Explore top 10 tips to secure your open-source projects now. Read More
×A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape, CVE-2025-4083. A vulnerability was identified in Firefox where XPath parsing could . MGASA-2025-0150 - Updated firefox packages fix security vulnerabilities Publication date: 08 May 2025 URL: https://advisories.mageia.org/MGASA-2025-0150.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-4083, CVE-2025-4087, CVE-2025-4091, CVE-2025-4093 A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape, CVE-2025-4083. A vulnerability was identified in Firefox where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption, CVE-2025-4087. Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code, CVE-2025-4091. Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code, CVE-2025-4093. References: - https://bugs.mageia.org/show_bug.cgi?id=34232 - https://www.firefox.com/en-US/firefox/128.10.0/releasenotes/?redirect_source=mozilla-org - https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/ - https://www.cve.org/CVERecord?id=CVE-2025-4083 - https://www.cve.org/CVERecord?id=CVE-2025-4087 - https://www.cve.org/CVERecord?id=CVE-2025-4091 - https://www.cve.org/CVERecord?id=CVE-2025-4093 SRPMS: -9/core/firefox-128.10.0-1.mga9 - 9/core/firefox-l10n-128.10.0-1.mga9 . A flaw in Firefox permits a sandbox escape through Javascript URIs, necessitating a prompt security patch and upgrade for Mageia.. Firefox vulnerabilities, Mageia security advisory, javascript process isolation, memory safety issues, security updates. . Severity: Critical. LinuxSecurity.com Team
It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-5531-1
rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123) * jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE SL7 x86_64 pcs- [More...]. Synopsis: Important: pcs security update Advisory ID: SLSA-2022:7343-1 Issue Date: 2022-11-03 CVE Numbers: CVE-2019-11358 CVE-2022-30123 -- Security Fix(es): * rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123) * jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE -- SL7 x86_64 pcs-0.9.169-3.el7_9.3.x86_64.rpm pcs-debuginfo-0.9.169-3.el7_9.3.x86_64.rpm pcs-snmp-0.9.169-3.el7_9.3.x86_64.rpm - Scientific Linux Development Team . Crucial pcs security patch for Scientific Linux SL7.x focusing on severe vulnerabilities impacting rubygem and jquery.. pcs security advisory, Scientific Linux SLSA, rubygem fix. . Severity: Important. LinuxSecurity.com Team
An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2022:4767-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:4767 Issue date: 2022-05-27 CVE Names: CVE-2022-1529 CVE-2022-1802 ==================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.1 ESR. Security Fix(es): * Mozilla: Untrusted input used in JavaScript object indexing, leading to prototype pollution (CVE-2022-1529) * Mozilla: Prototype pollution in Top-Level Await implementation (CVE-2022-1802) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update,Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2089217 - CVE-2022-1802 Mozilla: Prototype pollution in Top-Level Await implementation 2089218 - CVE-2022-1529 Mozilla: Untrusted input used in JavaScript object indexing, leading to prototype pollution 6. Package List: Red Hat Enterprise Linux AppStream E4S (v. 8.1): Source: firefox-91.9.1-1.el8_1.src.rpm ppc64le: firefox-91.9.1-1.el8_1.ppc64le.rpm firefox-debuginfo-91.9.1-1.el8_1.ppc64le.rpm firefox-debugsource-91.9.1-1.el8_1.ppc64le.rpm x86_64: firefox-91.9.1-1.el8_1.x86_64.rpm firefox-debuginfo-91.9.1-1.el8_1.x86_64.rpm firefox-debugsource-91.9.1-1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2022-1529 https://access.redhat.com/security/cve/CVE-2022-1802 https://access.redhat.com/security/updates/classification#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYpDdaNzjgjWX9erEAQhg8w/+MwTD0UuEiKfU+yTFzJVSPGUkCcaPEXY9 5fkdH5Qj/BtMJ3zY1UwEegYlQhcFYH1yo7YG/ctguAmEPU3ll8a3bxsGNQgPdHX8 f+FvTktNha7JBEcUlWuz9V/YOrdK9XbzC/jdjl85Fsf+q9yZiPBhdRTnnzJhltUW nMkp88bWf1iUaQBXmHMCBq/dDvTJe9zDn9kJz3PvwVGygOmRpXX8/wZrs/tLq74c K1lISiF48wH+9T05KlOTMqFXrxdHhUUrN/vaUqq2YPCuEKrs6s9gh9ZCYqtgKPoX dxKSGt75cjTtC+3ensrA/BKaipa53JvfowAEUTXzEodKQPfYGw11asIYfC4VRUyh 0WEn/h7ayda7GQ+wo14w7zJyDW6u5dG57cy3zMCV9cr1CQmHT6ptIMd5xKqpjmtn OxHdZAScqjFkBERwBWy7xOeyuJyUExN/t7XJbxGwQVhh+egOOlI8PhG16Mv6CyOp 80Lan0523gA/oLX4f8nxzzZ60UwFOCihToUPswRJxp1cv454BDohQWWAgZzG8yTN QhI8OCOsKBXAxObC5tl/cEQz/0xlBH+s4oHoJPUfvD0uwXY6cA0RpAk0caqcuWEc utFNUFdoo3Rrygjc7YZIVyjs08egso9vxHYi380x/P/XoCwR+oIov8rh++NiIzXk e/WdF09/scQ=BXVw -----END PGP SIGNATURE----- -- RHSA-announce mailinglist
Prototype pollution in Top-Level Await implementation. (CVE-2022-1802) Untrusted input used in JavaScript object indexing, leading to prototype pollution. (CVE-2022-1529) . MGASA-2022-0207 - Updated firefox/thunderbird packages fix security vulnerability Publication date: 25 May 2022 URL: https://advisories.mageia.org/MGASA-2022-0207.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-1802, CVE-2022-1529 Prototype pollution in Top-Level Await implementation. (CVE-2022-1802) Untrusted input used in JavaScript object indexing, leading to prototype pollution. (CVE-2022-1529) References: - https://bugs.mageia.org/show_bug.cgi?id=30463 - https://www.firefox.com/en-US/firefox/91.9.1/releasenotes/?redirect_source=mozilla-org - https://www.thunderbird.net/en-US/thunderbird/91.9.1/releasenotes/ - https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/ - https://www.cve.org/CVERecord?id=CVE-2022-1802 - https://www.cve.org/CVERecord?id=CVE-2022-1529 SRPMS: - 8/core/firefox-91.9.1-1.mga8 - 8/core/firefox-l10n-91.9.1-1.mga8 - 8/core/thunderbird-91.9.1-1.mga8 - 8/core/thunderbird-l10n-91.9.1-1.mga8 . The latest releases of Firefox and Thunderbird address critical security issues, focusing on mitigating risks associated with remote code execution and insecure authentication practices.. prototype Pollution, Javascript Security, Firefox Update, Thunderbird Update. . LinuxSecurity.com Team
Several security issues were fixed in WebKitGTK.. =========================================================================Ubuntu Security Notice USN-5394-1 April 28, 2022 webkit2gtk vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 20.04 LTS Summary: Several security issues were fixed in WebKitGTK. Software Description: - webkit2gtk: Web content engine library for GTK+ Details: A large number of security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: libjavascriptcoregtk-4.0-18 2.36.0-0ubuntu0.21.10.3 libwebkit2gtk-4.0-37 2.36.0-0ubuntu0.21.10.3 Ubuntu 20.04 LTS: libjavascriptcoregtk-4.0-18 2.36.0-0ubuntu0.20.04.3 libwebkit2gtk-4.0-37 2.36.0-0ubuntu0.20.04.3 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK, such as Epiphany, to make all the necessary changes. References: CVE-2022-22624, CVE-2022-22628, CVE-2022-22629, CVE-2022-22637 Package Information: https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.0-0ubuntu0.21.10.3 https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.0-0ubuntu0.20.04.3 . Addressed vulnerabilities in WebKitGTK within Ubuntu patches mitigate risks of possible exploitation, enhancing vital security protocols.. WebKitGTK Security, Ubuntu Updates, App Security Fixes. . Severity: Critical. LinuxSecurity.com Team
Processing a maliciously crafted mail message may lead to running arbitrary javascript. Description: A validation issue was addressed with improved input sanitization. (CVE-2022-22589) Processing maliciously crafted web content may lead to arbitrary code . MGASA-2022-0059 - Updated webkit2 packages fix security vulnerability Publication date: 12 Feb 2022 URL: https://advisories.mageia.org/MGASA-2022-0059.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-22589, CVE-2022-22590, CVE-2022-22592 Processing a maliciously crafted mail message may lead to running arbitrary javascript. Description: A validation issue was addressed with improved input sanitization. (CVE-2022-22589) Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management. (CVE-2022-22590) Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: A logic issue was addressed with improved state management. (CVE-2022-22592) References: - https://bugs.mageia.org/show_bug.cgi?id=30018 - https://webkitgtk.org/security/WSA-2022-0002.html - https://webkitgtk.org/2022/02/09/webkitgtk2.34.5-released.html - https://www.cve.org/CVERecord?id=CVE-2022-22589 - https://www.cve.org/CVERecord?id=CVE-2022-22590 - https://www.cve.org/CVERecord?id=CVE-2022-22592 SRPMS: - 8/core/webkit2-2.34.5-1.mga8 . Mageia 2022-0060 security bulletin tackles weaknesses in input assessment and resource management within webkit2 to avert potential exploits.. Mageia Security, Webkit2 Update, Code Execution Fix, Input Validation, Memory Management. . Severity: Critical. LinuxSecurity.com Team
An issue has been found in highlight.js, a JavaScript library for syntax highlighting. If a website or application renders user provided data it might be affected by a Prototype Pollution. This might result in strange . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2511-1
Get the latest Linux and open source security news straight to your inbox.