Vulnerabilities > Mozilla > Firefox
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2016-08-05 | CVE-2016-5268 | 7PK - Security Features vulnerability in Mozilla Firefox. Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to conduct spoofing attacks via a crafted URL, as demonstrated by misleading text after an about:neterror?d= substring. | 4.3 |
2016-08-05 | CVE-2016-5267 | Improper Input Validation vulnerability in Mozilla Firefox. Mozilla Firefox before 48.0 on Android allows remote attackers to spoof the address bar via left-to-right characters in conjunction with a right-to-left character set. | 5.3 |
2016-08-05 | CVE-2016-5266 | Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox. Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site. | 8.1 |
2016-08-05 | CVE-2016-5265 | Information Exposure vulnerability in multiple products. Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory. | 5.5 |
2016-08-05 | CVE-2016-5264 | Use After Free vulnerability in multiple products. Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildListChange function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG element that is mishandled during effect application. | 8.8 |
2016-08-05 | CVE-2016-5263 | Incorrect Type Conversion or Cast vulnerability in multiple products. The nsDisplayList::HitTest function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 mishandles rendering display transformation, which allows remote attackers to execute arbitrary code via a crafted web site that leverages "type confusion." | 8.8 |
2016-08-05 | CVE-2016-5262 | Cross-site Scripting vulnerability in multiple products. Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. | 6.1 |
2016-08-05 | CVE-2016-5261 | Integer Overflow or Wraparound vulnerability in Mozilla Firefox. Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering. | 8.8 |
2016-08-05 | CVE-2016-5260 | Information Exposure vulnerability in Mozilla Firefox. Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file. | 6.5 |
2016-08-05 | CVE-2016-5259 | Use After Free vulnerability in multiple products. Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via a script that closes its own Service Worker within a nested sync event loop. | 8.8 |