Vulnerabilities (CVE)

Filtered by vendor Mozilla Subscribe
Filtered by product Firefox Esr
Total 749 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-5443 3 Debian, Mozilla, Redhat 10 Debian Linux, Firefox, Firefox Esr and 7 more 2024-10-21 7.5 HIGH 9.8 CRITICAL
An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
CVE-2017-5465 3 Debian, Mozilla, Redhat 10 Debian Linux, Firefox, Firefox Esr and 7 more 2024-10-21 6.4 MEDIUM 9.1 CRITICAL
An out-of-bounds read while processing SVG content in "ConvolvePixel". This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could then displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
CVE-2013-5590 1 Mozilla 5 Firefox, Firefox Esr, Seamonkey and 2 more 2024-10-21 10.0 HIGH N/A
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2014-8638 1 Mozilla 4 Firefox, Firefox Esr, Seamonkey and 1 more 2024-10-21 6.8 MEDIUM N/A
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.
CVE-2016-10196 3 Debian, Libevent Project, Mozilla 5 Debian Linux, Libevent, Firefox and 2 more 2024-10-21 5.0 MEDIUM 7.5 HIGH
Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.
CVE-2013-5596 1 Mozilla 5 Firefox, Firefox Esr, Seamonkey and 2 more 2024-10-21 6.8 MEDIUM N/A
The cycle collection (CC) implementation in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 does not properly determine the thread for release of an image object, which allows remote attackers to execute arbitrary code or cause a denial of service (race condition and application crash) via a large HTML document containing IMG elements, as demonstrated by the Never-Ending Reddit on reddit.com.
CVE-2020-15652 2 Canonical, Mozilla 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more 2024-10-21 4.3 MEDIUM 6.5 MEDIUM
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1.
CVE-2017-5462 2 Debian, Mozilla 5 Debian Linux, Firefox, Firefox Esr and 2 more 2024-10-21 5.0 MEDIUM 5.3 MEDIUM
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
CVE-2023-4574 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-21 N/A 6.5 MEDIUM
When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
CVE-2014-1595 2 Apple, Mozilla 4 Mac Os X, Firefox, Firefox Esr and 1 more 2024-10-21 2.1 LOW N/A
Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information.
CVE-2013-5603 1 Mozilla 5 Firefox, Firefox Esr, Seamonkey and 2 more 2024-10-21 10.0 HIGH N/A
Use-after-free vulnerability in the nsContentUtils::ContentIsHostIncludingDescendantOf function in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving HTML document templates.
CVE-2013-5604 1 Mozilla 5 Firefox, Firefox Esr, Seamonkey and 2 more 2024-10-21 9.3 HIGH N/A
The txXPathNodeUtils::getBaseURI function in the XSLT processor in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does not properly initialize data, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via crafted documents.
CVE-2018-12360 4 Canonical, Debian, Mozilla and 1 more 11 Ubuntu Linux, Debian Linux, Firefox and 8 more 2024-10-21 6.8 MEDIUM 8.8 HIGH
A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
CVE-2018-12363 4 Canonical, Debian, Mozilla and 1 more 11 Ubuntu Linux, Debian Linux, Firefox and 8 more 2024-10-21 6.8 MEDIUM 8.8 HIGH
A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
CVE-2018-5156 4 Canonical, Debian, Mozilla and 1 more 11 Ubuntu Linux, Debian Linux, Firefox and 8 more 2024-10-21 7.5 HIGH 9.8 CRITICAL
A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
CVE-2017-5433 3 Debian, Mozilla, Redhat 10 Debian Linux, Firefox, Firefox Esr and 7 more 2024-10-21 7.5 HIGH 9.8 CRITICAL
A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
CVE-2020-15663 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-21 9.3 HIGH 8.8 HIGH
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, and Firefox ESR < 78.2.
CVE-2013-5591 1 Mozilla 5 Firefox, Firefox Esr, Seamonkey and 2 more 2024-10-21 10.0 HIGH N/A
Unspecified vulnerability in the browser engine in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2018-12364 4 Canonical, Debian, Mozilla and 1 more 11 Ubuntu Linux, Debian Linux, Firefox and 8 more 2024-10-21 6.8 MEDIUM 8.8 HIGH
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
CVE-2020-15664 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-21 4.3 MEDIUM 6.5 MEDIUM
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.