rpm package
suse/MozillaFirefox&distro=SUSE Linux Enterprise Server 12 SP5
pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
Vulnerabilities (593)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-11718 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, |
| CVE-2019-11719 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, |
| CVE-2019-11720 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | Some Unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox < 68. |
| CVE-2019-11721 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | The Unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as these do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68. |
| CVE-2019-11723 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web E |
| CVE-2019-11724 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects |
| CVE-2019-11725 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | When a user navigates to a site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing p |
| CVE-2019-11727 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messag |
| CVE-2019-11728 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that is accessible to a user when web content is loaded. This vulnerability affects Firefox < 68. |
| CVE-2019-11729 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
| CVE-2019-11730 | — | | | < 68.1.0-109.89.1 | 68.1.0-109.89.1 | Jul 23, 2019 | A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these |
| CVE-2018-5179 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Apr 26, 2019 | A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users. Affects all versions prior to Firefox 60. |
| CVE-2016-9069 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Oct 18, 2018 | A use-after-free in nsINode::ReplaceOrInsertBefore during DOM operations resulting in potentially exploitable crashes. This vulnerability affects Firefox < 50. |
| CVE-2018-5183 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | Mozilla developers backported selected changes in the Skia library. These changes correct memory corruption issues including invalid buffer reads and writes during graphic operations. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8. |
| CVE-2018-5182 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent "file:" URL. This vulne |
| CVE-2018-5181 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | If a URL using the "file:" protocol is dragged and dropped onto an open tab that is running in a different child process the tab will open a local file corresponding to the dropped URL, contrary to policy. One way to make the target tab open more reliably in a separate process is |
| CVE-2018-5180 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | A use-after-free vulnerability can occur during WebGL operations. While this results in a potentially exploitable crash, the vulnerability is limited because the memory is freed and reused in a brief window of time during the freeing of the same callstack. This vulnerability affe |
| CVE-2018-5178 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8, Thu |
| CVE-2018-5177 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | A vulnerability exists in XSLT during number formatting where a negative buffer size may be allocated in some instances, leading to a buffer overflow and crash if it occurs. This vulnerability affects Firefox < 60. |
| CVE-2018-5176 | — | | | < 68.2.0-109.95.2 | 68.2.0-109.95.2 | Jun 11, 2018 | The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the |