Filtered by vendor Mozilla
Subscribe
Total
3042 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23976 | 1 Mozilla | 1 Firefox | 2024-02-28 | 5.8 MEDIUM | 8.1 HIGH |
| When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86. | |||||
| CVE-2021-21354 | 1 Mozilla | 1 Pollbot | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com/". An attacker can redirect anyone to malicious sites. To Reproduce type in this URL: "https://pollbot.services.mozilla.com//evil.com/". Affected versions will redirect to that website when you inject a payload like "//evil.com/". This is fixed in version 1.4.4. | |||||
| CVE-2020-15680 | 1 Mozilla | 1 Firefox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82. | |||||
| CVE-2021-20628 | 2 Cybozu, Mozilla | 2 Office, Firefox | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. Note that this vulnerability occurs only when using Mozilla Firefox. | |||||
| CVE-2020-26976 | 2 Debian, Mozilla | 2 Debian Linux, Firefox | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. | |||||
| CVE-2021-23956 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. This was addressed by adding a new prompt. This vulnerability affects Firefox < 85. | |||||
| CVE-2021-23977 | 1 Mozilla | 1 Firefox | 2024-02-28 | 2.6 LOW | 5.3 MEDIUM |
| Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue is only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86. | |||||
| CVE-2020-26966 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. | |||||
| CVE-2020-26953 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. | |||||
| CVE-2020-26975 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. | |||||
| CVE-2021-23978 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. | |||||
| CVE-2021-23959 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85. | |||||
| CVE-2021-23962 | 1 Mozilla | 1 Firefox | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. This vulnerability affects Firefox < 85. | |||||
| CVE-2020-15673 | 3 Debian, Mozilla, Opensuse | 5 Debian Linux, Firefox, Firefox Esr and 2 more | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. | |||||
| CVE-2020-26967 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox < 83. | |||||
| CVE-2018-18508 | 2 Mozilla, Siemens | 17 Network Security Services, Ruggedcom Rox Mx5000, Ruggedcom Rox Mx5000 Firmware and 14 more | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service. | |||||
| CVE-2020-26952 | 1 Mozilla | 1 Firefox | 2024-02-28 | 9.3 HIGH | 8.8 HIGH |
| Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. This vulnerability affects Firefox < 83. | |||||
| CVE-2020-26962 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolation. This vulnerability affects Firefox < 83. | |||||
| CVE-2021-23954 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. | |||||
| CVE-2020-15671 | 1 Mozilla | 1 Firefox | 2024-02-28 | 2.6 LOW | 3.1 LOW |
| When typing in a password under certain conditions, a race may have occured where the InputContext was not being correctly set for the input field, resulting in the typed password being saved to the keyboard dictionary. This vulnerability affects Firefox for Android < 80. | |||||