Vulnerabilities > Canonical > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-06-11 | CVE-2018-5166 | Improper Privilege Management vulnerability in multiple products WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission. | 5.0 |
| 2018-06-11 | CVE-2018-5164 | Cross-site Scripting vulnerability in multiple products Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. | 4.3 |
| 2018-06-11 | CVE-2018-5163 | Improper Preservation of Permissions vulnerability in multiple products If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. | 5.1 |
| 2018-06-11 | CVE-2018-5162 | Missing Encryption of Sensitive Data vulnerability in multiple products Plaintext of decrypted emails can leak through the src attribute of remote images, or links. | 5.0 |
| 2018-06-11 | CVE-2018-5161 | Improper Input Validation vulnerability in multiple products Crafted message headers can cause a Thunderbird process to hang on receiving the message. | 4.3 |
| 2018-06-11 | CVE-2018-5160 | Use After Free vulnerability in multiple products WebRTC can use a "WrappedI420Buffer" pixel buffer but the owning image object can be freed while it is still in use. | 5.0 |
| 2018-06-11 | CVE-2018-5158 | Code Injection vulnerability in multiple products The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. | 6.8 |
| 2018-06-11 | CVE-2018-5157 | Information Exposure vulnerability in multiple products Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. | 5.0 |
| 2018-06-11 | CVE-2018-5153 | Out-of-bounds Read vulnerability in multiple products If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. | 5.0 |
| 2018-06-11 | CVE-2018-5152 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. | 4.3 |