1574 matches found
Use-after-free in nsHTMLSelectElement — Mozilla
Security researcher regenrecht reported a flaw that affected Firefox versions 4 through 8 via TippingPoint's Zero Day Initiative. This flaw is a use-after-free in nsHTMLSelectElement when the parent node of the element is no longer active and could allow for possible remote code execution...
Potential XSS via multibyte content processing errors — Mozilla
Anne van Kesteren of Opera Software found a multi-octet encoding issue where certain octets will destroy the following octets in the processing of some multibyte character sets. This can leave users vulnerable to cross-site scripting XSS attacks on maliciously crafted web pages...
nsSVGValue out-of-bounds access — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler...
Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Security Vulnerabilities fixed in Thunderbird 115.0.1 — Mozilla
During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash. Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in...
Security Vulnerabilities fixed in Firefox ESR 68.12 — Mozilla
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to ...
Out-of-bounds read in HTML parser following a failed allocation — Mozilla
Security researcher Ronald Crane reported an out-of-bounds read following a failed allocation in the HTML parser while working with unicode strings. This can also affect the parsing of XML and SVG format data. This leads to a potentially exploitable crash...
Errors in mp_div and mp_exptmod cryptographic functions in NSS — Mozilla
Security researcher Hanno Böck reported that calculations with mpdiv and mpexptmod in Network Security Services NSS can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses...
Crash when accessing HTML tables with accessibility tools on OS X — Mozilla
Mozilla developer Frédéric Wang reported an issue affecting accessibility tools on OS X. This occurs when when an accessibility tool requests the index of a table row through the NSAccessibilityIndexAttribute value. This was caused by an error in how HTML tables are exposed to accessibility tools...
Use-after-free due to type confusion flaws — Mozilla
Security researcher Nils used the Address Sanitizer tool to discover two type confusion flaws. The first of these occurs while setting specific attributes of a source element resulting in incorrect object casting. The second flaw occurs when binding a source to a tree when the function fails to...
Crash using DrawTarget in Cairo graphics library — Mozilla
Security researcher Atte Kettunen used the Address Sanitizer tool to discover a crash while drawing images through the Cairo graphics library while using the DrawTarget function. This can result in a segmentation fault due to zero-ing out of memory outside the bounds of the image...
Privileged access to security wrapped protected objects — Mozilla
Mozilla developer Bobby Holley discovered two issues involving security wrappers...
Use-after-free while when manipulating certificates in the trusted cache — Mozilla
Security researchers Tyson Smith and Jesse Schwartzentruber used the Address Sanitizer tool while fuzzing to discover a use-after-free error resulting in a crash. This is a result of a pair of NSSCertificate structures being added to a trust domain and then one of them is removed while they are...
Memory corruption in Cairo during PDF font rendering — Mozilla
Security researcher John Thomson discovered a memory corruption in the Cairo graphics library during font rendering of a PDF file for display. This memory corruption leads to a potentially exploitable crash and to a denial of service DOS. This issues is not able to be triggered in a default...
GetElementIC typed array stubs can be generated outside observed typesets — Mozilla
Mozilla developer Eric Faust reported that during JavaScript compilation GetElementIC typed array stubs can be generated outside observed typesets. This could lead to unpredictable behavior with a potential security impact...
Use-after-free in serializeToStream — Mozilla
Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited...
Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Spoofing issue with location — Mozilla
Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used f...
Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
SVG issues found with Address Sanitizer — Mozilla
Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is...
Cross-domain data theft using CSS — Mozilla
Google security researcher Chris Evans reported that data can be read across domains by injecting bogus CSS selectors into a target site and then retrieving the data using JavaScript APIs. If an attacker can inject opening and closing portions of a CSS selector into points A and B of a target pag...
Security Vulnerabilities fixed in Firefox ESR 102.15 — Mozilla
When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been create...
Security Vulnerabilities fixed in Firefox ESR 78.10.1 — Mozilla
The Mozilla Maintenance Service granted SERVICESTART access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating if an attacker spammed the 'Stop' command; but also...
Security Vulnerabilities fixed in Firefox ESR 78.9 — Mozilla
A transient execution vulnerability, named Floating Point Value Injection FPVI allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. A related vulnerability, Speculative Code Store Bypass SCSB, did not affect Firefox. A texture upload of a...
Security Vulnerabilities fixed in Firefox ESR 78.2 — Mozilla
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to ...
Security Vulnerabilities fixed in Firefox ESR 68.11 — Mozilla
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is...
Security vulnerabilities fixed in Thunderbird 68 — Mozilla
When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did...
Security vulnerabilities fixed in Thunderbird 60.8 — Mozilla
As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. When an inner window is reused, it does not consider the use of document.domain for cross-origin...
Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback — Mozilla
An anonymous security researcher working with Trend Micro's Zero Day Initiative reported a buffer overflow in the ClearKey Content Decryption Module CDM used by the Encrypted Media Extensions EME API. This vulnerability can be triggered using a malformed video file due to incorrect error handling...
Java applets bypass CSP protections — Mozilla
Mozilla engineer Matt Wobensmith reported that Content Security Policy CSP does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This...
Use-after-free when textures are used in WebGL operations after recycle pool destruction — Mozilla
Mozilla community member jomo reported a use-after-free crash when processing WebGL content. This issue was caused by the use of a texture after its recycle pool has been destroyed during WebGL operations, which frees the memory associated with the texture. This results in a potentially exploitab...
Miscellaneous memory safety hazards (rv:45.0 / rv:38.7) — Mozilla
Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run...
Same-origin-policy violation using Service Workers with plugins — Mozilla
Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests...
Use-after-free in NSS during SSL connections in low memory — Mozilla
Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability...
Use-after-free in WebRTC when datachannel is used after being destroyed — Mozilla
Security researcher Looben Yang reported a use-after-free error in WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still believe is has a datachannel open after another WebRTC function has closed it. This results in attempts to use the now destroyed datachannel...
Update OpenH264 plugin to version 1.3 — Mozilla
Mozilla and Cisco developers as well as security researcher Nils reported security and stability bugs affecting the OpenH264 plugin version 1.1. This plugin was available to Desktop Firefox 34 and 35 users as an on-demand download as needed. Security researchers Nils and Hanno Böck also reported...
Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) — Mozilla
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of the...
SVG filters information disclosure through feDisplacementMap — Mozilla
Mozilla developer Robert O'Callahan reported a mechanism for timing attacks involving SVG filters and displacements input to feDisplacementMap. This allows displacements to potentially be correlated with values derived from content. This is similar to the previously reported techniques used for S...
Miscellaneous memory safety hazards (rv:28.0 / rv:24.4) — Mozilla
Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least...
Script execution in HTML mail replies — Mozilla
Security researcher Fabián Cuchietti discovered that it was possible to bypass the restriction on JavaScript execution in mail by embedding an with a data: URL within a message. If the victim replied or forwarded the mail after receiving it, quoting it "in-line" using Thunderbird's HTML mail...
Profile path leaks to Android system log — Mozilla
Mozilla developer Roee Hay reported that Firefox for Android profile paths leak to the Android system log. When running on Android 4.2 or earlier, other applications are able to read these log files, leading to information disclosure from the user's profile directory. This issue was also...
Linux clipboard information disclosure though selection paste — Mozilla
Mozilla community member Vincent Lefevre reported that on Linux systems, web content can access data saved to the clipboard when a user attempts to paste a selection with a middle-click instead of pasting the selection content. This allows for possibly private data in the clipboard to be...
Arbitrary code execution within Profiler — Mozilla
Security researcher Mariusz Mlynski reported that when a user examines the profiler output on a malicious website containing specially crafted code, it is possible for arbitrary code execution to occur. This occurs because the profiler user interface runs in a special iframe that parses data from...
Cross-site scripting (XSS) using timed history navigations — Mozilla
Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the...
Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3) — Mozilla
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be...
Buffer overflow in Javascript string concatenation — Mozilla
Security researcher pakt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable...
Script entered into Developer Toolbar runs with chrome privileges — Mozilla
Security researcher Masato Kinugawa reported that when script is entered into the Developer Toolbar, it runs in a chrome privileged context. This allows for arbitrary code execution or cross-site scripting XSS if a user can be convinced to paste malicious code into the Developer Toolbar...
feed: URLs with an innerURI inherit security context of page — Mozilla
Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output...
X-Frame-Options header ignored when duplicated — Mozilla
Bugzilla developer Frédéric Buclin reported that the "X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protecte...
Code execution through javascript: URLs — Mozilla
Mozilla security researcher mozbugra4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are execute...