Vulnerabilities > Mozilla > Firefox > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-07-12 | CVE-2018-8024 | Information Exposure vulnerability in multiple products In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. | 5.4 |
| 2018-06-11 | CVE-2018-5176 | Improper Input Validation vulnerability in multiple products The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. | 6.1 |
| 2018-06-11 | CVE-2018-5175 | Cross-site Scripting vulnerability in multiple products A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". | 6.1 |
| 2018-06-11 | CVE-2018-5173 | Improper Input Validation vulnerability in multiple products The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. | 5.3 |
| 2018-06-11 | CVE-2018-5172 | Cross-site Scripting vulnerability in multiple products The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. | 4.3 |
| 2018-06-11 | CVE-2018-5169 | Improper Input Validation vulnerability in multiple products If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs. | 6.5 |
| 2018-06-11 | CVE-2018-5168 | Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. | 5.3 |
| 2018-06-11 | CVE-2018-5167 | Improper Input Validation vulnerability in multiple products The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. | 4.3 |
| 2018-06-11 | CVE-2018-5165 | Unspecified vulnerability in Mozilla Firefox In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled. | 5.3 |
| 2018-06-11 | CVE-2018-5164 | Cross-site Scripting vulnerability in multiple products Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. | 6.1 |