88 matches found
Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02)
WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR 45.7 and Firefox 51...
UBUNTU-CVE-2016-9073
WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox. This vulnerability affects Firefox 50...
USN-2936-3: Firefox regression
USN-2936-1 fixed vulnerabilities in Firefox. The update caused an issue where a device update POST request was sent every time about:preferencessync was shown. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Christian Holler, Tyson Smith, Phil Ringald...
FreeBSD : mozilla -- multiple vulnerabilities (92d44f83-a7bf-41cf-91ee-3d1b8ecf579f)
Mozilla Foundation reports : MFSA 2016-39 Miscellaneous memory safety hazards rv:46.0 / rv:45.1 / rv:38.8 MFSA 2016-42 Use-after-free and buffer overflow in Service Workers MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets MFSA 2016-45 CSP not applied to pages sent with...
Elevation of privilege with chrome.tabs.update API in web extensions — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can used to elevate privilege for a universal cross-site scripting XSS atta...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: MFSA 2016-39 Miscellaneous memory safety hazards rv:46.0 / rv:45.1 / rv:38.8 MFSA 2016-42 Use-after-free and buffer overflow in Service Workers MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets MFSA 2016-45 CSP not applied to pages sent with...
CVE-2002-0482
PCI Netsupport Manager (before v7) is affected by a directory traversal vulnerability in web extensions that allows an attacker to read arbitrary files via .. in an HTTP GET request. The issue arises from insufficient validation of path input in the web extension context, enabling access to files...
Webtraversal in PCI Netsupport Manager (all version up to 7 using web extensions)
It is possible to view and download files on machines running PCI Netsupport Manager all version up to 7 that have the web extensions switched on default port 80. This has only been tested on Windows NT 4 server and workstation and Windows 2000 Pro , Server and Advanced server. Example on a...