Rewterz Threat Advisory – Multiple Security Advisories for Mozilla Firefox

Severity

High

Analysis Summary

CVE-2020-12426

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. Mozilla reports that some of these bugs showed evidence of memory corruption and presumes that with enough effort they could be exploited to run arbitrary code. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit these bugs to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-12425

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in Date.parse(). By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability from JavaScript to read process memory outside the intended buffer and obtain sensitive information.

CVE-2020-12424

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when constructing a permission prompt for WebRTC. The URI shown in the prompt was supplied by the content process and was not validated, so an attacker who had already compromised a content process (for example through one of the memory corruption bugs above) could supply the URI of an origin that was previously granted camera or microphone permission and bypass the prompt.

CVE-2020-12423

Mozilla Firefox on Windows could allow a local attacker to execute arbitrary code on the system, caused by improper loading of Dynamic Link Libraries due to searching %PATH% for a library. When the Windows DLL webauthn.dll was missing from the operating system, Firefox fell back to the %PATH% search order, so an attacker able to place a malicious webauthn.dll in any directory on the user's %PATH% (a user-writable directory is enough) could have that DLL loaded and executed with the user's privileges the next time Firefox ran.
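The following audit script is an added example and is not part of the Rewterz advisory or of any Mozilla tooling. It models the search-order behaviour behind CVE-2020-12423: with SafeDllSearchMode the loader checks the application directory, System32 and the Windows directory before walking %PATH% in order, so every %PATH% entry an unprivileged user can write to, up to the first entry that already holds a genuine webauthn.dll, is a place an attacker could plant the library. The `exists` and `writable` predicates are injectable so the logic can be checked offline; the constructed %PATH% and filesystem in `demo()` are sample data, not observations from a real host.

```python
"""Audit a Windows %PATH% for DLL search-order hijacking exposure.

Added example (not from the advisory or from Mozilla). The DLL name
webauthn.dll is the one named in MFSA 2020-24; everything else here is
an assumption made for illustration.
"""
import ntpath
import os
from typing import Callable, Iterable, List, Set

DLL_NAME = "webauthn.dll"


def audit_path(
    path_entries: Iterable[str],
    system_dirs: Iterable[str],
    dll_name: str = DLL_NAME,
    exists: Callable[[str], bool] = os.path.exists,
    writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK),
) -> List[str]:
    """Return the %PATH% directories where a planted dll_name would win.

    `system_dirs` are the directories the loader consults before %PATH%
    (application dir, System32, Windows dir). If the DLL is present in
    any of them the %PATH% walk never happens and nothing is reported.
    """
    for d in system_dirs:
        if exists(ntpath.join(d, dll_name)):
            return []

    hits: List[str] = []
    for raw in path_entries:
        d = raw.strip().strip('"')
        if not d:
            continue
        if writable(d):
            # An attacker with write access here can drop (or replace)
            # the DLL and it is loaded before anything later on %PATH%.
            hits.append(d)
        if exists(ntpath.join(d, dll_name)):
            # The loader stops at the first directory holding the DLL,
            # so entries after this one are never searched.
            break
    return hits


def fake_predicates(existing_files: Set[str], writable_dirs: Set[str]):
    """Build exists/writable callables over a constructed filesystem."""
    return (lambda p: p in existing_files, lambda d: d in writable_dirs)


# Constructed sample data: a typical user %PATH% where the per-user
# WindowsApps and Python directories are writable by the user.
SYSTEM_DIRS = [r"C:\Program Files\Mozilla Firefox", r"C:\Windows\system32", r"C:\Windows"]
PATH_ENTRIES = [
    r"C:\Program Files\Git\cmd",
    r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps",
    r"C:\Users\alice\AppData\Local\Programs\Python\Python38",
]
USER_WRITABLE = {PATH_ENTRIES[1], PATH_ENTRIES[2]}


def demo() -> dict:
    """Three scenarios on the constructed data; returns the audit result for each."""
    # 1. No webauthn.dll anywhere: both user-writable directories are planting spots.
    ex, wr = fake_predicates(set(), USER_WRITABLE)
    missing = audit_path(PATH_ENTRIES, SYSTEM_DIRS, exists=ex, writable=wr)

    # 2. The OS ships webauthn.dll in System32: %PATH% is never searched.
    ex, wr = fake_predicates({ntpath.join(r"C:\Windows\system32", DLL_NAME)}, USER_WRITABLE)
    in_system32 = audit_path(PATH_ENTRIES, SYSTEM_DIRS, exists=ex, writable=wr)

    # 3. An admin dropped a genuine copy in a non-writable %PATH% directory
    #    that precedes the user-writable ones: the walk stops there.
    ex, wr = fake_predicates({ntpath.join(PATH_ENTRIES[0], DLL_NAME)}, USER_WRITABLE)
    admin_copy = audit_path(PATH_ENTRIES, SYSTEM_DIRS, exists=ex, writable=wr)

    return {"missing": missing, "in_system32": in_system32, "admin_copy": admin_copy}


if __name__ == "__main__":
    for name, dirs in demo().items():
        print(f"{name}: {dirs or 'no hijackable directory'}")
```

Run on a real Windows host, `audit_path(os.environ["PATH"].split(";"), [firefox_dir, system32, windows_dir])` with the default predicates lists the directories to lock down; the fix in Firefox 78 removes the %PATH% fallback, but the same audit applies to any application that loads a DLL by bare name.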

CVE-2020-12422

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in nsJPEGEncoder::emptyOutputBuffer, the encoder used when web content converts a canvas to a JPEG image. By persuading a victim to visit a specially-crafted Web site, a remote attacker could trigger the overflow to corrupt memory and execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-12421

Mozilla Firefox add-on updates did not respect the same certificate trust rules as software updates. When performing add-on updates, certificate chains terminating in roots that were not built in were rejected, even when the root had been legitimately added by an administrator (as is common behind a TLS-inspecting proxy). In such environments add-ons could become out-of-date silently, without notification to the user, leaving unpatched add-on vulnerabilities in place.

CVE-2020-12402

Mozilla Firefox (through its NSS cryptographic library) could allow an attacker to obtain sensitive information, caused by a side channel during RSA key generation. The bignum implementation used a variation of the binary extended Euclidean algorithm whose control flow depended heavily on its inputs. An attacker able to perform electromagnetic-based side channel attacks against the device while a key was generated could record traces leading to the recovery of the secret primes. This requires physical proximity to the target and cannot be exploited remotely through a Web site.

CVE-2020-12420

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when trying to connect to a STUN server during WebRTC ICE negotiation. By persuading a victim to visit a specially-crafted Web site that starts a WebRTC session, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-12419

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in nsGlobalWindowInner, the object that backs a document's window. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-12418

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when manipulating individual parts of a URL object. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to leak process memory to malicious JavaScript.

CVE-2020-12416

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in WebRTC VideoBroadcaster. By persuading a victim to visit a specially-crafted Web site that uses WebRTC video, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-12415

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by AppCache manifest poisoning due to URL-encoded character processing. When "%2F" (an encoded slash) was present in a manifest URL, the AppCache behaviour could be modified so that a manifest served from a subdirectory was accepted as if it belonged to the directory above it. An attacker who controls content in a subdirectory of a site could exploit this to have the AppCache service requests for the top-level directory.

CVE-2020-12417

Mozilla Firefox on ARM64 platforms could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption due to a missing sign-extension for ValueTags in the JavaScript engine's JIT-compiled code. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service. Other architectures are not affected.

Impact

  • Denial of service
  • Exposure of sensitive data
  • Execute arbitrary code on the system
  • Security bypass

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox versions prior to 78 (Firefox 77.0.1 and earlier)
  • Mozilla Firefox ESR versions prior to 68.10 (a subset of the issues above; see MFSA 2020-25)

Remediation

Upgrade to Mozilla Firefox 78 or Mozilla Firefox ESR 68.10. Refer to the Mozilla Security Advisories (MFSA 2020-24 for Firefox 78 and MFSA 2020-25 for Firefox ESR 68.10) for the list of respective patches.

https://www.mozilla.org/en-US/security/advisories/
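To turn the remediation above into a fleet check, the following triage script is an added example that is not part of the Rewterz advisory or of any Mozilla tool. It assumes the fixed releases named in the advisories (Firefox 78.0 from MFSA 2020-24 and Firefox ESR 68.10 from MFSA 2020-25) and takes version strings in the form Firefox itself reports them, such as "77.0.1", "68.9.0esr" or "78.0esr". ESR lines older than 68 are out of support and are therefore treated as vulnerable; beta or nightly strings are rejected rather than guessed at. The inventory in `demo()` is constructed sample data.

```python
"""Triage Firefox versions from an inventory against the fixed releases.

Added example, not from the advisory or from Mozilla. Fixed versions
are taken from MFSA 2020-24 (Firefox 78.0) and MFSA 2020-25
(Firefox ESR 68.10); the inventory below is constructed.
"""
import re
from typing import List, Tuple

FIXED_RELEASE = (78, 0)   # MFSA 2020-24
FIXED_ESR = (68, 10)      # MFSA 2020-25
OLDEST_SUPPORTED_ESR = 68

# major.minor[.patch] with an optional "esr" channel suffix, e.g. 68.9.0esr
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr); raise on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), m.group(4) is not None


def is_vulnerable(version: str) -> bool:
    """True if this build predates the fix for its release channel."""
    (major, minor, _patch), esr = parse_version(version)
    if esr:
        if major >= FIXED_RELEASE[0]:
            return False          # ESR 78.0esr shipped with the fixes
        if major == OLDEST_SUPPORTED_ESR:
            return (major, minor) < FIXED_ESR
        return True               # ESR 60 and older: unsupported, never fixed
    return (major, minor) < FIXED_RELEASE


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair; unparsable strings are flagged for review."""
    out = []
    for host, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            status = "unknown"
        out.append((host, version, status))
    return out


# Constructed sample inventory, e.g. exported from an endpoint agent.
INVENTORY = [
    ("ws-001", "77.0.1"),
    ("ws-002", "78.0"),
    ("srv-kiosk", "68.9.0esr"),
    ("srv-lab", "68.10.0esr"),
    ("ws-arm", "78.0esr"),
    ("legacy-01", "60.9.0esr"),
    ("dev-07", "79.0b2"),
]


def demo() -> List[Tuple[str, str, str]]:
    return triage(INVENTORY)


if __name__ == "__main__":
    for host, version, status in demo():
        print(f"{host:10} {version:12} {status}")
```

The channel split matters in practice: a plain numeric comparison would mark ESR 68.10 as vulnerable because 68 is less than 78, and would silently pass an unsupported ESR 60 host if it only compared against the ESR fix line.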