Vulnerabilities > Mozilla > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-06-11 CVE-2018-5170 Improper Input Validation vulnerability in multiple products
It is possible to spoof the filename of an attachment and display an arbitrary attachment name.
network
low complexity
redhat mozilla debian canonical CWE-20
4.3
2018-06-11 CVE-2018-5169 Improper Input Validation vulnerability in multiple products
If manipulated hyperlinked text containing a "chrome:" URL is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs.
network
low complexity
canonical mozilla CWE-20
6.5
2018-06-11 CVE-2018-5168 Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element.
network
low complexity
debian mozilla canonical redhat
5.3
2018-06-11 CVE-2018-5167 Improper Input Validation vulnerability in multiple products
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked.
network
low complexity
canonical mozilla CWE-20
4.3
2018-06-11 CVE-2018-5165 Unspecified vulnerability in Mozilla Firefox
In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled.
network
low complexity
mozilla
5.3
2018-06-11 CVE-2018-5164 Cross-site Scripting vulnerability in multiple products
Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type.
network
low complexity
mozilla canonical CWE-79
6.1
2018-06-11 CVE-2018-5161 Improper Input Validation vulnerability in multiple products
Crafted message headers can cause a Thunderbird process to hang on receiving the message.
network
low complexity
redhat debian canonical mozilla CWE-20
4.3
2018-06-11 CVE-2018-5152 Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API.
network
low complexity
mozilla canonical CWE-327
6.5
2018-06-11 CVE-2018-5143 Cross-site Scripting vulnerability in multiple products
URLs using "javascript:" have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL, the protocol is not removed and the script will execute.
network
low complexity
mozilla canonical CWE-79
6.1
2018-06-11 CVE-2018-5142 If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain.
network
low complexity
mozilla canonical
5.3