firefox-harfbuzz (SUSE:Linux Enterprise Server 11 SP4-LTSS) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Server 11 SP4-LTSS package firefox-harfbuzz, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (118)
CVE-2019-10160 — CVSS 9.8 (critical): A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions…
CVE-2019-11710 — CVSS 9.8 (critical): Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory…
CVE-2019-9636 — CVSS 9.8 (critical): Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during…
CVE-2019-11733 — CVSS 9.8 (critical): When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It…
CVE-2019-11709 — CVSS 9.8 (critical): Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed…
CVE-2019-11714 — CVSS 9.8 (critical): Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This…
CVE-2019-11713 — CVSS 9.8 (critical): A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially…
CVE-2019-9812 — CVSS 9.3 (critical): Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading…
CVE-2017-15896 — CVSS 9.1 (critical): Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result…
CVE-2018-7160 — CVSS 8.8 (high): The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution…
CVE-2019-11751 — CVSS 8.8 (high): Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks…
CVE-2019-11759 — CVSS 8.8 (high): An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an…
CVE-2019-11757 — CVSS 8.8 (high): When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it…
CVE-2019-11764 — CVSS 8.8 (high): Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed…
CVE-2019-11746 — CVSS 8.8 (high): A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a…
CVE-2019-11752 — CVSS 8.8 (high): It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and…
CVE-2019-11735 — CVSS 8.8 (high): Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68. Some of these bugs showed…
CVE-2019-11760 — CVSS 8.8 (high): A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some…
CVE-2019-11740 — CVSS 8.8 (high): Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these…
CVE-2019-11758 — CVSS 8.8 (high): Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed…
CVE-2019-11711 — CVSS 8.8 (high): When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different…
CVE-2019-11712 — CVSS 8.8 (high): POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can…
CVE-2019-9811 — CVSS 8.3 (high): As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a…
CVE-2019-11716 — CVSS 8.3 (high): Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as…
CVE-2019-11753 — CVSS 7.8 (high): The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by…
CVE-2017-11111 — CVSS 7.8 (high): In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and…
CVE-2017-10686 — CVSS 7.8 (high): In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated…
CVE-2018-0732 — CVSS 7.5 (high): During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client…
CVE-2018-1000168 — CVSS 7.5 (high): nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that…
CVE-2018-12115 — CVSS 7.5 (high): In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names…
CVE-2018-12116 — CVSS 7.5 (high): Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized…
CVE-2018-12121 — CVSS 7.5 (high): Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a…
CVE-2018-12122 — CVSS 7.5 (high): Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial…
CVE-2018-20406 — CVSS 7.5 (high): Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice…
CVE-2018-7158 — CVSS 7.5 (high): The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in…
CVE-2018-7161 — CVSS 7.5 (high): All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by…
CVE-2018-7167 — CVSS 7.5 (high): Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to…
CVE-2013-6640 — CVSS 7.5 (high): The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before…
CVE-2019-9514 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of…
CVE-2015-3193 — CVSS 7.5 (high): The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by…
CVE-2015-3194 — CVSS 7.5 (high): crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL…
CVE-2015-5380 — CVSS 7.5 (high): The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and…
CVE-2016-2086 — CVSS 7.5 (high): Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request…
CVE-2013-2882 — CVSS 7.5 (high): Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified…
CVE-2016-2183 — CVSS 7.5 (high): The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of…
CVE-2016-2216 — CVSS 7.5 (high): The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x…
CVE-2013-6639 — CVSS 7.5 (high): The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before…
CVE-2016-6304 — CVSS 7.5 (high): Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a…
CVE-2016-7052 — CVSS 7.5 (high): crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application…
CVE-2017-1000381 — CVSS 7.5 (high): The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the…
CVE-2017-11499 — CVSS 7.5 (high): Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to…
CVE-2017-14849 — CVSS 7.5 (high): Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the…
CVE-2017-14919 — CVSS 7.5 (high): Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and…
CVE-2019-9518 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a…
CVE-2019-9517 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The…
CVE-2019-9515 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2019-9513 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple…
CVE-2019-9512 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings…
CVE-2019-9511 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a…
CVE-2019-5737 — CVSS 7.5 (high): In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of…
CVE-2017-17818 — CVSS 7.5 (high): In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read that will cause a remote denial of service attack, related to a…
CVE-2019-5010 — CVSS 7.5 (high): An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially…
CVE-2019-15903 — CVSS 7.5 (high): In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a…
CVE-2019-13173 — CVSS 7.5 (high): fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in…
CVE-2019-11719 — CVSS 7.5 (high): When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the…
CVE-2013-6668 — CVSS 7.5 (high): Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to…
CVE-2019-11723 — CVSS 7.5 (high): A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context…
CVE-2019-11729 — CVSS 7.5 (high): Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into…
CVE-2014-0224 — CVSS 7.4 (high): OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages…
CVE-2019-11736 — CVSS 7.0 (high): The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the…
CVE-2019-11725 — CVSS 6.5 (medium): When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but…
CVE-2019-9516 — CVSS 6.5 (medium): Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2016-5172 — CVSS 6.5 (medium): The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain…
CVE-2019-11750 — CVSS 6.5 (medium): A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69…
CVE-2019-11730 — CVSS 6.5 (medium): A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same…
CVE-2019-11748 — CVSS 6.5 (medium): WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party…
CVE-2017-3736 — CVSS 6.5 (medium): There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC…
CVE-2017-18207 — CVSS 6.5 (medium): The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows…
CVE-2019-11742 — CVSS 6.5 (medium): A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas>…
CVE-2019-11747 — CVSS 6.5 (medium): The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a…
CVE-2019-11721 — CVSS 6.5 (medium): The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks…
CVE-2019-11738 — CVSS 6.3 (medium): If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of…
CVE-2019-9947 — CVSS 6.1 (medium): An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the…
CVE-2016-5325 — CVSS 6.1 (medium): CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before…
CVE-2019-11715 — CVSS 6.1 (medium): Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards…
CVE-2019-11720 — CVSS 6.1 (medium): Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This…
CVE-2019-11724 — CVSS 6.1 (medium): Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now…
CVE-2019-11744 — CVSS 6.1 (medium): Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is…
CVE-2019-11762 — CVSS 6.1 (medium): If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM…
CVE-2019-11763 — CVSS 6.1 (medium): Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could…
CVE-2016-7099 — CVSS 5.9 (medium): The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does…
CVE-2017-3738 — CVSS 5.9 (medium): There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are…
CVE-2016-6306 — CVSS 5.9 (medium): The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service…
CVE-2017-14228 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer…
CVE-2017-17816 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_getline in asm/preproc.c that will cause a remote denial of service…
CVE-2017-17815 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in is_mmacro() in asm/preproc.c that will cause a remote denial of…
CVE-2017-17814 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in do_directive in asm/preproc.c that will cause a remote denial of service…
CVE-2017-17813 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in the pp_list_one_macro function in asm/preproc.c that will cause a remote…
CVE-2017-17812 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read in the function detoken() in asm/preproc.c that will cause a…
CVE-2017-17811 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer overflow that will cause a remote denial of service attack, related to a…
CVE-2017-17810 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown address" that will cause a remote denial of service attack, because…
CVE-2016-2178 — CVSS 5.5 (medium): The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time…
CVE-2017-17820 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_list_one_macro in asm/preproc.c that will lead to a remote denial of…
CVE-2017-17819 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function find_cc() in asm/preproc.c that will cause a remote…
CVE-2017-17817 — CVSS 5.5 (medium): In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_verror in asm/preproc.c that will cause a remote denial of service…
CVE-2019-11761 — CVSS 5.4 (medium): By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact…
CVE-2018-20852 — CVSS 5.3 (medium): http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it…
CVE-2019-11717 — CVSS 5.3 (medium): A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator…
CVE-2018-7159 — CVSS 5.3 (medium): The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1…
CVE-2019-11718 — CVSS 5.3 (medium): Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream…
CVE-2017-3735 — CVSS 5.3 (medium): While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an…
CVE-2019-11727 — CVSS 5.3 (medium): A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures…
CVE-2019-11728 — CVSS 4.7 (medium): The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a…
CVE-2018-12123 — CVSS 4.3 (medium): Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a…
CVE-2019-11749 — CVSS 4.3 (medium): A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal…
CVE-2019-11743 — CVSS 3.7 (low): Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload…
CVE-2017-15897 — CVSS 3.1 (low): Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the…