A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.
The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.
A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.
Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks.
Documents formed using data: URLs in an object element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.
The ‘Copy as cURL’ feature of Devtools’ network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the ‘Copy as cURL’ feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.
The ‘Copy as cURL’ feature of Devtools’ network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the ‘Copy as cURL’ feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element.
Mozilla Firefox could allow a remote malicious user to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run.
Users are advised to update to the latest vesions of the affected products.
Mozilla Firefox ESR 68.8.
Mozilla Firefox 76.