Search Results (Refine Search)
- CPE Product Version: cpe:/a:mozilla:firefox_esr:38.1.0
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2015-4480 |
Integer overflow in the stagefright::SampleTable::isValid function in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to execute arbitrary code via crafted MPEG-4 video data with H.264 encoding. Published: August 15, 2015; 9:59:07 PM -0400 |
V3.x:(not available) V2.0: 9.3 HIGH |
CVE-2015-4479 |
Multiple integer overflows in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remote attackers to execute arbitrary code via a crafted saio chunk in MPEG-4 video data. Published: August 15, 2015; 9:59:06 PM -0400 |
V3.x:(not available) V2.0: 10.0 HIGH |
CVE-2015-4478 |
Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method. Published: August 15, 2015; 9:59:05 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2015-4475 |
The mozilla::AudioSink function in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 mishandles inconsistent sample formats within MP3 audio data, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a malformed file. Published: August 15, 2015; 9:59:03 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2015-4473 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Published: August 15, 2015; 9:59:00 PM -0400 |
V3.x:(not available) V2.0: 10.0 HIGH |
CVE-2015-4495 |
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015. Published: August 07, 2015; 8:59:04 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2015-4000 |
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. Published: May 20, 2015; 8:59:00 PM -0400 |
V3.0: 3.7 LOW V2.0: 4.3 MEDIUM |