1574 matches found
Local downloaded file tampering — Mozilla
Security researcher Jeremy Brown reported that the file naming scheme used for downloading a file which already exists in the downloads folder is predictable. If an attacker had local access to a victim's computer and knew the name of a file the victim intended to open through the Download Manage...
Crashes with evidence of memory corruption (rv:1.8.1.13) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Security Vulnerabilities fixed in Firefox ESR 78.4 — Mozilla
A use-after-free bug in the usersctp library was reported upstream. We assume this could have led to memory corruption and a potentially exploitable crash. Mozilla developers and community members Jason Kratzer, Simon Giesecke, Philipp, and Christian Holler reported memory safety bugs present in...
Security vulnerabilities fixed in - Thunderbird 68.2 — Mozilla
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XMLGetCurrentLineNumber or XMLGetCurrentColumnNumber then resulted in a heap-based buffer over-read. When following the value's prototype chain, it...
Same-origin policy violation using local HTML file and saved shortcut file — Mozilla
Security researcher Abdulrahman Alqabandi reported that when a local HTML file resides in the same directory as a malicious local shortcut file, the shortcut can be called by the local page to allow the page to read the contents of local files or directories or to load an arbitrary website in...
Spoofing attack through text injection into internal error pages — Mozilla
Security researcher musicDespiteEverything reported that some of the special about: URLs used by Firefox to display system information or error messages can incorporate text passed as parameters. These could be used in spoofing attacks...
Incorrect icon displayed on permissions notifications — Mozilla
Security researcher Tim McCormack reported that when a page requests a series of permissions in a short timespan, the resulting permission notifications can show the icon for the wrong permission request. This can lead to user confusion and inadvertent consent given when a user is prompted by web...
Firefox Health Reports could accept events from untrusted domains — Mozilla
Mozilla engineer Mark Goodwin discovered that the Firefox Health Report about:healthreport accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, thi...
Displayed page address can be overridden — Mozilla
Security researcher Abdulrahman Alqabandi reported an issue where an attacker can load an arbitrary web page but the addressbar's displayed URL will be blank or filled with page defined content. This can be used to obfuscate which page is currently loaded and allows for an attacker to spoof an...
Memory corruption when modifying a file being read by FileReader — Mozilla
Security researcher Oriol reported memory corruption when local files are modified by either the user or another program at the same time being read using the FileReader API. This flaw requires that input be taken from a local file in order to be triggered and cannot be triggered by web content...
Integer overflow in MP4 playback in 64-bit versions — Mozilla
Security researcher Ronald Crane reported a vulnerability found through code inspection. This issue is an integer overflow while processing an MP4 format video file when an a erroneously-small buffer is allocated and then overrun, resulting in a potentially exploitable crash...
Add-on notification bypass through data URLs — Mozilla
Security researcher Bas Venis reported a mechanism where add-ons could be installed from a different source than user expectations. Normally, when a user enters the URL to an add-on directly in the addressbar, warning prompts are bypassed because it is the result of direct user action. He...
Memory corruption crashes in Off Main Thread Compositing — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two memory corruption crashes during 2D graphics rendering due to problems in Off Main Thread Compositing. These crashes are potentially exploitable...
Reading of local files through manipulation of form autocomplete — Mozilla
Security researcher Armin Ebert reported that a user readable file in a known local path could be uploaded to a malicious site. This was done by manipulating the autocomplete feature in a form and user interaction with it. While the local file is not visibly uploaded through the form, its content...
XrayWrapper bypass through DOM objects — Mozilla
Mozilla developer Bobby Holley reported that Document Object Model DOM objects with some specific properties can bypass XrayWrappers. This can allow web content to confuse privileged code, potentially enabling privilege escalation...
CSP leaks redirect data via violation reports — Mozilla
Security researcher Muneaki Nishimura discovered that Content Security Policy CSP violation reports triggered by a redirect did not remove path information as required by the CSP specification. This potentially reveals information about the redirect that would not otherwise be known to the origin...
Buffer overflow during CSS manipulation — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a buffer overflow when making capitalization style changes during CSS parsing. This can cause a crash that is potentially exploitable...
Miscellaneous memory safety hazards (rv:29.0 / rv:24.5) — Mozilla
Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...
Local file access via Open Link in new tab — Mozilla
Security researcher Alex Inführ reported that on Firefox for Android it is possible to open links to local files from web content by selecting "Open Link in New Tab" from the context menu using the file: protocol. The web content would have to know the precise location of a malicious local file i...
Content Security Policy for data: documents not preserved by session restore — Mozilla
Security researcher Nicolas Golubovic reported that the Content Security Policy CSP of data: documents was not saved as part of session restore. If an attacker convinced a victim to open a document from a data: URL injected onto a page, this can lead to a Cross-Site Scripting XSS attack. The targ...
XSLT stylesheets treated as styles in Content Security Policy — Mozilla
Mozilla security engineer Frederik Braun reported an issue where the implementation of Content Security Policy CSP is not in compliance with the specification. XSLT stylesheets must be subject to script-src directives but Mozilla's implementation of CSP treats them as styles. This could lead to...
Use-after-free in Animation Manager during stylesheet cloning — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free problem in the Animation Manager during the cloning of stylesheets. This can lead to a potentially exploitable crash...
Uninitialized data in IonMonkey — Mozilla
Software developer Dan Gohman of Google reported uninitialized data and variables in the IonMonkey Javascript engine when running the engine in Valgrind mode. This could be combined with additional exploits to allow the reading and use of previously allocated memory in some circumstances...
Further Privilege escalation through Mozilla Updater — Mozilla
Security researcher Ash reported an issue with the Mozilla Updater on Windows 7 and later versions of Windows. On vulnerable platforms, the Mozilla Updater can be made to load a specific malicious DLL file from the local system. This DLL file can run in a privileged context through the Mozilla...
Inaccessible updater can lead to local privilege escalation — Mozilla
Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service will behave incorrectly and can be made to use an updater at an arbitrary location. This updater will...
Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERTDecodeCertPackage function of the Network Security Services NSS library when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash...
Use-after-free in HTML Editor — Mozilla
VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand function while internal editor operations are occurring. This could allow for arbitrary code execution...
URL spoofing in addressbar during page loads — Mozilla
Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identify of another site...
top object and location property accessible by plugins — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location and top can be shadowed by Object.defineProperty as well. This can allow for possible cross-site scripting XSS attacks through plugins...
window.fullScreen writeable by untrusted content — Mozilla
Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes...
Key detection without JavaScript via SVG animation — Mozilla
Security researcher Mario Heiderich reported it was possible to use SVG animation accessKey events to detect key strokes even when JavaScript was disabled. Since web pages can normally detect key events through script and most users have scripting enabled this does not present a risk for most...
Integer overflow and arbitrary code execution in Array.reduceRight() — Mozilla
Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security reported that when a JavaScript Array object had its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method was subsequently called could result in the execution of...
Recursive eval call causes confirm dialogs to evaluate to true — Mozilla
Security researcher Zach Hoffman reported that a recursive call to eval wrapped in a try/catch statement places the browser into a inconsistent state. Any dialog box opened in this state is displayed without text and with non-functioning buttons. Closing the window causes the dialog to evaluate t...
Remote code execution using malformed PNG image — Mozilla
OUSPG researcher Aki Helin reported a buffer overflow in Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. When the dimensions of such images are...
Freed object reuse across plugin instances — Mozilla
Microsoft Vulnerability Research reported that two plugin instances could interact in a way in which one plugin gets a reference to an object owned by a second plugin and continues to hold that reference after the second plugin is unloaded and its object is destroyed. In these cases, the first...
Download filename spoofing with RTL override — Mozilla
Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character RTL in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this...
Insufficient warning for PKCS11 module installation and removal — Mozilla
Mozilla security researcher Jesse Ruderman reported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 modu...
jar: scheme ignores the content-disposition: header on the inner URI — Mozilla
Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrust...
UTF-8 URL stack buffer overflow — Mozilla
Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs reported errors in Mozilla URL parsing routines. These errors could be exploited using a specially crafted UTF-8 URL in a hyperlink which could overflow a stack buffer and allow an attacker to execute arbitrary co...
Security Vulnerabilities fixed in Firefox ESR 102.9 — Mozilla
Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website...
Security Vulnerabilities fixed in Firefox ESR 91.13 — Mozilla
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. A cross-origin iframe referencing an XSLT documen...
Security Vulnerabilities fixed in Firefox ESR 91.3 — Mozilla
The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have...
Security vulnerabilities fixed in Firefox ESR 60.4 — Mozilla
A buffer overflow and out-of-bounds read can occur in TextureStorage11 within the ANGLE graphics library, used for WebGL content. This results in a potentially exploitable crash. A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select...
Information disclosure and local file manipulation through drag and drop — Mozilla
Security researcher Rafael Gieschke reported that file URIs dragged from a web page in Firefox to other software do not have their contents properly filtered before being passed to other programs, such as the local file manager. This can allow for the theft or manipulation of arbitrary local file...
CSP not applied to pages sent with multipart/x-mixed-replace — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that Content Security Policy CSP is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to ...
Linux file chooser crashes on malformed images due to flaws in Jasper library — Mozilla
Security researcher Gustavo Grieco reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's gdk-pixbuf library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders...
Integer underflow and buffer overflow processing MP4 metadata in libstagefright — Mozilla
Mozilla developer Gerald Squelart fixed an integer underflow in the libstagefright library initially reported by Joshua Drake to Google. The issues occurred in MP4 format video file while parsing cover metadata, leading to a buffer overflow. This results in a potentially exploitable crash and can...
Buffer overflows found through code inspection — Mozilla
Security researcher Ronald Crane reported three buffer overflows affecting released code that were found through code inspection. They do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them...
Arbitrary file manipulation by local user through Mozilla updater — Mozilla
Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run, the updater can be manipulated to load the updated files from a working directory under user control in concert with junctions. When the updates are run by the Mozilla Maintenance Service on Windows, these...
Integer overflows in libstagefright while processing MP4 video metadata — Mozilla
Security researcher Joshua Drake reported potential integer overflows in the libstagefright library while processing video sample metadata in MPEG4 video files. This can lead to a potentially exploitable crash...