1574 matches found
XUL tree removal crash and remote code execution — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In product...
UTF-7 XSS by overriding document charset using <object> type attribute — Mozilla
Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab Silicon Valley campus reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing su...
Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Image src redirect to mailto: URL opens email editor — Mozilla
phpBB developer Henry Sudhof reported that when an image tag points to a resource that redirects to a mailto: URL, the external mail handler application is launched. This issue poses no security threat to users but could create an annoyance when browsing a site that allows users to post arbitrary...
Compromise of SSL-protected communication — Mozilla
IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities CA which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid...
Same-origin violations when Adobe Flash loaded via view-source: scheme — Mozilla
Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:...
Privilege escalation through Print Preview — Mozilla
Georgi Guninski reported two variants of using scripts in an XBL control to gain chrome privileges when the page is viewed under "Print Preview"...
Security Vulnerabilities fixed in Firefox 136 — Mozilla
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could...
Security Vulnerabilities fixed in Firefox 128 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. Clipboard code...
Security Vulnerabilities fixed in Firefox for Android 110.1.0 — Mozilla
A potential use-after-free in libaudio was fixed by disabling the AAudio backend when running on Android API below version 30.This bug only affects Firefox for Android. Other versions of Firefox are unaffected...
Security Vulnerabilities fixed in Firefox ESR 78.13 — Mozilla
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. Firefox incorrectly treated an inline list-item element as a block element, resulting i...
Use-after-free in service workers with nested sync events — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when working with nested sync event loops in Service Workers. He discovered a mechanism where scripts can close their own worker, which will then trigger a synchronization XMLHttpRequest on this now closed and released...
Integer overflow in WebSockets during data buffering — Mozilla
Security researcher Samuel Groß reported an integer overflow error in WebSockets during data buffering on incoming packets when an allocated buffer is resized incorrectly. This results in the buffer array holding the data being shrunk, instead of grown, resulting in attacker controlled data being...
Crash in incremental garbage collection in JavaScript — Mozilla
Security researcher Jukka Jylänki reported a use-after-free in JavaScript caused by how objects and pointers are handled during incremental garbage collection in some circumstances working with object groups. When triggered, this causes a potential exploitable crash but is mitigated by the...
Information disclosure through Resource Timing API during page navigation — Mozilla
Amazon software engineer Catalin Dumitru reported that the URLs of resources loaded after a navigation started such as in an unload event handler were leaked to the following page through the Resource Timing API. This leads to potential information disclosure...
Elevation of privilege with chrome.tabs.update API in web extensions — Mozilla
Security researcher Muneaki Nishimura nishimunea of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can used to elevate privilege for a universal cross-site scripting XSS atta...
Same-origin policy violation using performance.getEntries and history navigation with session restore — Mozilla
Security researcher Jordi Chancel discovered a variant of Mozilla Foundation Security Advisory 2015-136 which was fixed in Firefox 43. In the original bug, it was possible to read cross-origin URLs following a redirect if performance.getEntries was used along with an iframe to host a page...
Out of Memory crash when parsing GIF format images — Mozilla
Security researcher Gustavo Grieco reported an out of memory crash when loading maliciously crafted GIF format images. Investigation of the issue determined that the root cause was an error in image parsing code during deinterlacing, leading to a potential integer overflow...
Crash with JavaScript variable assignment with unboxed objects — Mozilla
Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some Javascript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash whe...
Certain escaped characters in host of Location-header are being treated as non-escaped — Mozilla
Security researcher Frans Rosén reported that URLs with certain escaped characters in hostnames are parsed incorrectly. This leads to parsing being abandoned when an effected escaped character is encountered followed by a navigation to the previously parsed version of the URL. When combined with ...
Errors in the handling of CORS preflight request headers — Mozilla
Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource sharing CORS "preflight" requests...
Use-after-free in workers while using XMLHttpRequest — Mozilla
Security researcher Looben Yang used the Address Sanitizer tool to discover two related use-after-free vulnerabilities that occur when using XMLHttpRequest in concert with either shared or dedicated workers. These errors occur when the XMLHttpRequest object is attached to a worker but that object...
Add-on lightweight theme installation approval bypassed through MITM attack — Mozilla
Security researcher Armin Ebert discovered that a man-in-the-middle MITM attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over...
Out of bounds read in QCMS library — Mozilla
Security researcher Felix Gröbert of Google used the Address Sanitizer tool to discover an out of bounds read in the QCMS color management library while transforming images with certain parameters. This could lead to information disclosure...
Malicious WebGL content crash when writing strings — Mozilla
Security researcher Daniele Di Proietto discovered that when WebGL content crafted in a specific manner wrote strings, it would cause a crash when this content was run...
Use-after-free interacting with text directionality — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with text direction. This results in a crash which can lead to arbitrary code execution...
Use-after-free in imgLoader while resizing images — Mozilla
Security researcher Nils discovered a use-after-free error in which the imgLoader object is freed while an image is being resized. This results in a potentially exploitable crash...
Spoofing addressbar though SELECT element — Mozilla
Security researcher Jordi Chancel discovered a method to put arbitrary HTML content within elements and place it in arbitrary locations. This can be used to spoof the displayed addressbar, leading to clickjacking and other spoofing attacks...
Uninitialized functions in DOMSVGZoomEvent — Mozilla
Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent functions are used without being properly initialized, causing uninitialized memory to be used when they are called by web content. This could lead to a information leakage to sites depending on the contents of this uninitialize...
Out-of-bounds write in Cairo library — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover an out-of-bounds write in Cairo graphics library. When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading t...
Use-after-free in Javascript Proxy objects — Mozilla
...
Frames can shadow top.location — Mozilla
Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute's value is set to "top". This can allow for possible cross-site scripting XSS attacks through plugins...
Miscellaneous memory safety hazards (rv:16.0.1) — Mozilla
Mozilla developers identified and fixed two top crashing bugs in the browser engine used in Firefox and other Mozilla-based products. These bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to ru...
Crash with WebGL content using textImage2D — Mozilla
Mozilla community member Ms2ger found an image rendering issue with WebGL when texImage2D uses use JSVALTOOBJECT on arbitrary objects. This can lead to a crash on a maliciously crafted web page. While there is no evidence that this is directly exploitable, there is a possibility of remote code...
Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Crash when accessing keyframe cssText after dynamic modification — Mozilla
Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable...
.jar not treated as executable in Firefox 3.6 on Mac — Mozilla
Part of the fix for MFSA 2011-40, reported by Mariusz Mlynski, was to treat .jar files as executables. This is necessary because Java treats downloaded .jar files as fully-featured "Applications" rather than restricting them to the limited privileges of in-browser "Applets". The fix taken in...
Crash when plugin removes itself on Mac OS X — Mozilla
FireBreath developer Richard Bateman reported a crash on Mac OS X that occurred when a plugin deletes its containing DOM frame during a call from that frame. The observed symptom is a null dereference but we cannot rule out the possibility that content from a scriptable plugin such as Flash could...
Code execution via NoWaiverWrapper — Mozilla
Mozilla security researcher mozbugra4 reported that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. This could result in elevated privilege being granted to web content...
Multiple dangling pointer vulnerabilities — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative two instances of code which modifies SVG element lists failed to account for changes made to the list by user-supplied callbacks before accessing list elements. If a user-supplied callback deleted such an object, the...
WebGLES vulnerabilities — Mozilla
Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature and fixed in Firefox 4.0.1. In addition the WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions. The WebGL feature was introduced in Firefox 4; old...
Use-after-free error in JSON.stringify — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a method used by JSON.stringify contained a use-after-free error in which a currently in-use pointer was freed and subsequently dereferenced. This could lead to arbitrary code execution if an attacker was able to...
Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
XSS hazard in multiple character encodings — Mozilla
Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS attacks due to some characters being converted to angle brackets when displayed by the rendering engine. Sites using these character...
Crash and remote code execution using HTML tags inside a XUL tree — Mozilla
Security researcher wushi of team509 reported that when a XUL tree had an HTML element nested inside a element then code attempting to display content in the XUL tree would incorrectly treat the element as a parent node to tree content underneath it resulting in incorrect indexes being calculated...
Dangling pointer vulnerability in LookupGetterOrSetter — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.lookupGetter is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent...
Dangling pointer vulnerability using DOM plugin array — Mozilla
Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser an...
Frameset integer overflow vulnerability — Mozilla
Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of colum...
Crash and remote code execution in normalizeDocument — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so...
Heap buffer overflow in nsTextFrameUtils::TransformText — Mozilla
Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is...