Redhat Enterprise Linux Server Eus vulnerabilities

CVE-2017-5408 [MEDIUM] CWE-200 CVE-2017-5408: Video files loaded video captions cross-origin without checking for the presence of CORS headers per Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

CVE-2018-5131 [MEDIUM] CWE-200 CVE-2018-5131: Under certain circumstances the "fetch()" API can return transient local copies of resources that we Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while brows

CVE-2018-5185 [MEDIUM] CWE-311 CVE-2018-5185: Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerabili Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

CVE-2017-5383 [MEDIUM] CWE-20 CVE-2017-5383: URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger pu URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

CVE-2018-5161 [MEDIUM] CWE-20 CVE-2018-5161: Crafted message headers can cause a Thunderbird process to hang on receiving the message. This vulne Crafted message headers can cause a Thunderbird process to hang on receiving the message. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

CVE-2017-7848 [MEDIUM] CWE-74 CVE-2017-7848: RSS fields can inject new lines into the created email structure, modifying the message body. This v RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2.

CVE-2017-5405 [MEDIUM] CWE-1187 CVE-2017-5405: Certain response codes in FTP connections can result in the use of uninitialized values for ports in Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

CVE-2017-5466 [MEDIUM] CWE-79 CVE-2017-5466: If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:tex If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.

CVE-2017-5451 [MEDIUM] CWE-20 CVE-2017-5451: A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.

CVE-2017-7823 [MEDIUM] CWE-79 CVE-2017-7823: The content security policy (CSP) "sandbox" directive did not create a unique origin for the documen The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 5

CVE-2018-5170 [MEDIUM] CWE-20 CVE-2018-5170: It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

CVE-2018-5117 [MEDIUM] CVE-2018-5117: If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird <

CVE-2017-5407 [MEDIUM] CWE-200 CVE-2017-5407: Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Fire

CVE-2018-5168 [MEDIUM] CVE-2018-5168: Sites can bypass security checks on permissions to install lightweight themes by manipulating the "b Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and F

CVE-2017-7830 [MEDIUM] CVE-2017-7830: The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-ori The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.

CVE-2016-9895 [MEDIUM] CWE-254 CVE-2016-9895: Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) th Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6.

CVE-2018-12020 [HIGH] CWE-706 CVE-2018-12020: mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed character

CVE-2018-11235 [HIGH] CWE-22 CVE-2018-11235: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x b In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then ap

CVE-2018-1000199 [MEDIUM] CWE-119 CVE-2018-1000199: The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoin The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad

CVE-2018-1087 [HIGH] CWE-250 CVE-2018-1087: kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and e