
7432 matches found

Prion
added 2018/06/11 9:29 p.m. | 25 views

Design/Logic Flaw

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR 52.3 and...

CVSS 6.8 | AI score 8.8 | EPSS 0.02104
Exploits: 0 | References: 7 | Affected Software: 9

Prion
added 2018/06/11 9:29 p.m. | 14 views

Design/Logic Flaw

An issue with incorrect ownership model of "privateBrowsing" information exposed through developer tools. This can result in a non-exploitable crash when manually triggered during debugging. This vulnerability affects Firefox 53...

CVSS 6.4 | AI score 8.6 | EPSS 0.02476
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2018/06/11 9:0 p.m. | 22 views

CVE-2017-5468

An issue with incorrect ownership model of "privateBrowsing" information exposed through developer tools. This can result in a non-exploitable crash when manually triggered during debugging. This vulnerability affects Firefox 53...

AI score 8.7 | EPSS 0.02476
Exploits: 0 | References: 4

CVE
added 2018/06/11 9:0 p.m. | 136 views

CVE-2018-5175

CVE-2018-5175 describes a universal CSP bypass on sites using strict-dynamic. An HTML injection flaw could reference Firefox DevTools’ require.js to bypass CSP and execute injected scripts. Affected product: Mozilla Firefox

CVSS 6.1 | AI score 6.3 | EPSS 0.01454
Exploits: 0 | References: 5 | Affected Software: 1

Cvelist
added 2018/06/11 9:0 p.m. | 27 views

CVE-2017-5390

The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

AI score 9.1 | EPSS 0.03965
Exploits: 0 | References: 12

Cvelist
added 2018/06/11 9:0 p.m. | 20 views

CVE-2017-7798

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR 52.3 and...

AI score 8.3 | EPSS 0.02104
Exploits: 0 | References: 7

CVE
added 2018/06/11 9:0 p.m. | 130 views

CVE-2018-5106

CVE-2018-5106 is a Firefox Developer Tools vulnerability affecting Firefox versions prior to 58. The issue allows a third‑party hosted service worker to leak style editor information when a user with DevTools open clicks error links, enabling cross‑origin data exposure of the editor. Affected pro...

CVSS 5.3 | AI score 6 | EPSS 0.01288
Exploits: 0 | References: 5 | Affected Software: 1

AlpineLinux
added 2018/06/11 9:0 p.m. | 39 views

CVE-2017-5390

The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

CVSS 9.8 | AI score 9.3 | EPSS 0.03965
Exploits: 0

Cvelist
added 2018/06/11 9:0 p.m. | 27 views

CVE-2018-5175

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

AI score 5.7 | EPSS 0.01454
Exploits: 0 | References: 5

CVE
added 2018/06/11 9:0 p.m. | 184 views

CVE-2017-7798

The CVE-2017-7798 issue is a XUL injection vulnerability in Firefox Developer Tools (style editor) caused by improper sanitization of the web page source. A malicious page could trigger arbitrary code execution via the style editor, affecting Firefox ESR versions <52.3 and Firefox

CVSS 8.8 | AI score 8.1 | EPSS 0.02104
Exploits: 0 | References: 7 | Affected Software: 1

Debian CVE
added 2018/06/11 9:0 p.m. | 22 views

CVE-2017-5468

An issue with incorrect ownership model of "privateBrowsing" information exposed through developer tools. This can result in a non-exploitable crash when manually triggered during debugging. This vulnerability affects Firefox 53...

CVSS 9.1 | AI score 9.4 | EPSS 0.02476
Exploits: 0

Debian CVE
added 2018/06/11 9:0 p.m. | 25 views

CVE-2017-5390

The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird 45.7, Firefox ESR 45.7, and Firefox 51...

CVSS 9.8 | AI score 9.8 | EPSS 0.03965
Exploits: 0

Debian CVE
added 2018/06/11 9:0 p.m. | 25 views

CVE-2018-5106

Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. This vulnerability affects Firefox ...

CVSS 5.3 | AI score 7.4 | EPSS 0.01288
Exploits: 0

Debian CVE
added 2018/06/11 9:0 p.m. | 22 views

CVE-2017-7798

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR 52.3 and...

CVSS 8.8 | AI score 9.7 | EPSS 0.02104
Exploits: 0

Veracode
added 2018/06/07 6:38 a.m. | 12 views

Malicious Typo-Squatting

crossenv is a malicious typo-squatting package. The package uses a similar name to the original library so that developers may mistake it for the real one but have malicious actions under the hood such as stealing environment variables...

CVSS 7.5 | AI score 7.4 | EPSS 0.01177
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2018/06/01 6:0 p.m. | 49 views

CVE-2016-10581

CVE-2016-10581 concerns the Steroids library (PhoneGap on Steroids), which downloads zipped resources over HTTP. The description states this makes it vulnerable to MITM attacks and, if an attacker can position themselves between the user and the server, may allow remote code execution by swapping...

CVSS 9.3 | AI score 8.3 | EPSS 0.01682
Exploits: 0 | References: 1 | Affected Software: 1

ripstech
added 2018/05/30 12:0 a.m. | 21 views

RIPS Integration into Jenkins CI with Pipeline Support

Pipelines: The Pipeline approach is a more developer-friendly method to define the build and test process of a project. It is as easy as placing a file named Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improv...

AI score 6.8
Exploits: 0

Japan Vulnerability Notes
added 2018/05/24 12:0 a.m. | 55 views

JVN#79301396: Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries

Susie plug-in "axpdfium" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Impact: Arbitrary code may be executed with the privilege of the user running the program where "axpdfium" is used. Solution: Update the plug-in. Update the plug-...

CVSS 9.3 | AI score 7.6 | EPSS 0.00959
Exploits: 0

Malwarebytes
added 2018/05/23 3:0 p.m. | 29 views

Why bad coding habits die hard—and 7 ways to kill them

Developers are usually the focus of blame when software vulnerabilities cause organizational breaches. Sometimes, quality assurance engineers are included in the flame. Interestingly, though, hardly anyone looks at why bad coding habits form in the first place. We're talking about the culture, th...

AI score 7.2
Exploits: 0

Microsoft CVE
added 2018/05/21 7:0 a.m. | 288 views

Microsoft Guidance for Speculative Store Bypass

Executive summary: On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities known as Spectre and Meltdown involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21s...

CVSS 5.6 | AI score 6.6 | EPSS 0.60631
Exploits: 2