mozilla: multiple vulnerabilities
Package(s): firefox nspr nss xulrunner seamonkey
CVE #(s): CVE-2015-7185 CVE-2015-7186 CVE-2015-7190 CVE-2015-7191 CVE-2015-7192
Created: November 10, 2015
Updated: November 30, 2015
Description: From the CVE entries:
Mozilla Firefox before 42.0 on Android does not ensure that the address bar is restored upon fullscreen-mode exit, which allows remote attackers to spoof the address bar via crafted JavaScript code. (CVE-2015-7185)

Mozilla Firefox before 42.0 on Android allows user-assisted remote attackers to bypass the Same Origin Policy and trigger (1) a download or (2) cached profile-data reading via a file: URL in a saved HTML document. (CVE-2015-7186)

The Search feature in Mozilla Firefox before 42.0 on Android through 4.4 supports search-engine URL registration through an intent and can access this URL in a privileged context in conjunction with the crash reporter, which allows attackers to read log files and visit file: URLs of HTML documents via a crafted application. (CVE-2015-7190)

Mozilla Firefox before 42.0 on Android improperly restricts URL strings in intents, which allows attackers to conduct cross-site scripting (XSS) attacks via vectors involving an intent: URL and fallback navigation, aka "Universal XSS (UXSS)." (CVE-2015-7191)

The accessibility-tools feature in Mozilla Firefox before 42.0 on OS X improperly interacts with the implementation of the TABLE element, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using an NSAccessibilityIndexAttribute value to reference a row index. (CVE-2015-7192)