#CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location Reporter Holger Fuhrmannek Impact high Description Other operating systems are not affected.
Note: These attacks requires local system access and only affects Windows.
This allows for potential privilege escalation by a user with unprivileged local access. Additionally, there was a race condition during checks for junctions and symbolic links by the Maintenance Service, allowing for potential local file and directory manipulation to be undetected in some circumstances. The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access. #CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service Reporter Seb Patane Impact high Description The resulting same-origin policy violation could allow for data theft. #CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images Reporter Paul Stone Impact high DescriptionĪ same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a element due to an error in how same-origin policy is applied to cached image content. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. It is possible to pass a literal closing tag to. Some HTML elements, such as and, can contain literal angle brackets without treating them as markup. #CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML Reporter Rakesh Mane Impact high Description This results in a potentially exploitable crash. #CVE-2019-11746: Use-after-free while manipulating video Reporter Nils Impact high DescriptionĪ use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use.
AXWAY SECURE TRANSPORT VULNERABILITIES WINDOWS
Note: this issue only affects Firefox on Windows operating systems. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application.
AXWAY SECURE TRANSPORT VULNERABILITIES CODE
#CVE-2019-11751: Malicious code execution through command line parameters Reporter Ping Fan (Zetta) Ke of VXRL working with iDefense Labs Impact critical Description Mozilla Foundation Security Advisory 2019-25 Security vulnerabilities fixed in Firefox 69 Announced SeptemImpact critical Products Firefox Fixed in
0 kommentar(er)
