Skip to main content
CVE-2018-5163 HIGH This Week

If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
8.1
EPSS
2.1%
CVE-2018-5105 HIGH This Week

WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox Ubuntu Linux
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2018-6515 HIGH This Week

Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Windows only, with a specially crafted configuration file an attacker could get. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Microsoft RCE Puppet
NVD
CVSS 3.0
7.8
EPSS
0.8%
CVE-2018-6514 HIGH This Week

In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Puppet
NVD
CVSS 3.0
7.8
EPSS
0.8%
CVE-2018-5184 HIGH This Week

Using remote content in encrypted messages can lead to the disclosure of plaintext. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Debian Linux Thunderbird Thunderbird Esr +8
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2018-5182 HIGH This Week

If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local file will be opened. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
7.5
EPSS
2.1%
CVE-2018-5180 HIGH This Week

A use-after-free vulnerability can occur during WebGL operations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Memory Corruption Denial Of Service Use After Free Firefox +1
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2018-5177 HIGH This Week

A vulnerability exists in XSLT during number formatting where a negative buffer size may be allocated in some instances, leading to a buffer overflow and crash if it occurs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Ubuntu Linux Firefox
NVD
CVSS 3.0
7.5
EPSS
3.9%
CVE-2018-5174 HIGH This Week

In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure Firefox Thunderbird +1
NVD
CVSS 3.0
7.5
EPSS
1.9%
CVE-2018-5166 HIGH This Week

WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Privilege Escalation Ubuntu Linux Firefox
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2018-5162 HIGH This Week

Plaintext of decrypted emails can leak through the src attribute of remote images, or links. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +7
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2018-5160 HIGH This Week

WebRTC can use a "WrappedI420Buffer" pixel buffer but the owning image object can be freed while it is still in use. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Memory Corruption Denial Of Service Use After Free Ubuntu Linux +1
NVD
CVSS 3.0
7.5
EPSS
2.7%
CVE-2018-5157 HIGH This Week

Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +6
NVD
CVSS 3.0
7.5
EPSS
1.6%
CVE-2018-5153 HIGH This Week

If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Buffer Overflow Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-5137 HIGH This Week

A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-5136 HIGH This Week

A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Ubuntu Linux Firefox
NVD
CVSS 3.0
7.5
EPSS
1.6%
CVE-2018-5135 HIGH This Week

WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
CVSS 3.0
7.5
EPSS
1.5%
CVE-2018-5134 HIGH This Week

WebExtensions may use "view-source:" URLs to view local "file:" URL content, as well as content stored in "about:cache", bypassing restrictions that only allow WebExtensions to view specific content. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-5115 HIGH This Week

If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
2.6%
CVE-2018-5113 HIGH This Week

The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
2.1%
CVE-2018-5112 HIGH This Week

Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Path Traversal Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2018-5101 HIGH This Week

A use-after-free vulnerability can occur when manipulating floating "first-letter" style elements, resulting in a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Memory Corruption Denial Of Service Use After Free Firefox +1
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2018-5100 HIGH This Week

A use-after-free vulnerability can occur when arguments passed to the "IsPotentiallyScrollable" function are freed while still in use by scripts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Memory Corruption Denial Of Service Use After Free Firefox +1
NVD
CVSS 3.0
7.5
EPSS
5.4%
CVE-2018-5094 HIGH This Week

A heap buffer overflow vulnerability may occur in WebAssembly when "shrinkElements" is called followed by garbage collection on memory that is now uninitialized. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
15.4%
CVE-2018-5093 HIGH This Week

A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
20.0%
CVE-2018-12093 HIGH This Week

tinyexr 0.9.5 has a memory leak in ParseEXRHeaderFromMemory in tinyexr.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tinyexr
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2018-12089 HIGH This Week

In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Information Disclosure Octopus Server
NVD GitHub
CVSS 3.0
7.5
EPSS
0.9%
CVE-2018-12025 HIGH This Week

The transferFrom function of a smart contract implementation for FuturXE (FXE), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized transfer of digital assets because of a logic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Futurxe
NVD
CVSS 3.0
7.5
EPSS
1.6%
CVE-2018-5144 HIGH This Week

An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Mozilla Buffer Overflow Enterprise Linux Desktop Enterprise Linux Server +7
NVD
CVSS 3.0
7.3
EPSS
3.3%
CVE-2018-5185 MEDIUM This Month

Plaintext of decrypted emails can leak through by user submitting an embedded form. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +7
NVD
CVSS 3.0
6.5
EPSS
1.6%
CVE-2018-5169 MEDIUM This Month

If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
6.5
EPSS
1.4%
CVE-2018-5152 MEDIUM PATCH This Month

WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.7%
CVE-2018-5133 MEDIUM This Month

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-5132 MEDIUM This Month

The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-5111 MEDIUM This Month

When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.6%
CVE-2018-10360 MEDIUM PATCH This Month

The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Denial Of Service Buffer Overflow File Ubuntu Linux +1
NVD GitHub
CVSS 3.0
6.5
EPSS
3.4%
CVE-2018-5176 MEDIUM This Month

The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
6.1
EPSS
1.4%
CVE-2018-5175 MEDIUM This Month

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Ubuntu Linux Firefox
NVD
CVSS 3.0
6.1
EPSS
1.5%
CVE-2018-5164 MEDIUM This Month

Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Ubuntu Linux
NVD
CVSS 3.0
6.1
EPSS
1.6%
CVE-2018-5143 MEDIUM This Month

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Ubuntu Linux
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-5131 MEDIUM This Month

Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Debian Linux Firefox Enterprise Linux Desktop +5
NVD
CVSS 3.0
5.9
EPSS
2.3%
CVE-2018-5173 MEDIUM This Month

The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
5.3
EPSS
1.8%
CVE-2018-5168 MEDIUM This Month

Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Debian Linux Firefox Thunderbird +8
NVD
CVSS 3.0
5.3
EPSS
2.4%
CVE-2018-5142 MEDIUM This Month

If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.2%
CVE-2018-5140 MEDIUM This Month

Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.3%
CVE-2018-5138 MEDIUM This Month

A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2018-5121 MEDIUM This Month

Low descenders on some Tibetan characters in several fonts on OS X are clipped when rendered in the addressbar. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.0
5.3
EPSS
1.5%
CVE-2018-5119 MEDIUM This Month

The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.6%
CVE-2018-5118 MEDIUM This Month

The screenshot images displayed in the Activity Stream page displayed when a new tab is opened is created from the meta tags of websites. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.6%
CVE-2018-5117 MEDIUM PATCH This Month

If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mozilla Information Disclosure Debian Linux Enterprise Linux Enterprise Linux Desktop +7
NVD
CVSS 3.0
5.3
EPSS
2.4%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy