Vulnerabilities > Mozilla > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-02-28 | CVE-2018-18495 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions. | 6.5 |
| 2019-02-28 | CVE-2018-18494 | Origin Validation Error vulnerability in multiple products A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). | 6.5 |
| 2019-02-28 | CVE-2018-12403 | If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. | 5.3 |
| 2019-02-28 | CVE-2018-12402 | Origin Validation Error vulnerability in multiple products The internal WebBrowserPersist code does not use correct origin context for a resource being saved. | 6.5 |
| 2019-02-28 | CVE-2018-12400 | Information Exposure vulnerability in Mozilla Firefox In private browsing mode on Firefox for Android, favicons are cached in the cache/icons folder as they are in non-private mode. | 5.3 |
| 2019-02-28 | CVE-2018-12399 | Improper Authentication vulnerability in multiple products When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. | 4.3 |
| 2019-02-28 | CVE-2018-12398 | By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). | 6.5 |
| 2019-02-28 | CVE-2018-12396 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. | 6.5 |
| 2019-02-05 | CVE-2018-18506 | When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. | 5.9 |
| 2019-02-04 | CVE-2019-7317 | Use After Free vulnerability in multiple products png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. | 5.3 |