FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-09-18 07:05:22 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
5e4d7172-66b8-11ef-b104-b42e991fc52e	firefox -- multiple vulnerabilities security@mozilla.org reports: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. Discovery 2024-08-06 Entry 2024-08-30 firefox < 129.0,2 CVE-2024-7524 https://nvd.nist.gov/vuln/detail/CVE-2024-7524 CVE-2024-6610 https://nvd.nist.gov/vuln/detail/CVE-2024-6610 CVE-2024-6609 https://nvd.nist.gov/vuln/detail/CVE-2024-6609 CVE-2024-6608 https://nvd.nist.gov/vuln/detail/CVE-2024-6608
a3a1caf5-6ba1-11ef-b9e8-b42e991fc52e	firefox -- multiple vulnerabilities security@mozilla.org reports: This entry contains 8 vulnerabilities: CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. CVE-2024-8382: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. CVE-2024-8383: Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. CVE-2024-8384: The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. CVE-2024-8385: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. CVE-2024-8386: If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. CVE-2024-8387: Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. CVE-2024-8389: Memory safety bugs present in Firefox 129. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Discovery 2024-09-03 Entry 2024-09-05 firefox < 130.0_1,2 CVE-2024-8381 https://nvd.nist.gov/vuln/detail/CVE-2024-8381 CVE-2024-8382 https://nvd.nist.gov/vuln/detail/CVE-2024-8382 CVE-2024-8383 https://nvd.nist.gov/vuln/detail/CVE-2024-8383 CVE-2024-8384 https://nvd.nist.gov/vuln/detail/CVE-2024-8384 CVE-2024-8385 https://nvd.nist.gov/vuln/detail/CVE-2024-8385 CVE-2024-8386 https://nvd.nist.gov/vuln/detail/CVE-2024-8386 CVE-2024-8387 https://nvd.nist.gov/vuln/detail/CVE-2024-8387 CVE-2024-8389 https://nvd.nist.gov/vuln/detail/CVE-2024-8389
d0ac9a17-5e68-11ef-b8cc-b42e991fc52e	mozilla products -- spoofing attack security@mozilla.org reports: Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1. Discovery 2024-08-06 Entry 2024-08-19 firefox < 129,2 CVE-2024-7518 https://nvd.nist.gov/vuln/detail/CVE-2024-7518

VuXML ID

Description

5e4d7172-66b8-11ef-b104-b42e991fc52e

firefox -- multiple vulnerabilities

security@mozilla.org reports:

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.

Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode.

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.

It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window.

Discovery 2024-08-06
Entry 2024-08-30
firefox

< 129.0,2

CVE-2024-7524
https://nvd.nist.gov/vuln/detail/CVE-2024-7524
CVE-2024-6610
https://nvd.nist.gov/vuln/detail/CVE-2024-6610
CVE-2024-6609
https://nvd.nist.gov/vuln/detail/CVE-2024-6609
CVE-2024-6608
https://nvd.nist.gov/vuln/detail/CVE-2024-6608

a3a1caf5-6ba1-11ef-b9e8-b42e991fc52e

firefox -- multiple vulnerabilities

security@mozilla.org reports:

This entry contains 8 vulnerabilities:

CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment.

CVE-2024-8382: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console.

CVE-2024-8383: Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will.

CVE-2024-8384: The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption.

CVE-2024-8385: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability.

CVE-2024-8386: If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack.

CVE-2024-8387: Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2024-8389: Memory safety bugs present in Firefox 129. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Discovery 2024-09-03
Entry 2024-09-05
firefox

< 130.0_1,2

CVE-2024-8381
https://nvd.nist.gov/vuln/detail/CVE-2024-8381
CVE-2024-8382
https://nvd.nist.gov/vuln/detail/CVE-2024-8382
CVE-2024-8383
https://nvd.nist.gov/vuln/detail/CVE-2024-8383
CVE-2024-8384
https://nvd.nist.gov/vuln/detail/CVE-2024-8384
CVE-2024-8385
https://nvd.nist.gov/vuln/detail/CVE-2024-8385
CVE-2024-8386
https://nvd.nist.gov/vuln/detail/CVE-2024-8386
CVE-2024-8387
https://nvd.nist.gov/vuln/detail/CVE-2024-8387
CVE-2024-8389
https://nvd.nist.gov/vuln/detail/CVE-2024-8389

d0ac9a17-5e68-11ef-b8cc-b42e991fc52e

mozilla products -- spoofing attack

security@mozilla.org reports:

Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.

Discovery 2024-08-06
Entry 2024-08-19
firefox

< 129,2

CVE-2024-7518
https://nvd.nist.gov/vuln/detail/CVE-2024-7518