Vulnerabilities (CVE)

Filtered by vendor Mozilla Subscribe
Filtered by product Firefox
Total 2647 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-5373 3 Debian, Mozilla, Redhat 7 Debian Linux, Firefox, Firefox Esr and 4 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
CVE-2017-5413 1 Mozilla 2 Firefox, Thunderbird 2024-02-28 7.5 HIGH 9.8 CRITICAL
A segmentation fault can occur during some bidirectional layout operations. This vulnerability affects Firefox < 52 and Thunderbird < 52.
CVE-2017-5456 2 Mozilla, Redhat 8 Firefox, Firefox Esr, Enterprise Linux and 5 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53.
CVE-2017-7752 3 Debian, Mozilla, Redhat 10 Debian Linux, Firefox, Firefox Esr and 7 more 2024-02-28 6.8 MEDIUM 8.8 HIGH
A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
CVE-2018-5116 2 Canonical, Mozilla 2 Ubuntu Linux, Firefox 2024-02-28 7.5 HIGH 9.8 CRITICAL
WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin user expectations with this permission. This vulnerability affects Firefox < 58.
CVE-2016-9901 2 Mozilla, Redhat 7 Firefox, Firefox Esr, Enterprise Linux Aus and 4 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" (unprivileged) page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
CVE-2017-7794 2 Linux, Mozilla 2 Linux Kernel, Firefox 2024-02-28 4.6 MEDIUM 7.8 HIGH
On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system. Other operating systems are not affected. This vulnerability affects Firefox < 55.
CVE-2016-9079 5 Debian, Microsoft, Mozilla and 2 more 12 Debian Linux, Windows, Firefox and 9 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.
CVE-2016-9061 2 Google, Mozilla 2 Android, Firefox 2024-02-28 5.0 MEDIUM 7.5 HIGH
A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50.
CVE-2018-5128 2 Canonical, Mozilla 2 Ubuntu Linux, Firefox 2024-02-28 7.5 HIGH 9.8 CRITICAL
A use-after-free vulnerability can occur when manipulating elements, events, and selection ranges during editor operations. This results in a potentially exploitable crash. This vulnerability affects Firefox < 59.
CVE-2017-7758 3 Debian, Mozilla, Redhat 9 Debian Linux, Firefox, Firefox Esr and 6 more 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
CVE-2018-5131 4 Canonical, Debian, Mozilla and 1 more 9 Ubuntu Linux, Debian Linux, Firefox and 6 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
CVE-2017-7832 1 Mozilla 1 Firefox 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed by the same accent as a second character with most font sets. This allows for domain spoofing attacks because these combined domain names do not display as punycode. This vulnerability affects Firefox < 57.
CVE-2017-7816 1 Mozilla 1 Firefox 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.
CVE-2017-7800 3 Debian, Mozilla, Redhat 10 Debian Linux, Firefox, Firefox Esr and 7 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
CVE-2017-5426 2 Linux, Mozilla 3 Linux Kernel, Firefox, Thunderbird 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
On Linux, if the secure computing mode BPF (seccomp-bpf) filter is running when the Gecko Media Plugin sandbox is started, the sandbox fails to be applied and items that would run within the sandbox are run protected only by the running filter which is typically weak compared to the sandbox. Note: this issue only affects Linux. Other operating systems are not affected. This vulnerability affects Firefox < 52 and Thunderbird < 52.
CVE-2018-5113 2 Canonical, Mozilla 2 Ubuntu Linux, Firefox 2024-02-28 5.0 MEDIUM 7.5 HIGH
The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox < 58.
CVE-2018-5176 2 Canonical, Mozilla 2 Ubuntu Linux, Firefox 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60.
CVE-2018-5134 1 Mozilla 1 Firefox 2024-02-28 5.0 MEDIUM 7.5 HIGH
WebExtensions may use "view-source:" URLs to view local "file:" URL content, as well as content stored in "about:cache", bypassing restrictions that only allow WebExtensions to view specific content. This vulnerability affects Firefox < 59.
CVE-2017-7839 1 Mozilla 1 Firefox 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerability affects Firefox < 57.