Filtered by vendor Mozilla
Subscribe
Total
3042 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-9066 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. | |||||
| CVE-2018-5154 | 4 Canonical, Debian, Mozilla and 1 more | 12 Ubuntu Linux, Debian Linux, Firefox and 9 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. | |||||
| CVE-2017-7819 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. | |||||
| CVE-2018-5111 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site. This vulnerability affects Firefox < 58. | |||||
| CVE-2017-7843 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1. | |||||
| CVE-2017-5390 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. | |||||
| CVE-2018-5090 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Memory safety bugs were reported in Firefox 57. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 58. | |||||
| CVE-2017-7778 | 3 Debian, Mozilla, Sil | 5 Debian Linux, Firefox, Firefox Esr and 2 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. | |||||
| CVE-2017-5463 | 2 Google, Mozilla | 2 Android, Firefox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Android intents can be used to launch Firefox for Android in reader mode with a user specified URL. This allows an attacker to spoof the contents of the addressbar as displayed to users. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 53. | |||||
| CVE-2017-7838 | 1 Mozilla | 1 Firefox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Punycode format text will be displayed for entire qualified international domain names in some instances when a sub-domain triggers the punycode display instead of the primary domain being displayed in native script and the sub-domain only displaying as punycode. This could be used for limited spoofing attacks due to user confusion. This vulnerability affects Firefox < 57. | |||||
| CVE-2016-5294 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
| The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. | |||||
| CVE-2016-9900 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. | |||||
| CVE-2018-5151 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Memory safety bugs were reported in Firefox 59. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 60. | |||||
| CVE-2017-5417 | 1 Mozilla | 1 Firefox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| When dragging content from the primary browser pane to the addressbar on a malicious site, it is possible to change the addressbar so that the displayed location following navigation does not match the URL of the newly loaded page. This allows for spoofing attacks. This vulnerability affects Firefox < 52. | |||||
| CVE-2017-5414 | 1 Mozilla | 2 Firefox, Thunderbird | 2024-02-28 | 4.9 MEDIUM | 5.5 MEDIUM |
| The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird < 52. | |||||
| CVE-2017-7791 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. | |||||
| CVE-2018-5117 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Firefox and 8 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. | |||||
| CVE-2017-7834 | 1 Mozilla | 1 Firefox | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A "data:" URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions when "data:" documents also inherited the context of the original page this would allow for potential cross-site scripting (XSS) attacks. This vulnerability affects Firefox < 57. | |||||
| CVE-2018-5112 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that it should not be able to access, including potentially privileged pages. This vulnerability affects Firefox < 58. | |||||
| CVE-2017-7789 | 1 Mozilla | 1 Firefox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. This vulnerability affects Firefox < 55. | |||||