Vulnerabilities > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

DATE CVE VULNERABILITY TITLE RISK
2018-06-11 CVE-2018-5172 Cross-site Scripting vulnerability in multiple products
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files.
network
low complexity
canonical mozilla CWE-79
4.3
2018-06-11 CVE-2018-5164 Cross-site Scripting vulnerability in multiple products
Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type.
network
low complexity
mozilla canonical CWE-79
6.1
2018-06-11 CVE-2018-5143 Cross-site Scripting vulnerability in multiple products
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute.
network
low complexity
mozilla canonical CWE-79
6.1
2018-06-11 CVE-2017-7840 Cross-site Scripting vulnerability in Mozilla Firefox
JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks.
network
low complexity
mozilla CWE-79
6.1
2018-06-11 CVE-2017-7839 Cross-site Scripting vulnerability in Mozilla Firefox
Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked.
network
low complexity
mozilla CWE-79
6.1
2018-06-11 CVE-2017-7834 Cross-site Scripting vulnerability in Mozilla Firefox
A "data:" URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript.
network
low complexity
mozilla CWE-79
6.1
2018-06-11 CVE-2017-7823 Cross-site Scripting vulnerability in multiple products
The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified.
network
low complexity
redhat debian mozilla CWE-79
5.4
2018-06-11 CVE-2017-7799 Cross-site Scripting vulnerability in Mozilla Firefox
JavaScript in the "about:webrtc" page is not sanitized properly before being assigned to "innerHTML".
network
low complexity
mozilla CWE-79
6.1
2018-06-11 CVE-2017-5466 Cross-site Scripting vulnerability in multiple products
If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly.
network
low complexity
redhat mozilla CWE-79
6.1
2018-06-11 CVE-2017-5458 Cross-site Scripting vulnerability in Mozilla Firefox
When a "javascript:" URL is dragged and dropped by a user into the addressbar, the URL will be processed and executed.
network
low complexity
mozilla CWE-79
6.1