Vulnerabilities > Mozilla > Firefox > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-10-18 CVE-2018-12365 Information Exposure vulnerability in multiple products
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction.
network
low complexity
redhat debian canonical mozilla CWE-200
6.5
2018-10-18 CVE-2018-12358 Information Exposure vulnerability in multiple products
Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque.
network
low complexity
mozilla canonical CWE-200
4.3
2018-07-12 CVE-2018-8024 Information Exposure vulnerability in multiple products
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI.
network
low complexity
apache mozilla CWE-200
5.4
2018-06-11 CVE-2018-5176 Improper Input Validation vulnerability in multiple products
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links.
network
low complexity
canonical mozilla CWE-20
6.1
2018-06-11 CVE-2018-5175 Cross-site Scripting vulnerability in multiple products
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'".
network
low complexity
canonical mozilla CWE-79
6.1
2018-06-11 CVE-2018-5173 Improper Input Validation vulnerability in multiple products
The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed.
network
low complexity
canonical mozilla CWE-20
5.3
2018-06-11 CVE-2018-5172 Cross-site Scripting vulnerability in multiple products
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files.
network
low complexity
canonical mozilla CWE-79
4.3
2018-06-11 CVE-2018-5169 Improper Input Validation vulnerability in multiple products
If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs.
network
low complexity
canonical mozilla CWE-20
6.5
2018-06-11 CVE-2018-5168 Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element.
network
low complexity
debian mozilla canonical redhat
5.3
2018-06-11 CVE-2018-5167 Improper Input Validation vulnerability in multiple products
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked.
network
low complexity
canonical mozilla CWE-20
4.3