277 matches found

Veracode
added 2019/05/02 5:12 a.m. | 30 views

Cross-Site Request Forgery (CSRF)

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with...

CVSS 7.5 | AI score 9.6 | EPSS 0.67135
Exploits 3 | References 37 | Affected Software 2
Tenable Nessus
added 2019/04/03 12:0 a.m. | 31 views

FreeBSD : Gitlab -- Multiple vulnerabilities (da459dbc-5586-11e9-abd6-001b217b3468)

Gitlab reports : DoS potential for regex in CI/CD refs Related branches visible in issues for guests Persistent XSS at merge request resolve conflicts Improper authorization control 'move issue' Guest users of private projects have access to releases DoS potential on project languages page Recuri...

CVSS 8.8 | AI score 7.7 | EPSS 0.10576
Exploits 10 | References 14
FreeBSD
added 2019/04/01 12:0 a.m. | 36 views

Gitlab -- Multiple vulnerabilities

Gitlab reports: DoS potential for regex in CI/CD refs Related branches visible in issues for guests Persistent XSS at merge request resolve conflicts Improper authorization control "move issue" Guest users of private projects have access to releases DoS potential on project languages page Recurit...

CVSS 8.8 | AI score 1.2 | EPSS 0.10576
Exploits 10 | References 1
Tenable Nessus
added 2019/03/27 12:0 a.m. | 21 views

openSUSE Security Update : nextcloud (openSUSE-2019-640)

This update for nextcloud to version 13.0.5 fixes the following issues : Security issues fixed : - CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names,...

CVSS 5.4 | AI score 5.3 | EPSS 0.00769
Exploits 0 | References 2
Veracode
added 2019/01/15 9:7 a.m. | 26 views

Same-Origin Policy Bypass

Mozilla Firefox is vulnerable to same-origin policy bypass. A flaw was discovered in Mozilla Firefox that could be used to violate the same-origin policy and inject web script into a non-privileged part of the built-in PDF file viewer PDF.js. An attacker could create a malicious web page that, wh...

CVSS 8.8 | AI score 6.9 | EPSS 0.70226
Exploits 8 | References 21 | Affected Software 1
Tenable Nessus
added 2018/08/28 12:0 a.m. | 25 views

openSUSE Security Update : nextcloud (openSUSE-2018-936)

This update for nextcloud to version 13.0.5 fixes the following issues : Security issues fixed : - CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names,...

CVSS 5.4 | AI score 5.3 | EPSS 0.00769
Exploits 0 | References 2
OPENSUSE Linux
added 2018/08/26 9:7 p.m. | 61 views

Security update for nextcloud (moderate)

This update for nextcloud to version 13.0.5 fixes the following issues: Security issues fixed: - CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names,...

AI score 0.3 | EPSS 0.00769
Exploits 0 | References 1
Check Point Advisories
added 2017/08/29 12:0 a.m. | 3 views

Firefox PDF.js Javascript Injection (CVE-2015-0802; CVE-2015-0816)

A remote code execution vulnerability exists in Firefox 35-36. The vulnerability is due to a privilege escalation bug in certain resources. A remote attacker can exploit this vulnerability by enticing a victim to view maliciously crafted content...

CVSS 5 | AI score 3.3 | EPSS 0.67465
Exploits 4
BDU FSTEC
added 2016/07/07 12:0 a.m. | 2 views

The vulnerability of the Thunderbird email client, which allows a remote attacker to execute arbitrary JavaScript code

The vulnerability of the Thunderbird email client lies in the improper restriction of the resource:URL. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code with privileges of a Chrome user, bypassing access policies. This can be achieved by using a...

CVSS 5 | AI score 8.1 | EPSS 0.67135
Exploits 3 | References 3 | Affected Software 1
BDU FSTEC
added 2016/07/07 12:0 a.m. | 2 views

The vulnerability of the Firefox ESR browser allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability of Firefox ESR lies in the improper restriction on the resource:URL. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code with privileges equivalent to those of Chrome, thereby circumventing access control policies. This can be achieved, fo...

CVSS 5 | AI score 8.1 | EPSS 0.67135
Exploits 3 | References 3 | Affected Software 1
ArchLinux
added 2015/11/13 12:0 a.m. | 33 views

chromium: information leakage

The PDF viewer does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and outofprocessinstance.cc...

CVSS 7.5 | AI score 4.5 | EPSS 0.01864
Exploits 0 | References 3
Prion
added 2015/11/11 11:59 a.m. | 20 views

Design/Logic Flaw

The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and outofprocessinstance.cc...

CVSS 7.5 | AI score 6.5 | EPSS 0.01864
Exploits 0 | References 10 | Affected Software 1
OSV
added 2015/11/11 11:59 a.m. | 0 views

UBUNTU-CVE-2015-1302

The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and outofprocessinstance.cc...

CVSS 7.5 | AI score 7.3 | EPSS 0.01864
Exploits 0 | References 3
Cvelist
added 2015/11/11 11:0 a.m. | 22 views

CVE-2015-1302

The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and outofprocessinstance.cc...

AI score 8.9 | EPSS 0.01864
Exploits 0 | References 10
seebug.org
added 2015/09/01 12:0 a.m. | 43 views

Firefox < 39.0.3 - pdf.js Same Origin Policy Exploit

CVE-2015-4495 Description: This exploit allows an attacker to read and copy information on the victim's computer once they view the web site crafted with this exploit. //exploit.js: var starttimeout=2000; var sandboxcontexti=null; var DIRCACHE=; var FILECACHE=; var hidden=true; var mywinid=null; function...

CVSS 4.3 | AI score 7.1 | EPSS 0.70226
Exploits 8
Exploit DB
added 2015/08/24 12:0 a.m. | 55 views

Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Firefox PDF.js Privileged Javascript Injection', 'Description' = %q This module gains remote code execution on Firefox 35-36 by...

AI score 8.7
Exploits 0
0day.today
added 2015/08/23 12:0 a.m. | 162 views

Firefox PDF.js Privileged Javascript Injection Exploit

This Metasploit module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability. This module requires Metasploit:...

CVSS 5 | AI score 0.3 | EPSS 0.67465
Exploits 4
Packet Storm
added 2015/08/23 12:0 a.m. | 46 views

Firefox PDF.js Privileged Javascript Injection

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Firefox PDF.js Privileged Javascript Injection', 'Description' = %q This module gains remote code execution on Firefox 35-36 by...

CVSS 5 | AI score 0.6 | EPSS 0.67465
Exploits 4
Metasploit
added 2015/08/16 1:2 a.m. | 48 views

Firefox PDF.js Privileged Javascript Injection

This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability. This module requires Metasploit:...

CVSS 5 | AI score 9.7 | EPSS 0.67465
Exploits 4
Exploit DB
added 2015/08/15 12:0 a.m. | 70 views

Mozilla Firefox < 39.03 - 'pdf.js' Same Origin Policy

/ Exploit Title: Firefox CVE-2015-4495 Test Run the index.html Make sure the main.js is in the same directory and we should be able to see the directory listing. 3. Solution Upgrade to the latest firefox 39.0.3 / var starttimeout=2000; var sandboxcontexti=null; var DIRCACHE=; var FILECACHE=; var...

CVSS 8.8 | AI score 8.8 | EPSS 0.70226
Exploits 8