Description
Multiple serious vulnerabilitieswere found in Mozilla Firefox and Mozilla Firefox ESR. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, gain privileges, perform cross-site scripting attack, spoof user interface, cause denial of service.
Below is a complete list of vulnerabilities:
- Buffer overflow vulnerability can be exploited remotely via manipulating the SVG animatedPathSegList through script to cause denial of service;
- A use-after-free vulnerability can be exploited remotely to cause denial of service;
- An unspecified vulnerability in parameters of IPC messegas can be exploited remotely to cause denial of service;
- An unspecified vulnerability in WebRTC connections can be exploited remotely to cause denial of service;
- An unspecified vulnerability in fetch() API can be exploited remotely to bypass security restrictions;
- An unspecified vulnerability in the Find API for WebExtensions can be exploited remotely to obtain sensitive information;
- An unspecified vulnerability related to changing of app.support.baseURL preference can be exploited remotely to perform cross site scripting (XSS) attack;
- An unspecified vulnerability in WebExtensions can be exploited remotely to bypass security restrictions;
- An unspecified vulnerability in WebExtensions can be exploited remotely to perform cross site scripting (XSS) attack;
- An unspecified vulnerability related to creating of shared worker from
data:URL can be exploited remotely to bypass security restrictions; - A spoofing vulnerability related to opening malicious site in Android Custom Tab with extremely long domain name can be exploited remotely to spoof user interface;
- An unspecified vulnerability related to
moz-icon:protocol can be exploited remotely to obtain sensitive information; - An unspecified vulnerability in the notifications Push API can be exploited remotely to cause denial of service;
- An unspecified vulnerability related to Media Capture and Streams API permissions can be exploited remotely to spoof user interface;
- An unspecified vulnerability related to URLs using
javascript:can be exploited remotely to perform cross site scripting (XSS) attack; - Multiple memory corruption vulnerabilities can be exploited remotely to execute arbitrary code;
- An integer overflow vulnerability related to conversion of text to some Unicode characters can be exploited remotely to cause denial of service;
- An integer overflow vulnerability can be exploited remotely to cause denial of service;
- An out-of-bounds memory write in libvorbis can be exploited remotely possibly to execute arbitrary code;
- Memory corruption vulnerability can be exploited remotely to execute arbitrary code;
- A buffer overflow vulnerability can be exploited remotely via specially crafted script to cause denial of service;
- An out-of-bounds memory write vulnerability can be exploited remotely via specially crafted IPC messages to bypass security restrictions and execute arbitrary code.
Technical details
Vulnerabilities (2), (6)-(15) affects only Mozilla Firefox. Vulnerabilities (17, 18, 20) affects only Mozilla Firefox ESR. NB: This vulnerability does not have any public CVSS rating, so rating can be changed by the time.
Original advisories
Related products
CVE list
- CVE-2018-5127 high
- CVE-2018-5129 warning
- CVE-2018-5144 critical
- CVE-2018-5125 high
- CVE-2018-5145 critical
- CVE-2018-5136 warning
- CVE-2018-5126 critical
- CVE-2018-5134 warning
- CVE-2018-5137 warning
- CVE-2018-5132 warning
- CVE-2018-5133 warning
- CVE-2018-5142 warning
- CVE-2018-5138 warning
- CVE-2018-5143 warning
- CVE-2018-5130 high
- CVE-2018-5128 critical
- CVE-2018-5131 warning
- CVE-2018-5140 warning
- CVE-2018-5141 high
- CVE-2018-5135 warning
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com
Found an inaccuracy in the description of this vulnerability? Let us know!