CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In June 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
801 CVE-2018-5157 200 Bypass +Info 2018-06-11 2019-03-13
5.0
None Remote Low Not required Partial None None
Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
802 CVE-2018-5155 416 2018-06-11 2019-03-11
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
803 CVE-2018-5154 416 2018-06-11 2019-03-11
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
804 CVE-2018-5153 125 2018-06-11 2018-08-14
5.0
None Remote Low Not required Partial None None
If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response. This vulnerability affects Firefox < 60.
805 CVE-2018-5152 327 2018-06-11 2019-10-03
4.3
None Remote Medium Not required Partial None None
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in. This vulnerability affects Firefox < 60.
806 CVE-2018-5151 119 Overflow Mem. Corr. 2018-06-11 2018-08-03
10.0
None Remote Low Not required Complete Complete Complete
Memory safety bugs were reported in Firefox 59. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 60.
807 CVE-2018-5150 119 Overflow Mem. Corr. 2018-06-11 2019-03-13
7.5
None Remote Low Not required Partial Partial Partial
Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
808 CVE-2018-5148 416 2018-06-11 2018-08-09
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.7.3 and Firefox < 59.0.2.
809 CVE-2018-5147 787 2018-06-11 2018-08-14
7.5
None Remote Low Not required Partial Partial Partial
The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms. This vulnerability affects Firefox ESR < 52.7.2 and Firefox < 59.0.1.
810 CVE-2018-5146 787 2018-06-11 2019-03-11
6.8
None Remote Medium Not required Partial Partial Partial
An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7.
811 CVE-2018-5145 119 Overflow Mem. Corr. 2018-06-11 2019-03-13
7.5
None Remote Low Not required Partial Partial Partial
Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.
812 CVE-2018-5144 190 Overflow 2018-06-11 2019-03-08
7.5
None Remote Low Not required Partial Partial Partial
An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.
813 CVE-2018-5143 79 XSS 2018-06-11 2018-08-02
4.3
None Remote Medium Not required None Partial None
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.
814 CVE-2018-5142 2018-06-11 2019-10-03
5.0
None Remote Low Not required None Partial None
If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59.
815 CVE-2018-5141 20 DoS 2018-06-11 2018-08-02
6.4
None Remote Low Not required Partial None Partial
A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction. This could be used to open new tabs in a denial of service (DOS) attack or to display unwanted content from arbitrary URLs to users. This vulnerability affects Firefox < 59.
816 CVE-2018-5140 200 +Info 2018-06-11 2018-08-02
5.0
None Remote Low Not required Partial None None
Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. This could allow for information leakage of which applications are associated with specific MIME types by a malicious page. This vulnerability affects Firefox < 59.
817 CVE-2018-5138 20 2018-06-11 2018-08-08
5.0
None Remote Low Not required None Partial None
A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox for Android. This could allow an attacker to spoof which page is actually loaded and in use. Note: this issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 59.
818 CVE-2018-5137 200 +Info 2018-06-11 2018-08-10
5.0
None Remote Low Not required Partial None None
A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script. This script does this by using a maliciously crafted path string to reference the resources. Note: this vulnerability does not affect WebExtensions. This vulnerability affects Firefox < 59.
819 CVE-2018-5136 20 Bypass 2018-06-11 2018-08-14
5.0
None Remote Low Not required Partial None None
A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy. This vulnerability affects Firefox < 59.
820 CVE-2018-5135 862 Bypass 2018-06-11 2019-10-03
5.0
None Remote Low Not required None Partial None
WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox < 59.
821 CVE-2018-5134 200 Bypass +Info 2018-06-11 2018-08-08
5.0
None Remote Low Not required Partial None None
WebExtensions may use "view-source:" URLs to view local "file:" URL content, as well as content stored in "about:cache", bypassing restrictions that only allow WebExtensions to view specific content. This vulnerability affects Firefox < 59.
822 CVE-2018-5133 200 +Info 2018-06-11 2018-08-03
4.3
None Remote Medium Not required Partial None None
If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This stored preference is also executed whenever an EME video player plugin displays a CDM-disabled message as a notification message. This vulnerability affects Firefox < 59.
823 CVE-2018-5132 200 +Info 2018-06-11 2018-08-07
4.3
None Remote Medium Not required Partial None None
The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. This could allow a malicious WebExtension to search for otherwise protected data if a user has it open. This vulnerability affects Firefox < 59.
824 CVE-2018-5131 200 +Info 2018-06-11 2019-03-08
4.3
None Remote Medium Not required Partial None None
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
825 CVE-2018-5130 20 2018-06-11 2019-03-08
6.8
None Remote Medium Not required Partial Partial Partial
When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
826 CVE-2018-5129 787 Mem. Corr. 2018-06-11 2019-03-08
5.0
None Remote Low Not required None Partial None
A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59.
827 CVE-2018-5128 416 2018-06-11 2018-08-06
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur when manipulating elements, events, and selection ranges during editor operations. This results in a potentially exploitable crash. This vulnerability affects Firefox < 59.
828 CVE-2018-5127 119 Overflow 2018-06-11 2019-03-08
6.8
None Remote Medium Not required Partial Partial Partial
A buffer overflow can occur when manipulating the SVG "animatedPathSegList" through script. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59.
829 CVE-2018-5126 119 Overflow Mem. Corr. 2018-06-11 2018-08-06
7.5
None Remote Low Not required Partial Partial Partial
Memory safety bugs were reported in Firefox 58. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 59.
830 CVE-2018-5125 119 Overflow Mem. Corr. 2018-06-11 2019-03-08
6.8
None Remote Medium Not required Partial Partial Partial
Memory safety bugs were reported in Firefox 58 and Firefox ESR 52.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59.
831 CVE-2018-5122 787 Overflow 2018-06-11 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox < 58.
832 CVE-2018-5121 20 2018-06-11 2018-06-25
5.0
None Remote Low Not required None Partial None
Low descenders on some Tibetan characters in several fonts on OS X are clipped when rendered in the addressbar. When used as part of an Internationalized Domain Name (IDN) this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 58.
833 CVE-2018-5119 200 +Info 2018-06-11 2018-06-25
5.0
None Remote Low Not required Partial None None
The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. This could allow access to content that should be restricted in reader view. This vulnerability affects Firefox < 58.
834 CVE-2018-5118 200 +Info 2018-06-11 2018-06-25
5.0
None Remote Low Not required Partial None None
The screenshot images displayed in the Activity Stream page displayed when a new tab is opened is created from the meta tags of websites. An issue was discovered where the page could attempt to create these images through "file:" URLs from the local file system. This loading is blocked by the sandbox but could expose local data if combined with another attack that escapes sandbox protections. This vulnerability affects Firefox < 58.
835 CVE-2018-5117 2018-06-11 2019-10-03
5.0
None Remote Low Not required None Partial None
If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
836 CVE-2018-5116 346 Bypass 2018-06-11 2018-06-25
7.5
None Remote Low Not required Partial Partial Partial
WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin user expectations with this permission. This vulnerability affects Firefox < 58.
837 CVE-2018-5115 200 +Info 2018-06-11 2018-06-25
5.0
None Remote Low Not required Partial None None
If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about the originating site of the authentication request and may cause users to mistakenly send private credential information to a third party site. This vulnerability affects Firefox < 58.
838 CVE-2018-5114 200 +Info 2018-06-11 2018-06-25
5.0
None Remote Low Not required Partial None None
If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. This vulnerability affects Firefox < 58.
839 CVE-2018-5113 862 2018-06-11 2019-10-03
5.0
None Remote Low Not required Partial None None
The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox < 58.
840 CVE-2018-5112 552 2018-06-11 2019-10-03
5.0
None Remote Low Not required Partial None None
Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that it should not be able to access, including potentially privileged pages. This vulnerability affects Firefox < 58.
841 CVE-2018-5111 20 2018-06-11 2018-06-25
4.3
None Remote Medium Not required None Partial None
When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site. This vulnerability affects Firefox < 58.
842 CVE-2018-5110 20 2018-06-11 2018-06-25
5.0
None Remote Low Not required None Partial None
If cursor visibility is toggled by script using from 'none' to an image and back through script, the cursor will be rendered temporarily invisible within Firefox. Note: This vulnerability only affects OS X. Other operating systems are not affected. This vulnerability affects Firefox < 58.
843 CVE-2018-5109 346 2018-06-11 2018-06-25
5.0
None Remote Low Not required None Partial None
An audio capture session can started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to capture an audio stream. This vulnerability affects Firefox < 58.
844 CVE-2018-5108 200 +Info 2018-06-11 2018-06-25
4.3
None Remote Medium Not required Partial None None
A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. This could allow for the leaking of private information specific to the private browsing context. This issue is mitigated by the requirement that the user enter the Blob URL manually in order for the access violation to occur. This vulnerability affects Firefox < 58.
845 CVE-2018-5107 59 Bypass 2018-06-11 2018-06-25
5.0
None Remote Low Not required Partial None None
The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information could be exposed. This vulnerability affects Firefox < 58.
846 CVE-2018-5106 200 +Info 2018-06-11 2018-06-25
5.0
None Remote Low Not required Partial None None
Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. This vulnerability affects Firefox < 58.
847 CVE-2018-5105 Bypass 2018-06-11 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox < 58.
848 CVE-2018-5104 416 2018-06-11 2018-08-03
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
849 CVE-2018-5103 416 2018-06-11 2018-08-03
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
850 CVE-2018-5102 416 2018-06-11 2018-08-03
7.5
None Remote Low Not required Partial Partial Partial
A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
Total number of vulnerabilities : 1788   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 (This Page)18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.