Test ID: | 1.3.6.1.4.1.25623.1.2.1.2018.26 |
Category: | General |
Title: | Mozilla Firefox Security Advisory (MFSA2018-26) - Linux |
Summary: | This host is missing a security update for Mozilla Firefox. |
Description: |
Summary: This host is missing a security update for Mozilla Firefox.

Vulnerability Insight:

CVE-2018-12392: Crash with nested event loops
When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling.

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. Note: 64-bit builds are not vulnerable to this issue.

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting
By rewriting the Host request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted.

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts
A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run.

CVE-2018-12397: Missing warning prompt when WebExtension requests local file access
A WebExtension can request access to local files without the warning prompt stating that the extension will 'Access your data for all websites' being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened.

CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs
By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP).

CVE-2018-12402: WebBrowserPersist uses incorrect origin information
The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of 'Save Page As...' functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the 'Save Page As...' menu item is selected to save a page, which can result in ...

[Please see the references for more information on the vulnerabilities]

Affected Software/OS: Firefox version(s) below 63.

Solution: The vendor has released an update. Please see the reference(s) for more information.

CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2018-12388
BugTraq ID: 105721
http://www.securityfocus.com/bid/105721
http://www.securitytracker.com/id/1041944
https://usn.ubuntu.com/3801-1/

Common Vulnerability Exposure (CVE) ID: CVE-2018-12390
BugTraq ID: 105718
http://www.securityfocus.com/bid/105718
BugTraq ID: 105769
http://www.securityfocus.com/bid/105769
Debian Security Information: DSA-4324
https://www.debian.org/security/2018/dsa-4324
Debian Security Information: DSA-4337
https://www.debian.org/security/2018/dsa-4337
https://security.gentoo.org/glsa/201811-04
https://security.gentoo.org/glsa/201811-13
https://lists.debian.org/debian-lts-announce/2018/11/msg00008.html
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html
RedHat Security Advisories: RHSA-2018:3005
https://access.redhat.com/errata/RHSA-2018:3005
RedHat Security Advisories: RHSA-2018:3006
https://access.redhat.com/errata/RHSA-2018:3006
RedHat Security Advisories: RHSA-2018:3531
https://access.redhat.com/errata/RHSA-2018:3531
RedHat Security Advisories: RHSA-2018:3532
https://access.redhat.com/errata/RHSA-2018:3532
https://usn.ubuntu.com/3868-1/

Common Vulnerability Exposure (CVE) ID: CVE-2018-12392
Common Vulnerability Exposure (CVE) ID: CVE-2018-12393
Common Vulnerability Exposure (CVE) ID: CVE-2018-12395
Common Vulnerability Exposure (CVE) ID: CVE-2018-12396
Common Vulnerability Exposure (CVE) ID: CVE-2018-12397
Common Vulnerability Exposure (CVE) ID: CVE-2018-12398
Common Vulnerability Exposure (CVE) ID: CVE-2018-12399
Common Vulnerability Exposure (CVE) ID: CVE-2018-12401
Common Vulnerability Exposure (CVE) ID: CVE-2018-12402
Common Vulnerability Exposure (CVE) ID: CVE-2018-12403 |
Copyright | Copyright (C) 2021 Greenbone Networks GmbH |