Vulnerabilities > Mozilla > Firefox > 20.0.1

DATE CVE VULNERABILITY TITLE RISK
2018-06-11 CVE-2018-5175 Cross-site Scripting vulnerability in multiple products
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'".
4.3
2018-06-11 CVE-2018-5174 Unspecified vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird
In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI.
network
low complexity
mozilla microsoft
5.0
2018-06-11 CVE-2018-5173 Improper Input Validation vulnerability in multiple products
The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed.
network
low complexity
canonical mozilla CWE-20
5.0
2018-06-11 CVE-2018-5172 Cross-site Scripting vulnerability in multiple products
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files.
4.3
2018-06-11 CVE-2018-5169 Improper Input Validation vulnerability in multiple products
If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs.
4.3
2018-06-11 CVE-2018-5168 Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element.
network
low complexity
debian mozilla canonical redhat
5.0
2018-06-11 CVE-2018-5167 Improper Input Validation vulnerability in multiple products
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked.
4.3
2018-06-11 CVE-2018-5166 Improper Privilege Management vulnerability in multiple products
WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission.
network
low complexity
canonical mozilla CWE-269
5.0
2018-06-11 CVE-2018-5164 Cross-site Scripting vulnerability in multiple products
Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type.
4.3
2018-06-11 CVE-2018-5163 Improper Preservation of Permissions vulnerability in multiple products
If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code.
network
high complexity
canonical mozilla CWE-281
5.1