Opensuse: >> Opensuse >> 13.2 Security Vulnerabilities
The mozilla::layers::BufferTextureClient::AllocateForSurface function in Mozilla Firefox before 36.0 allows remote attackers to cause a denial of service (out-of-bounds write of zero values, and application crash) via vectors that trigger use of DrawTarget and the Cairo library for image drawing.
CVSS Score
5.0
EPSS Score
0.018
Published
2015-02-25
Multiple use-after-free vulnerabilities in OpenType Sanitiser, as used in Mozilla Firefox before 36.0, might allow remote attackers to trigger problematic Developer Console information or possibly have unspecified other impact by leveraging incorrect macro expansion, related to the ots::ots_gasp_parse function.
CVSS Score
7.5
EPSS Score
0.014
Published
2015-02-25
Mozilla Firefox before 36.0 allows user-assisted remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges via a crafted web site that is accessed with unspecified mouse and keyboard actions.
CVSS Score
6.8
EPSS Score
0.018
Published
2015-02-25
Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web site.
CVSS Score
2.6
EPSS Score
0.003
Published
2015-02-25
The UITour::onPageEvent function in Mozilla Firefox before 36.0 does not ensure that an API call originates from a foreground tab, which allows remote attackers to conduct spoofing and clickjacking attacks by leveraging access to a UI Tour web site.
CVSS Score
4.3
EPSS Score
0.008
Published
2015-02-25
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
CVSS Score
7.8
EPSS Score
0.032
Published
2015-02-24
The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.
CVSS Score
5.0
EPSS Score
0.032
Published
2015-02-24
Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow.
CVSS Score
6.8
EPSS Score
0.055
Published
2015-02-19
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
CVSS Score
6.4
EPSS Score
0.082
Published
2015-02-13
D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.
CVSS Score
1.9
EPSS Score
0.0
Published
2015-02-13