Vulnerabilities > Mozilla > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-06-11 | CVE-2018-5168 | Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. | 5.3 |
| 2018-06-11 | CVE-2018-5167 | Improper Input Validation vulnerability in multiple products The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. | 4.3 |
| 2018-06-11 | CVE-2018-5165 | Unspecified vulnerability in Mozilla Firefox In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled. | 5.3 |
| 2018-06-11 | CVE-2018-5164 | Cross-site Scripting vulnerability in multiple products Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. | 6.1 |
| 2018-06-11 | CVE-2018-5161 | Improper Input Validation vulnerability in multiple products Crafted message headers can cause a Thunderbird process to hang on receiving the message. | 4.3 |
| 2018-06-11 | CVE-2018-5152 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. | 6.5 |
| 2018-06-11 | CVE-2018-5143 | Cross-site Scripting vulnerability in multiple products URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. | 6.1 |
| 2018-06-11 | CVE-2018-5142 | If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. | 5.3 |
| 2018-06-11 | CVE-2018-5140 | Information Exposure vulnerability in multiple products Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. | 5.3 |
| 2018-06-11 | CVE-2018-5138 | Improper Input Validation vulnerability in Mozilla Firefox A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox for Android. | 5.3 |