1573 matches found
Possible file stealing through sftp protocol — Mozilla
On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server /tmp perhaps and lure the victim into loading it, the attacker could...
Persistent Autocomplete Denial of Service — Mozilla
Marcel reported that a malicious web page could perform a denial of service attack against the form autocomplete feature that would persist from session to session until the malicious form data was deleted. Filling a text field with millions of characters and submitting the form will cause the...
Privilege escalation by setting img.src to javascript: URI — Mozilla
mozbugra4 reports that the fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI...
Fixes for crashes with potential memory corruption (rv:1.8.0.4) — Mozilla
Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption that we presume is exploitable...
Crashes with evidence of memory corruption (rv:1.8.0.2) — Mozilla
As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough...
Downloading executables with "Save Image As..." — Mozilla
By layering a transparent image link to an executable on top of a visible and presumably desirable image a malicious site might be able to convince some visitors to right-click and choose "Save image as..." from the context menu and fool them by giving them the executable instead. When the users...
Privilege escalation using crypto.generateCRMFRequest — Mozilla
shutdown demonstrated that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user, which could enable an attacker to install malware...
CSS Letter-Spacing Heap Overflow Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative discovered an integer overflow triggered by the CSS letter-spacing property. This results in in under-allocating memory and ultimately a heap buffer overflow which could be exploited to run code of the attacker's choice...
Long document title causes startup denial of service — Mozilla
Web pages with extremely long titles--the public demonstration had a title 2.5 million characters long--cause subsequent launches of the browser to appear to "hang" for up to a few minutes, or even crash if the computer has insufficient memory...
JavaScript garbage-collection hazards — Mozilla
Garbage collection hazards have been found in the JavaScript engine where some routines used temporary variables that were not properly protected rooted. Specially crafted objects could contain a user-defined method that would be called during the lifetime of these temporaries. If this method...
Plugins can be used to load privileged content — Mozilla
Plugins such as flash can be used to load privileged content into a frame. Once loaded various spoofs can be applied to get the user to interact with the privileged content. Michael Krax's "Fireflashing" example demonstrates that an attacker can open about:config in a frame, hide it with an opaci...
Security Vulnerabilities fixed in Firefox ESR 115.26 — Mozilla
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM brtable instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...
Security Vulnerabilities fixed in Firefox ESR 128.8 — Mozilla
In resizeToAtLeast of SkRegion.cpp, there was a possible out of bounds write due to an integer overflow On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. It was possibl...
Security Vulnerabilities fixed in Thunderbird 115.13 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when...
Security Vulnerabilities fixed in Firefox ESR 102.14 — Mozilla
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect...
Security Vulnerabilities fixed in Firefox for iOS 102 — Mozilla
Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header...
Security Vulnerabilities fixed in Firefox for iOS 101 — Mozilla
The search term could have been specified externally to trigger SQL injection...
JavaScript garbage collection crash with Java applet — Mozilla
Mozilla community member Vytautas Staraitis reported an issue with the interaction of Java applets and JavaScript. The Java plugin can deallocate a JavaScript wrapper when it is still in use, which leads to a JavaScript garbage collection crash. This crash is potentially exploitable...
Site attribute spoofing on Android by pasting URL with unknown scheme — Mozilla
Security researcher Jordi Chancel reported that on Firefox for Android, when a URL is pasted with an unknown protocol, such as secure: or httpz:, the pasted URL is shown in the addressbar but no navigation occurs. Other addressbar attributes present before this pasted URL is entered will continue...
Buffer overflow in libstagefright during MP4 video playback — Mozilla
Security researcher Pantrombka reported a buffer overflow in the libstagefright library during video playback when certain invalid MP4 video files led to the allocation of a buffer that was too small for the content. This led to a potentially exploitable crash...
Buffer overflow while parsing media content — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow during the parsing of media content. This leads to a potentially exploitable crash...
IFRAME sandbox same-origin access through redirect — Mozilla
Mozilla developer Boris Zbarsky discovered an issue where network-level redirects cause an sandbox to forget its unique origin and behave as if the allow-same-origin keyword were applied. This allows the sandboxed content to access other content from the same origin without explicit approval...
Calling scope for new Javascript objects can lead to memory corruption — Mozilla
Mozilla community member Ms2ger found a mechanism where a new Javascript object with a compartment is uninitialized could be entered through web content. When the scope for this object is called, it leads to a potentially exploitable crash...
CSRF risk with plugins and 307 redirects — Mozilla
Independent security researcher Kuza55 and Microsoft security researcher Tom Gallagher reported that when plugin-initiated requests receive a 307 redirect response, the plugin is not notified and the request is forwarded to the new location. This is true even for cross-site redirects, so any cust...
XSS via plugins and unprotected Location object — Mozilla
Mozilla developer Blake Kaplan reported that the window.location object was made a normal overridable JavaScript object in the Firefox 3.6 browser engine Gecko 1.9.2 because new mechanisms were developed to enforce the same-origin policy between windows and frames. This object is unfortunately al...
Heap/integer overflows in font glyph rendering libraries — Mozilla
oCERT security researcher Will Drewry reported a series of heap and integer overflow vulnerabilities which independently affected multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An...
XSS hazard using third-party stylesheets and XBL bindings — Mozilla
Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To...
Escaped null characters ignored by CSS parser — Mozilla
Kojima Hajime reported that unlike literal null characters which were handled correctly, the escaped form '\0' was ignored by the CSS parser and treated as if it was not present in the CSS input string. This issue could potentially be used to bypass script sanitization routines in web application...
Crashes with evidence of memory corruption (rv:1.8.1.15) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Crash in JavaScript garbage collector — Mozilla
Fixes for security problems in the JavaScript engine described in MFSA 2008-15 CVE-2008-1237 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this...
Privilege escalation through chrome-loaded about:blank windows — Mozilla
Mozilla researcher mozbugra4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways including implicit "about:blank" document creation through data: or...
Concurrency-related vulnerability — Mozilla
Jonathan Watt and Michal Zalewski independently reported timing dependent testcases that trigger crashes at the same place during text display. We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be...
Privilege escalation using named-functions and redefined "new Object()" — Mozilla
mozbugra4 discovered that named JavaScript functions have a parent object created using the standard Object constructor ECMA-specified behavior and that this constructor can be redefined by script also ECMA-specified behavior. If the Object constructor is changed to return a reference to a...
Buffer overflow in crypto.signText() — Mozilla
Mikolaj Habryn discovered an array index bug in crypto.signText that results in overflowing an allocated array of pointers by two when optional Certificate Authority name arguments are passed in...
EvalInSandbox escape (Proxy Autoconfig, Greasemonkey) — Mozilla
Mozilla researcher mozbugra4 demonstrated that javascript run via EvalInSandbox can escape the sandbox and gain elevated privilege by calling valueOf on objects created outside the sandbox and inserted into it. Malicious scripts could use these privileges to compromise your computer or data...
Cross-site JavaScript injection using event handlers — Mozilla
shutdown reported a method of injecting running JavaScript code into a page on another site using a modal alert to suspend an event handler while a new page is being loaded. This vulnerability allows an attacker to steal any confidential information the new page might contain, including any...
Memory corruption via QueryInterface on Location, Navigator objects — Mozilla
Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code...
Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 — Mozilla
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild...
Security Vulnerabilities fixed in Firefox ESR 102.13 — Mozilla
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. A website could have...
Security Vulnerabilities fixed in Firefox ESR 102.6 — Mozilla
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.This bug only affects Firefox for Linux. Oth...
Security Vulnerabilities fixed in Firefox for iOS 34 — Mozilla
When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode...
OAuth session fixation vulnerability in Mozilla VPN — Mozilla
An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP...
Content provider permission bypass allows malicious application to access data — Mozilla
Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of...
Use-after-free when using multiple WebRTC data channels — Mozilla
Security researcher Dominique Hazaël-Massieux reported a use-after-free issue when using multiple WebRTC data channel connections. This causes a potentially exploitable crash when a data channel connection is freed from within a call through it...
Firefox allows for control characters to be set in cookies — Mozilla
Security researcher musicDespiteEverything reported an issue when ASCII code 11 for vertical tab is stored in a cookie in violation of RFC6265. This may result in incorrect cookie handling by servers, resulting in the potential ability to set cookie values and read cookie data from users in conce...
Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems — Mozilla
Security researcher Francisco Alonso of the NowSecure Research Team used the Address Sanitizer tool to discover an out-of-bounds read issue during 2D canvas rendering. This was due to an issue in the cairo graphics library when surfaces are created with 32-bit color depth but displayed on a 16-bi...
Profile directory file access through file: protocol — Mozilla
Security researcher Yu Dongsong reported on Firefox for Android that a file: protocol hyperlink could link to a local file in the Firefox profile directory, bypassing access restrictions. This issue was previously addressed in Mozilla Foundation Security Advisory 2014-33 but not completely...
Debugger can bypass XrayWrappers with JavaScript — Mozilla
Mozilla developer Boris Zbarsky discovered that the debugger will work with some objects while bypassing XrayWrappers. This could lead to privilege escalation if the victim used the debugger to interact with a malicious page...
Use-after-free when updating offline cache — Mozilla
Security researcher Byoungyoung Lee of Georgia Tech Information Security Center GTISC used the Address Sanitizer tool to discover a use-after-free during state change events while updating the offline cache. This leads to a potentially exploitable crash...
XrayWrappers exposes chrome-only properties when not in chrome compartment — Mozilla
Mozilla developer Peter Van der Beken discovered that same-origin XrayWrappers expose chrome-only properties even when not in a chrome compartment. This can allow web content to get properties of DOM objects that are intended to be chrome-only...