CVE-2018-5130
- EPSS 2.39%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 25.11.2025 17:50:16
When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
CVE-2018-5131
- EPSS 2.32%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 25.11.2025 17:50:16
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored...
CVE-2018-5132
- EPSS 1.49%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:10
The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. This could allow a malicious WebExtension to search for otherwise protected data if a user has it open. This vulnerability a...
CVE-2018-5133
- EPSS 1.54%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:10
If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" d...
CVE-2018-5136
- EPSS 1.64%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:11
A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy. This vulnerability affects Firefox < 59.
CVE-2018-5137
- EPSS 1.68%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:11
A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script. This script does this by using a maliciously crafted path string to reference the resources. Note: this vulnerability does not affect...
CVE-2018-5140
- EPSS 1.32%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:11
Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. This could allow for information leakage of which applications are associated with specific MIME types by a malicious p...
CVE-2018-5141
- EPSS 1.61%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:11
A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction. This could be used to open new tabs in a denial of service (DOS) attack or to display unwanted conte...
CVE-2018-5142
- EPSS 1.21%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:11
If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to...
CVE-2018-5143
- EPSS 0.94%
- Veröffentlicht 11.06.2018 21:29:14
- Zuletzt bearbeitet 21.11.2024 04:08:11
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will e...