Description:
Summary: Mozilla Firefox is prone to multiple vulnerabilities.
Vulnerability Insight: Multiple flaws exist due to:
- Sandbox escape via installation of malicious language pack.
- Script injection within domain through inner window reuse.
- A use-after-free issue with HTTP/2 cached stream.
- NeckoChild can trigger crash when accessed off of main thread.
- Empty or malformed p256-ECDH public keys may trigger a segmentation fault.
- HTML parsing error can contribute to content XSS.
- Sandbox can be bypassed as globalThis is not enumerable until accessed.
- Improper escaping of caret character.
- An out-of-bounds read issue when importing curve25519 private key.
- Same-origin policy treats all files in a directory as having the same origin.
- Activity Stream writes unsanitized content to innerHTML.
- Domain spoofing through Unicode Latin 'kra'.
- Cookie leakage during fetching add-ons across private browsing boundaries.
- Unnecessary troubleshooting permissions.
- Bypassing of safebrowsing protections through websockets.
- Port scanning through Alt-Svc header.
- Memory safety bugs.
Vulnerability Impact: Successful exploitation allows attackers to execute arbitrary code in the context of the browser, bypass certain security restrictions to perform unauthorized actions, or to steal cookie-based authentication credentials.
Affected Software/OS: Mozilla Firefox versions before 68 on Windows.
Solution: Update to Mozilla Firefox 68 or later. Please see the references for more information.
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P