Vulnerabilities > Mozilla > Firefox > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-06-11 | CVE-2018-5152 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. | 6.5 |
| 2018-06-11 | CVE-2018-5143 | Cross-site Scripting vulnerability in multiple products URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. | 6.1 |
| 2018-06-11 | CVE-2018-5142 | If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. | 5.3 |
| 2018-06-11 | CVE-2018-5140 | Information Exposure vulnerability in multiple products Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. | 5.3 |
| 2018-06-11 | CVE-2018-5138 | Improper Input Validation vulnerability in Mozilla Firefox A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox for Android. | 5.3 |
| 2018-06-11 | CVE-2018-5133 | Information Exposure vulnerability in multiple products If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. | 6.5 |
| 2018-06-11 | CVE-2018-5132 | Information Exposure vulnerability in multiple products The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. | 6.5 |
| 2018-06-11 | CVE-2018-5131 | Information Exposure vulnerability in multiple products Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. | 5.9 |
| 2018-06-11 | CVE-2018-5121 | Improper Input Validation vulnerability in Mozilla Firefox Low descenders on some Tibetan characters in several fonts on OS X are clipped when rendered in the addressbar. | 5.3 |
| 2018-06-11 | CVE-2018-5119 | Information Exposure vulnerability in multiple products The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. | 5.3 |