Vulnerabilities > Mozilla > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-02-28 CVE-2018-18499 Origin Validation Error vulnerability in Mozilla Firefox
A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries().
network
low complexity
mozilla CWE-346
6.5
2019-02-28 CVE-2018-18497 Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument.
network
low complexity
mozilla canonical
6.5
2019-02-28 CVE-2018-18495 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions.
network
low complexity
mozilla canonical CWE-732
6.5
2019-02-28 CVE-2018-18494 Origin Validation Error vulnerability in multiple products
A same-origin policy violation allowing the theft of cross-origin URL entries when using the JavaScript location property to cause a redirection to another site using performance.getEntries().
network
low complexity
mozilla debian canonical redhat CWE-346
6.5
2019-02-28 CVE-2018-12403 If a site is loaded over an HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users.
network
low complexity
mozilla canonical
5.3
2019-02-28 CVE-2018-12402 Origin Validation Error vulnerability in multiple products
The internal WebBrowserPersist code does not use correct origin context for a resource being saved.
network
low complexity
mozilla canonical CWE-346
6.5
2019-02-28 CVE-2018-12400 Information Exposure vulnerability in Mozilla Firefox
In private browsing mode on Firefox for Android, favicons are cached in the cache/icons folder as they are in non-private mode.
network
low complexity
mozilla CWE-200
5.3
2019-02-28 CVE-2018-12399 Improper Authentication vulnerability in multiple products
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol.
network
low complexity
mozilla canonical CWE-287
4.3
2019-02-28 CVE-2018-12398 By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP).
network
low complexity
mozilla canonical
6.5
2019-02-28 CVE-2018-12396 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events.
network
low complexity
mozilla debian canonical redhat CWE-732
6.5