Description:
Summary: Mozilla Firefox is prone to multiple vulnerabilities.
Vulnerability Insight: Multiple flaws exist due to:
- Multiple use-after-free errors, buffer overflow errors, memory safety bugs and integer overflow errors.
- WebExtensions can save and execute files on local file system without user prompts.
- Developer Tools can expose style editor information cross-origin through service worker.
- Printing process will follow symlinks for local file access.
- Manually entered blob URL can be accessed by subsequent private browsing tabs.
- Audio capture prompts and starts with incorrect origin attribution.
- URL spoofing in the address bar through drag and drop.
- Extension development tools panel can open a non-relative URL in the panel.
- WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow.
- The old value of a cookie changed to HttpOnly remains accessible to scripts.
- Background network requests can open HTTP authentication in unrelated foreground tabs.
- WebExtension ActiveTab permission allows cross-origin frame content access.
- URL spoofing with right-to-left text aligned left-to-right.
- Activity Stream images can attempt to load local content through file:.
- Reader view will load cross-origin content in violation of CORS headers.
Vulnerability Impact: Successful exploitation of these vulnerabilities will allow remote attackers to execute arbitrary code on the affected system, cause a denial-of-service condition, gain escalated privileges, gain access to sensitive data, conduct phishing attacks, make use of an old cookie value, gain cross-origin frame content access, and conduct spoofing and domain name spoofing attacks.
Affected Software/OS: Mozilla Firefox versions before 58.
Solution: Update to version 58 or later.
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C