #VU12563
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5174
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to the Windows Defender SmartScreen UI runs with less secure behavior for downloaded files. A remote attacker can bypass security restrictions and perform further attack.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Security restrictions bypass
EUVDB-ID: #VU12564
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5175
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to improper security mechanism of Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic'. A remote attacker can inject a reference to a copy of the require.js library that is part of Firefox’s Developer Tools and bypass Content Security Policy (CSP) protections for sites that have a script-src policy of 'strict-dynamic'.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Cross-site scripting
EUVDB-ID: #VU12565
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5176
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including javascript: links. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Buffer overflow
EUVDB-ID: #VU12567
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5177
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to boundary error in XSLT during number formatting. A remote unauthenticated attacker can allocate negative buffer size, trigger memory corruption and cause the service to crash.
MitigationUpdate to version 60.0.
http://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Security restrictions bypass
EUVDB-ID: #VU12570
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5165
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to the Adobe Flash plugin setting for 'Enable Adobe Flash protected mode' displays the opposite status of the Adobe Flash sandbox. A remote attacker can bypass security restrictions and turn protections off.
MitigationUpdate to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Heap-use-after-free error
EUVDB-ID: #VU12532
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5180
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-used-after-free error during WebGL operations. A remote attacker can trick the victim into visiting a specially crafted website, cause the memory to be freed and reused in a brief window of time during the freeing of the same callstack.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Information disclosure
EUVDB-ID: #VU12571
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5181
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
file: protocol onto an open tab that is running in a different child process and cause the system to display local files in tabs or the hyperlink.Mitigation
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Information disclosure
EUVDB-ID: #VU12572
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5182
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Memory corruption
EUVDB-ID: #VU12574
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5151
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Buffer overflow
EUVDB-ID: #VU12566
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5150
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability result may result in system compromise.
Update to version 60.0.
Mozilla Firefox: 59.0 - 59.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
