Description
Multiple serious vulnerabilities have been found in Mozilla Firefox and Mozilla Firefox ESR. Malicious users can exploit these vulnerabilities to cause a denial of service, spoof the user interface, obtain sensitive information, execute arbitrary code, perform cross-site scripting attacks and bypass security restrictions.
Below is a complete list of vulnerabilities:
1. A buffer overflow vulnerability can be exploited remotely by manipulating the SVG animatedPathSegList through script to cause denial of service;
2. A use-after-free vulnerability can be exploited remotely to cause denial of service;
3. An unspecified vulnerability in parameters of IPC messages can be exploited remotely to cause denial of service;
4. An unspecified vulnerability in WebRTC connections can be exploited remotely to cause denial of service;
5. An unspecified vulnerability in the fetch() API can be exploited remotely to bypass security restrictions;
6. An unspecified vulnerability in the Find API for WebExtensions can be exploited remotely to obtain sensitive information;
7. An unspecified vulnerability related to changing the app.support.baseURL preference can be exploited remotely to perform a cross-site scripting (XSS) attack;
8. An unspecified vulnerability in WebExtensions can be exploited remotely to bypass security restrictions;
9. An unspecified vulnerability in WebExtensions can be exploited remotely to perform a cross-site scripting (XSS) attack;
10. An unspecified vulnerability related to creating a shared worker from a data: URL can be exploited remotely to bypass security restrictions;
11. A spoofing vulnerability related to opening a malicious site in an Android Custom Tab with an extremely long domain name can be exploited remotely to spoof the user interface;
12. An unspecified vulnerability related to the moz-icon: protocol can be exploited remotely to obtain sensitive information;
13. An unspecified vulnerability in the notifications Push API can be exploited remotely to cause denial of service;
14. An unspecified vulnerability related to Media Capture and Streams API permissions can be exploited remotely to spoof the user interface;
15. An unspecified vulnerability related to URLs using javascript: can be exploited remotely to perform a cross-site scripting (XSS) attack;
16. Multiple memory corruption vulnerabilities can be exploited remotely to execute arbitrary code;
17. An integer overflow vulnerability related to conversion of text to some Unicode characters can be exploited remotely to cause denial of service.
Technical details
Vulnerabilities (2), (6)-(15) affect only Mozilla Firefox.
Vulnerability (17) affects only Mozilla Firefox ESR.
NB: This vulnerability does not have a public CVSS rating, so the rating may change over time.
Original advisories
CVE list
- CVE-2018-2125 critical
- CVE-2018-2144 critical
- CVE-2018-2145 critical
- CVE-2018-2127 critical
- CVE-2018-2128 critical
- CVE-2018-2129 critical
- CVE-2018-2130 critical
- CVE-2018-2131 critical
- CVE-2018-2132 critical
- CVE-2018-2133 critical
- CVE-2018-2134 critical
- CVE-2018-2135 critical
- CVE-2018-2136 critical
- CVE-2018-2137 critical
- CVE-2018-2138 critical
- CVE-2018-2140 critical
- CVE-2018-2141 critical
- CVE-2018-2142 critical
- CVE-2018-2143 critical
- CVE-2018-2126 critical