SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Browser)  >   Mozilla Firefox
Vendors:   Mozilla.org
Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
SecurityTracker Alert ID:  1041193
SecurityTracker URL:  http://securitytracker.com/id/1041193
CVE Reference:   CVE-2018-12358, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12368, CVE-2018-12369, CVE-2018-12370, CVE-2018-12371, CVE-2018-5156, CVE-2018-5186
Updated:  Jun 27 2018
Original Entry Date:  Jun 27 2018
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 61.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site request forgery attacks. A remote user can bypass security controls on the target system. A remote user can obtain potentially sensitive information on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A buffer overflow may occur when rendering canvas content [CVE-2018-12359].

A use-after-free memory error may occur when using focus() [CVE-2018-12360].

An integer overflow may occur in the SwizzleData code while calculating buffer sizes [CVE-2018-12361].

An integer overflow may occur during graphics operations in the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler [CVE-2018-12362].

A segmentation fault may occur in the media recorder when the track type is changed during capture [CVE-2018-5156].

A use-after-free memory error may occur when script uses mutation events to append DOM nodes [CVE-2018-12363].

An integer overflow may occur in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM [CVE-2018-12371].

Other memory corruption errors may occur [CVE-2018-5186].

The browser does not warn users when opening executable files with the SettingContent-ms extension [CVE-2018-12368]. Windows-based systems are affected.

WebExtensions bundled with embedded experiments do not properly check access controls. A WebExtension can gain full browser permissions [CVE-2018-12369].

An NPAPI plugin can send non-simple requests to bypass cross-origin restrictions and conduct cross-site request forgery (CSRF) attacks [CVE-2018-12364].

An IPC child process can escape the content sandbox and list the names of arbitrary files on the file system [CVE-2018-12365].

An out-of-bounds memory read error may occur during QCMS color profile transformations [CVE-2018-12366].

The PerformanceNavigationTiming method can be used as a precision timer to attempt to bypass Spectre mitigations [CVE-2018-12367].

SameSite cookie protections are not validated in Reader View. A user can bypass cross-site request forgery protection [CVE-2018-12370].

A remote user can bypass same-origin restrictions via service workers and redirection [CVE-2018-12358].

Abdulrahman Alqabandi, Alex Gaynor, Andrea Marchesini, Ben Kelly, Boris Zbarsky, Christian Holler, Christoph Diehl, David Black, David Major, F. Alonso (revskills), Gary Kwong, Jason Kratzer, Jean-Yves Avenard, Jon Coppeard, Jonathan Kingston, Jun Kokatsu, Marcia Knous, Nicolas B. Pierron, Nils, Nils Ohlmeier, OSS-Fuzz, R, Randell Jesup, Ronald Crane, Sebastian Hengst, Ted Campbell, and anonymous reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can take actions on the target system acting as the target authenticated user.

A remote user can bypass security controls on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (61.0).

The vendor has issued a fix for CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12368, CVE-2018-12369, CVE-2018-12371, and CVE-2018-5156 (ESR 60.1).

The vendor has issued a fix for CVE-2018-12359, CVE-2018-12360, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12368, and CVE-2018-5156 (ESR 52.9).

The vendor advisories are available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2018-15/
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 28 2018 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Jun 28 2018 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Jul 3 2018 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Oracle Linux 7.
Jul 5 2018 (Ubuntu Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.10, and 18.04 LTS.
Jul 25 2018 (Red Hat Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Red Hat has issued a fix for Mozilla Thunderbird for Red Hat Enterprise Linux 6.
Jul 25 2018 (Red Hat Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Red Hat has issued a fix for Mozilla Thunderbird for Red Hat Enterprise Linux 7.
Jul 26 2018 (Oracle Issues Fix for Oracle Linux for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Mozilla Thunderbird for Oracle Linux 7.
Jul 26 2018 (Oracle Issues Fix for Oracle Linux for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Mozilla Thunderbird for Oracle Linux 6.
Jul 26 2018 (Oracle Issues Fix for Oracle Linux for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Mozilla Thunderbird for Oracle Linux 7.
Aug 8 2018 (Mozilla Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Mozilla has issued a fix for Mozilla Thunderbird.

Copyright 2019, SecurityGlobal.net LLC