Vulnerabilities > Mozilla > High

DATE CVE VULNERABILITY TITLE RISK
2018-06-11 CVE-2018-5160 Use of Uninitialized Resource vulnerability in multiple products
WebRTC can use a "WrappedI420Buffer" pixel buffer but the owning image object can be freed while it is still in use.
network
low complexity
canonical mozilla CWE-908
7.5
2018-06-11 CVE-2018-5158 Code Injection vulnerability in multiple products
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file.
network
low complexity
debian redhat mozilla canonical CWE-94
8.8
2018-06-11 CVE-2018-5157 Origin Validation Error vulnerability in multiple products
Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer.
network
low complexity
redhat debian canonical mozilla CWE-346
7.5
2018-06-11 CVE-2018-5153 Out-of-bounds Read vulnerability in multiple products
If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted.
network
low complexity
mozilla canonical CWE-125
7.5
2018-06-11 CVE-2018-5146 Out-of-bounds Write vulnerability in multiple products
An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.
network
low complexity
redhat debian canonical mozilla CWE-787
8.8
2018-06-11 CVE-2018-5144 Integer Overflow or Wraparound vulnerability in multiple products
An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter.
network
low complexity
redhat debian canonical mozilla CWE-190
7.3
2018-06-11 CVE-2018-5141 Improper Input Validation vulnerability in multiple products
A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction.
network
low complexity
mozilla canonical CWE-20
8.2
2018-06-11 CVE-2018-5137 Information Exposure vulnerability in multiple products
A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script.
network
low complexity
mozilla canonical CWE-200
7.5
2018-06-11 CVE-2018-5136 Improper Input Validation vulnerability in multiple products
A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy.
network
low complexity
canonical mozilla CWE-20
7.5
2018-06-11 CVE-2018-5135 Missing Authorization vulnerability in Mozilla Firefox
WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages.
network
low complexity
mozilla CWE-862
7.5