Vulnerabilities > Canonical > Ubuntu Linux > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-06-11 | CVE-2018-5173 | Improper Input Validation vulnerability in multiple products The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. | 5.3 |
| 2018-06-11 | CVE-2018-5172 | Cross-site Scripting vulnerability in multiple products The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. | 4.3 |
| 2018-06-11 | CVE-2018-5170 | Improper Input Validation vulnerability in multiple products It is possible to spoof the filename of an attachment and display an arbitrary attachment name. | 4.3 |
| 2018-06-11 | CVE-2018-5169 | Improper Input Validation vulnerability in multiple products If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs. | 6.5 |
| 2018-06-11 | CVE-2018-5168 | Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. | 5.3 |
| 2018-06-11 | CVE-2018-5167 | Improper Input Validation vulnerability in multiple products The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. | 4.3 |
| 2018-06-11 | CVE-2018-5164 | Cross-site Scripting vulnerability in multiple products Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. | 6.1 |
| 2018-06-11 | CVE-2018-5161 | Improper Input Validation vulnerability in multiple products Crafted message headers can cause a Thunderbird process to hang on receiving the message. | 4.3 |
| 2018-06-11 | CVE-2018-5152 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. | 6.5 |
| 2018-06-11 | CVE-2018-5143 | Cross-site Scripting vulnerability in multiple products URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. | 6.1 |