274 matches found
CVE-2016-9075
CVE-2016-9075 : Firefox WebExtensions can misuse mozAddonManager API to elevate privileges because privileged pages are allowed in the permissions list, enabling a malicious extension to install additional extensions without explicit user permission. Affected: Firefox versions before 50. Root cau...
CVE-2018-5166
CVE-2018-5166 affects Firefox
CVE-2018-5152
CVE-2018-5152 affects Firefox before 60. WebExtensions with appropriate permissions can inject content scripts into sites like accounts.firefox.com and monitor traffic via webRequest, enabling interception during login and exposure of username and encrypted password. The issue is limited to the l...
CVE-2017-5389
WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user...
CVE-2018-5152
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firef...
CVE-2017-7821
A vulnerability where WebExtensions can download and attempt to open a file of some non-executable file types. This can be triggered without specific user interaction for the file download and open actions. This could be used to trigger known vulnerabilities in the programs that handle those...
CVE-2018-5135
WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox 59...
CVE-2018-5132
The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. This could allow a malicious WebExtension to search for otherwise protected data if a user has it open. This vulnerability affects Firefox 59...
CVE-2018-5134
WebExtensions may use "view-source:" URLs to view local "file:" URL content, as well as content stored in "about:cache", bypassing restrictions that only allow WebExtensions to view specific content. This vulnerability affects Firefox 59...
CVE-2018-5135
CVE-2018-5135 affects Mozilla Firefox versions earlier than 59.0. The issue allows WebExtensions to bypass normal restrictions and use browser.tabs.executeScript to inject scripts into contexts where injection should not be allowed (e.g., other WebExtensions or unprivileged about: pages). This is...
CVE-2016-9073
WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox. This vulnerability affects Firefox 50...
CVE-2018-5105
WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox 58...
Security fix for the ALT Linux 10 package firefox-esr version 60.0.1-alt1
June 5, 2018 Andrey Cherepanov 60.0.1-alt1
- New ESR version 60.0.1.
- Fixed:
  + CVE-2018-5154: Use-after-free with SVG animations and clip paths
  + CVE-2018-5155: Use-after-free with SVG animations and text paths
  + CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
  +...
Ubuntu: Security Advisory (USN-3645-2)
The remote host is missing an update for the...
USN-3645-2: Firefox regression
USN-3645-1 fixed vulnerabilities in Firefox. The update caused an issue where users experienced long UI pauses in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were...
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Firefox vulnerabilities (USN-3645-1)
The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3645-1 advisory. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacke...
Ubuntu: Security Advisory (USN-3645-1)
The remote host is missing an update for the...
Mozilla Firefox WebExtensions Host Privilege Bypass Vulnerability
Mozilla Firefox is a free and open source browser for Windows, Linux and Mac OS X platforms. Mozilla Firefox suffers from a WebExtensions host privilege bypass vulnerability. An attacker can exploit this vulnerability to bypass host privilege settings via request redirection and...