nessus: REDHAT_UNPATCHED-MOZILLA-RHEL6.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 11, 2024 - 12:00 a.m.

RHEL 6 : mozilla (Unpatched Vulnerability)

www.tenable.com
redhat enterprise linux
mozilla
unpatched vulnerability
stack overflow
sandbox bypass
memory corruption
man-in-the-middle attack
security document

EPSS: 0.38 Low
Percentile: 97.2%

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • Mozilla: Stack overflow due to incorrect parsing of SMTP server response codes (CVE-2020-26970)

  • Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140)

  • An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
    This vulnerability affects Firefox < 55. (CVE-2017-7781)

  • An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.
    This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. (CVE-2018-5146)

  • During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. This vulnerability affects Thunderbird < 78.7.
    (CVE-2020-15685)

  • Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet. (CVE-2020-16044)

  • Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26971)

  • Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26973)

  • When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26974)

  • When an HTTPS page was embedded in an HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. (CVE-2020-26976)

  • Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network’s hosts as well as services running on the user’s local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26978)

  • When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35111)

  • Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35113)

  • A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user’s account at the service provider. This vulnerability affects Firefox < 75. (CVE-2020-6823)

  • Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75. (CVE-2020-6824)

  • If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. (CVE-2021-23953)

  • Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. (CVE-2021-23954)

  • Performing garbage collection on re-declared JavaScript variables resulted in a use-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. (CVE-2021-23960)

  • Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network’s hosts as well as services running on the user’s local machine. This vulnerability affects Firefox < 85. (CVE-2021-23961)

  • Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. (CVE-2021-23964)

  • If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23968)

  • As specified in the W3C Content Security Policy draft, when creating a violation report, User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage. Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination’s origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23969)

  • When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23973)

  • Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23978)

  • A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash.
    This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23981)

  • Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network’s hosts as well as services running on the user’s local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
    (CVE-2021-23982)

  • A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23984)

  • Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23987)

  • If a Thunderbird user has previously imported Alice’s OpenPGP key, and Alice has extended the validity period of her key, but Alice’s updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice’s key with an invalid subkey. Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1. (CVE-2021-23991)

  • Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1. (CVE-2021-23992)

  • An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1. (CVE-2021-23993)

  • A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
    (CVE-2021-23994)

  • When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-23995)

  • Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
    (CVE-2021-23998)

  • If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-23999)

  • When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-24002)

  • The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. Note: This issue only affected x86-32 platforms. Other platforms are unaffected. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-29945)

  • Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-29946)

  • Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user is replacing the file. This vulnerability affects Thunderbird < 78.10. (CVE-2021-29948)

  • When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn’t distributed by Thunderbird. If a computer has already been infected with a malicious library of the alternative filename, and the malicious library has been copied to a directory that is contained in the search path for executable libraries, then Thunderbird will load the incorrect library. This vulnerability affects Thunderbird < 78.9.1. (CVE-2021-29949)

  • Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1. (CVE-2021-29950)

  • OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user’s local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2. (CVE-2021-29956)

  • If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected.
    This vulnerability affects Thunderbird < 78.10.2. (CVE-2021-29957)

  • A locally-installed hostile program could send WM_COPYDATA messages that Firefox would process incorrectly, leading to an out-of-bounds read. This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11. (CVE-2021-29964)

  • Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11. (CVE-2021-29967)

  • If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn’t ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn’t exist on the IMAP server. This vulnerability affects Thunderbird < 78.12. (CVE-2021-29969)

  • A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. This bug could only be triggered when accessibility was enabled. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29970)

  • Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29976)

  • Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29980)

  • Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  • A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29985)

  • A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  • Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

  • Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29989)

  • Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1. (CVE-2021-29991)

  • Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92. (CVE-2021-38493)

  • During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. (CVE-2021-38496)

  • Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38497)

  • During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38498)

  • Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. (CVE-2021-38500)

  • Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38501)

  • Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2. (CVE-2021-38502)

  • The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38503)

  • When interacting with an HTML input element’s file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38504)

  • Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user’s Microsoft account. This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38505)

  • Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38506)

  • The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38507)

  • By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38508)

  • Due to an unusual sequence of attacker-controlled events, a JavaScript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker’s choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38509)

  • The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user’s computer. Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38510)

  • An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. This vulnerability affects Thunderbird < 78.9 and Firefox ESR < 78.9. (CVE-2021-4127)

  • Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 95, Firefox ESR < 91.4.0, and Thunderbird < 91.4.0. (CVE-2021-4129)

  • Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.
    (CVE-2021-43528)

  • Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-43534)

  • A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-43535)

  • Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43536)

  • An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43537)

  • By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43538)

  • Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43539)

  • When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43541)

  • Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43542)

  • Documents loaded with the CSP sandbox directive could have escaped the sandbox’s script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43543)

  • Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43545)

  • It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
    This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43546)

  • NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. (CVE-2022-1097)

  • After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8. (CVE-2022-1196)

  • When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn’t specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8. (CVE-2022-1197)

  • When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9. (CVE-2022-1520)

  • An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. (CVE-2022-1529)

  • If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. (CVE-2022-1802)

  • When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker’s digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker’s email address was not visible. Because Thunderbird compared the invisible sender address with the signature’s email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10. (CVE-2022-1834)

  • If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-2200)

  • An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email’s date will be shown. If the dates were different, then Thunderbird didn’t report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents is resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature’s date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11. (CVE-2022-2226)

  • Constructing audio sinks could have led to a race condition when playing audio files and closing windows. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22737)

  • Applying a CSS filter effect could have accessed out of bounds memory. This could have led to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22738)

  • Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
    (CVE-2022-22739)

  • Certain network request objects were freed too early when releasing a network request handle. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22740)

  • When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
    (CVE-2022-22741)

  • When inserting text while in edit mode, some characters might have led to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22742)

  • When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22743)

  • Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations.
    This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22745)

  • After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22747)

  • Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22748)

  • Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22751)

  • If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22754)

  • If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
    (CVE-2022-22756)

  • If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe’s document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe’s sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22759)

  • When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22760)

  • Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension’s Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22761)

  • When a worker is shut down, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22763)

  • Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22764)

  • regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it’s considered part of the crate’s API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it’s possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability.
    Because of this, it is not recommended to deny known problematic regexes. (CVE-2022-24713)

  • Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1. (CVE-2022-2505)

  • An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. (CVE-2022-26381)

  • When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
    (CVE-2022-26383)

  • If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. (CVE-2022-26384)

  • Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.
    This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7. (CVE-2022-26386)

  • When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
    (CVE-2022-26387)

  • An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
    (CVE-2022-26486)

  • If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. (CVE-2022-28281)

  • By using a link with rel=localization a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. (CVE-2022-28282)

  • When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
    (CVE-2022-28285)

  • Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. (CVE-2022-28286)

  • Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
    (CVE-2022-28289)

  • Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29909)

  • An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29911)

  • Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29912)

  • The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.
    (CVE-2022-29913)

  • When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29914)

  • Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29916)

  • Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
    (CVE-2022-29917)

  • When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.
    (CVE-2022-3032)

  • If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv=refresh attribute, and the content attribute specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn’t affect users who have changed the default Message Body display setting to ‘simple html’ or ‘plain text’. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. (CVE-2022-3033)

  • When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn’t display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. (CVE-2022-3034)

  • A malicious website could have learned the size of a cross-origin resource that supported Range requests.
    This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31736)

  • A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31737)

  • When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31738)

  • On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31740)

  • A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31741)

  • An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31742)

  • An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page’s Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101. (CVE-2022-31744)

  • Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
    (CVE-2022-31747)

  • An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.
    This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-3266)

  • An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34468)

  • Session history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
    (CVE-2022-34470)

  • If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34472)

  • A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. This bug only affects Thunderbird for Linux. Other operating systems are unaffected. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34479)

  • In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34481)

  • The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34484)

  • matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer’s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible. (CVE-2022-36059)

  • When visiting directory listings for chrome:// URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. (CVE-2022-36318)

  • When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. (CVE-2022-36319)

  • An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. (CVE-2022-38472)

  • A cross-origin iframe referencing an XSLT document would inherit the parent domain’s permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. (CVE-2022-38473)

  • A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password.
    This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2. (CVE-2022-38476)

  • Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104. (CVE-2022-38477)

  • Members of the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
    (CVE-2022-38478)

  • Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer’s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.
    This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue. (CVE-2022-39236)

  • Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person.
    Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a trusted flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with trusted = false are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust their homeservers do not need a workaround. (CVE-2022-39249)

  • Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable.
    Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device IDs matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround. (CVE-2022-39250)

  • Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.
    (CVE-2022-39251)

  • When injecting an HTML base element, some requests would ignore the CSP’s base-uri settings and accept the injected element’s base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40956)

  • Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. This bug only affects Firefox on ARM64 platforms. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40957)

  • By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
    (CVE-2022-40958)

  • During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40959)

  • Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40960)

  • Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40962)

  • A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries(). This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42927)

  • Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42928)

  • If a website called window.print() in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user’s session restore settings. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42929)

  • Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42932)

  • Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45403)

  • Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
    (CVE-2022-45404)

  • Freeing arbitrary nsIInputStreams on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45405)

  • If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45406)

  • Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45408)

  • The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45409)

  • When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45410)

  • Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however, some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45411)

  • When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing uninitialized memory in the buffer. This bug only affects Thunderbird on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45412)

  • If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content.
    An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targeting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.
    (CVE-2022-45414)

  • Keyboard events reference strings like KeyA that were at fixed, known, and widely-spread addresses.
    Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
    (CVE-2022-45416)

  • If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45418)

  • Using tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45420)

  • Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45421)

  • An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108. (CVE-2022-46871)

  • An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Thunderbird for Linux. Other operating systems are unaffected. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46872)

  • A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially have led to user confusion and the execution of malicious code. Note: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6. (CVE-2022-46874)

  • By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108. (CVE-2022-46877)

  • Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46878)

  • A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. Note: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6. (CVE-2022-46880)

  • An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash. Note: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46881)

  • A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46882)

  • Certificate OCSP revocation status was not checked when verifying S/Mime signatures. Mail signed with a revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to 102.7.0 were affected by this bug. This vulnerability affects Thunderbird < 102.7.1. (CVE-2023-0430)

  • If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird’s user interface to lock up and no longer respond to the user’s actions. An attacker could send a crafted message with this structure to attempt a DoS attack. This vulnerability affects Thunderbird < 102.8. (CVE-2023-0616)

  • Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
    (CVE-2023-1945)

  • There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. (CVE-2023-1999)

  • Due to the Firefox GTK wrapper code’s use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to DataTransfer.setData. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. (CVE-2023-23598)

  • When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. (CVE-2023-23599)

  • Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. (CVE-2023-23601)

  • A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
    (CVE-2023-23602)

  • Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren’t accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
    (CVE-2023-23603)

  • Memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
    (CVE-2023-23605)

  • The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe’s unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25728)

  • Permission prompts for opening external schemes were only shown for ContentPrincipals, resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25729)

  • A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
    This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25730)

  • When encoding data from an inputStream in xpcom, the size of the input being encoded was not correctly calculated, potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25732)

  • Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25735)

  • An invalid downcast from nsTextNode to SVGElement could have led to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
    (CVE-2023-25737)

  • Module load requests that failed were not being checked as to whether or not they were cancelled, causing a use-after-free in ScriptLoadContext. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25739)

  • When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
    (CVE-2023-25742)

  • A lack of in-app notification for entering fullscreen mode could have led to a malicious website spoofing browser chrome. This bug only affects Firefox Focus. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. (CVE-2023-25743)

  • Memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. (CVE-2023-25744)

  • Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8. (CVE-2023-25746)

  • Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-25751)

  • When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have led future code to be incorrect and vulnerable. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-25752)

  • While implementing AudioWorklets, some code may have cast one type to another, invalid, dynamic type.
    This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-28162)

  • Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-28164)

  • Memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
    (CVE-2023-28176)

  • matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer’s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-28427)

  • A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29533)

  • Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29535)

  • An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29536)

  • When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29539)

  • Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands. This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29541)

  • A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29548)

  • Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29550)

  • In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32205)

  • An out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32206)

  • A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32207)

  • A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32211)

  • An attacker could have positioned a datalist element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32212)

  • When reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32213)

  • Memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
    (CVE-2023-32215)

  • The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.
    This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. (CVE-2023-34414)

  • Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. (CVE-2023-34416)

  • An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.
    This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37201)

  • Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37202)

  • A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
    (CVE-2023-37207)

  • When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code.
    This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37208)

  • Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37211)

  • Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4045)

  • In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4046)

  • A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4047)

  • An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4048)

  • Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4049)

  • In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4050)

  • A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4051)

  • A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4053)

  • When the number of cookies per domain was exceeded in document.cookie, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4055)

  • Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4056)

  • Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1. (CVE-2023-4057)

  • When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4573)

  • When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2. (CVE-2023-4574)

  • When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2. (CVE-2023-4575)

  • When UpdateRegExpStatics attempted to access initialStringHeap it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4577)

  • When calling JS::CheckRegExpSyntax a Syntax Error could have been set which would end in calling convertToRuntimeErrorAndClear. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4578)

  • Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4580)

  • Excel .xll add-in files did not have a blocklist entry in Firefox’s executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4581)

  • When checking if the Browsing Context had been discarded in HttpBaseChannel, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4583)

  • Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4584)

  • Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4585)

  • The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6. (CVE-2023-50761)

  • When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6. (CVE-2023-50762)

  • A compromised content process could have provided malicious data in a PathRecording resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. (CVE-2023-5169)

  • During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. (CVE-2023-5171)

  • Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. (CVE-2023-5176)

  • It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. (CVE-2023-5721)

  • Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
    (CVE-2023-5724)

  • A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. (CVE-2023-5725)

  • During garbage collection, extra operations were performed on an object that should not be. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. (CVE-2023-5728)

  • Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. (CVE-2023-5730)

  • An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and Thunderbird < 115.4.1. (CVE-2023-5732)

  • On some systems, depending on the graphics settings and drivers, it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6204)

  • It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6205)

  • The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6206)

  • Ownership mismanagement led to a use-after-free in ReadableByteStreams. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6207)

  • When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. This bug only affects Firefox on X11. Other systems are unaffected. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6208)

  • Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal /…/ part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
    (CVE-2023-6209)

  • Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6212)

  • The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.
    (CVE-2023-6856)

  • When resolving a symlink, a race may occur where the buffer passed to readlink may actually be smaller than necessary. This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS).
    Windows is unaffected.
    This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6857)

  • Firefox was susceptible to a heap buffer overflow in nsTextFragment due to insufficient OOM handling.
    This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6858)

  • A use-after-free condition affected TLS socket creation when under memory pressure. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6859)

  • The VideoBridge allowed any content process to use textures produced by remote decoders. This could be abused to escape the sandbox. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6860)

  • The nsWindow::PickerOpen(void) method was susceptible to a heap buffer overflow when running in headless mode. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.
    (CVE-2023-6861)

  • A use-after-free was identified in the nsDNSService::Init. This issue appears to manifest rarely during start-up. This vulnerability affects Firefox ESR < 115.6 and Thunderbird < 115.6. (CVE-2023-6862)

  • The ShutdownObserver() was susceptible to potentially undefined behavior due to its reliance on a dynamic type that lacked a virtual destructor. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6863)

  • Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6864)

  • EncryptingOutputStream was susceptible to exposing uninitialized data. This issue could only be abused in order to write data to a local disk which may have implications for private browsing mode. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. (CVE-2023-6865)

  • The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. (CVE-2023-6867)

  • An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
    (CVE-2024-0741)

  • It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0742)

  • An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-0743)

  • A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0746)

  • When a parent page loaded a child in an iframe with unsafe-inline, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0747)

  • A phishing site could have repurposed an about: dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7. (CVE-2024-0749)

  • A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0750)

  • A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0751)

  • In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0753)

  • Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0755)

  • When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1546)

  • Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website’s URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1547)

  • A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1548)

  • If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1549)

  • A malicious website could have used a combination of exiting fullscreen mode and requestPointerLock to cause the user’s mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1550)

  • Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1551)

  • Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior. Note: This issue only affects 32-bit ARM devices. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1552)

  • Memory safety bugs present in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1553)

  • The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird’s local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1. (CVE-2024-1936)

  • Return registers were overwritten which could have allowed an attacker to execute arbitrary code. Note: This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2607)

  • AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters() could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
    (CVE-2024-2608)

  • The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-2609)

  • Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2610)

  • A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2611)

  • If an attacker could find a way to trigger a particular code path in SafeRefPtr, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2612)

  • Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2614)

  • To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9.
    (CVE-2024-2616)

  • An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1. (CVE-2024-29944)

  • There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3302)

  • GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3852)

  • In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
    (CVE-2024-3854)

  • The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3857)

  • On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3859)

  • If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3861)

  • Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
    (CVE-2024-3864)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory mozilla. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196863);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2017-7781",
    "CVE-2018-5146",
    "CVE-2020-6823",
    "CVE-2020-6824",
    "CVE-2020-15685",
    "CVE-2020-16044",
    "CVE-2020-26970",
    "CVE-2020-26971",
    "CVE-2020-26973",
    "CVE-2020-26974",
    "CVE-2020-26976",
    "CVE-2020-26978",
    "CVE-2020-35111",
    "CVE-2020-35113",
    "CVE-2021-4127",
    "CVE-2021-4129",
    "CVE-2021-4140",
    "CVE-2021-23953",
    "CVE-2021-23954",
    "CVE-2021-23960",
    "CVE-2021-23961",
    "CVE-2021-23964",
    "CVE-2021-23968",
    "CVE-2021-23969",
    "CVE-2021-23973",
    "CVE-2021-23978",
    "CVE-2021-23981",
    "CVE-2021-23982",
    "CVE-2021-23984",
    "CVE-2021-23987",
    "CVE-2021-23991",
    "CVE-2021-23992",
    "CVE-2021-23993",
    "CVE-2021-23994",
    "CVE-2021-23995",
    "CVE-2021-23998",
    "CVE-2021-23999",
    "CVE-2021-24002",
    "CVE-2021-29945",
    "CVE-2021-29946",
    "CVE-2021-29948",
    "CVE-2021-29949",
    "CVE-2021-29950",
    "CVE-2021-29956",
    "CVE-2021-29957",
    "CVE-2021-29964",
    "CVE-2021-29967",
    "CVE-2021-29969",
    "CVE-2021-29970",
    "CVE-2021-29976",
    "CVE-2021-29980",
    "CVE-2021-29984",
    "CVE-2021-29985",
    "CVE-2021-29986",
    "CVE-2021-29988",
    "CVE-2021-29989",
    "CVE-2021-29991",
    "CVE-2021-38493",
    "CVE-2021-38496",
    "CVE-2021-38497",
    "CVE-2021-38498",
    "CVE-2021-38500",
    "CVE-2021-38501",
    "CVE-2021-38502",
    "CVE-2021-38503",
    "CVE-2021-38504",
    "CVE-2021-38505",
    "CVE-2021-38506",
    "CVE-2021-38507",
    "CVE-2021-38508",
    "CVE-2021-38509",
    "CVE-2021-38510",
    "CVE-2021-43528",
    "CVE-2021-43534",
    "CVE-2021-43535",
    "CVE-2021-43536",
    "CVE-2021-43537",
    "CVE-2021-43538",
    "CVE-2021-43539",
    "CVE-2021-43541",
    "CVE-2021-43542",
    "CVE-2021-43543",
    "CVE-2021-43545",
    "CVE-2021-43546",
    "CVE-2022-1097",
    "CVE-2022-1196",
    "CVE-2022-1197",
    "CVE-2022-1520",
    "CVE-2022-1529",
    "CVE-2022-1802",
    "CVE-2022-1834",
    "CVE-2022-2200",
    "CVE-2022-2226",
    "CVE-2022-2505",
    "CVE-2022-3032",
    "CVE-2022-3033",
    "CVE-2022-3034",
    "CVE-2022-3266",
    "CVE-2022-22737",
    "CVE-2022-22738",
    "CVE-2022-22739",
    "CVE-2022-22740",
    "CVE-2022-22741",
    "CVE-2022-22742",
    "CVE-2022-22743",
    "CVE-2022-22745",
    "CVE-2022-22747",
    "CVE-2022-22748",
    "CVE-2022-22751",
    "CVE-2022-22754",
    "CVE-2022-22756",
    "CVE-2022-22759",
    "CVE-2022-22760",
    "CVE-2022-22761",
    "CVE-2022-22763",
    "CVE-2022-22764",
    "CVE-2022-24713",
    "CVE-2022-26381",
    "CVE-2022-26383",
    "CVE-2022-26384",
    "CVE-2022-26386",
    "CVE-2022-26387",
    "CVE-2022-26486",
    "CVE-2022-28281",
    "CVE-2022-28282",
    "CVE-2022-28285",
    "CVE-2022-28286",
    "CVE-2022-28289",
    "CVE-2022-29909",
    "CVE-2022-29911",
    "CVE-2022-29912",
    "CVE-2022-29913",
    "CVE-2022-29914",
    "CVE-2022-29916",
    "CVE-2022-29917",
    "CVE-2022-31736",
    "CVE-2022-31737",
    "CVE-2022-31738",
    "CVE-2022-31740",
    "CVE-2022-31741",
    "CVE-2022-31742",
    "CVE-2022-31744",
    "CVE-2022-31747",
    "CVE-2022-34468",
    "CVE-2022-34470",
    "CVE-2022-34472",
    "CVE-2022-34479",
    "CVE-2022-34481",
    "CVE-2022-34484",
    "CVE-2022-36059",
    "CVE-2022-36318",
    "CVE-2022-36319",
    "CVE-2022-38472",
    "CVE-2022-38473",
    "CVE-2022-38476",
    "CVE-2022-38477",
    "CVE-2022-38478",
    "CVE-2022-39236",
    "CVE-2022-39249",
    "CVE-2022-39250",
    "CVE-2022-39251",
    "CVE-2022-40956",
    "CVE-2022-40957",
    "CVE-2022-40958",
    "CVE-2022-40959",
    "CVE-2022-40960",
    "CVE-2022-40962",
    "CVE-2022-42927",
    "CVE-2022-42928",
    "CVE-2022-42929",
    "CVE-2022-42932",
    "CVE-2022-45403",
    "CVE-2022-45404",
    "CVE-2022-45405",
    "CVE-2022-45406",
    "CVE-2022-45408",
    "CVE-2022-45409",
    "CVE-2022-45410",
    "CVE-2022-45411",
    "CVE-2022-45412",
    "CVE-2022-45414",
    "CVE-2022-45416",
    "CVE-2022-45418",
    "CVE-2022-45420",
    "CVE-2022-45421",
    "CVE-2022-46871",
    "CVE-2022-46872",
    "CVE-2022-46874",
    "CVE-2022-46877",
    "CVE-2022-46878",
    "CVE-2022-46880",
    "CVE-2022-46881",
    "CVE-2022-46882",
    "CVE-2023-0430",
    "CVE-2023-0616",
    "CVE-2023-1945",
    "CVE-2023-1999",
    "CVE-2023-4045",
    "CVE-2023-4046",
    "CVE-2023-4047",
    "CVE-2023-4048",
    "CVE-2023-4049",
    "CVE-2023-4050",
    "CVE-2023-4051",
    "CVE-2023-4053",
    "CVE-2023-4055",
    "CVE-2023-4056",
    "CVE-2023-4057",
    "CVE-2023-4573",
    "CVE-2023-4574",
    "CVE-2023-4575",
    "CVE-2023-4577",
    "CVE-2023-4578",
    "CVE-2023-4580",
    "CVE-2023-4581",
    "CVE-2023-4583",
    "CVE-2023-4584",
    "CVE-2023-4585",
    "CVE-2023-5169",
    "CVE-2023-5171",
    "CVE-2023-5176",
    "CVE-2023-5721",
    "CVE-2023-5724",
    "CVE-2023-5725",
    "CVE-2023-5728",
    "CVE-2023-5730",
    "CVE-2023-5732",
    "CVE-2023-6204",
    "CVE-2023-6205",
    "CVE-2023-6206",
    "CVE-2023-6207",
    "CVE-2023-6208",
    "CVE-2023-6209",
    "CVE-2023-6212",
    "CVE-2023-6856",
    "CVE-2023-6857",
    "CVE-2023-6858",
    "CVE-2023-6859",
    "CVE-2023-6860",
    "CVE-2023-6861",
    "CVE-2023-6862",
    "CVE-2023-6863",
    "CVE-2023-6864",
    "CVE-2023-6865",
    "CVE-2023-6867",
    "CVE-2023-23598",
    "CVE-2023-23599",
    "CVE-2023-23601",
    "CVE-2023-23602",
    "CVE-2023-23603",
    "CVE-2023-23605",
    "CVE-2023-25728",
    "CVE-2023-25729",
    "CVE-2023-25730",
    "CVE-2023-25732",
    "CVE-2023-25735",
    "CVE-2023-25737",
    "CVE-2023-25739",
    "CVE-2023-25742",
    "CVE-2023-25743",
    "CVE-2023-25744",
    "CVE-2023-25746",
    "CVE-2023-25751",
    "CVE-2023-25752",
    "CVE-2023-28162",
    "CVE-2023-28164",
    "CVE-2023-28176",
    "CVE-2023-28427",
    "CVE-2023-29533",
    "CVE-2023-29535",
    "CVE-2023-29536",
    "CVE-2023-29539",
    "CVE-2023-29541",
    "CVE-2023-29548",
    "CVE-2023-29550",
    "CVE-2023-32205",
    "CVE-2023-32206",
    "CVE-2023-32207",
    "CVE-2023-32211",
    "CVE-2023-32212",
    "CVE-2023-32213",
    "CVE-2023-32215",
    "CVE-2023-34414",
    "CVE-2023-34416",
    "CVE-2023-37201",
    "CVE-2023-37202",
    "CVE-2023-37207",
    "CVE-2023-37208",
    "CVE-2023-37211",
    "CVE-2023-50761",
    "CVE-2023-50762",
    "CVE-2024-0741",
    "CVE-2024-0742",
    "CVE-2024-0743",
    "CVE-2024-0746",
    "CVE-2024-0747",
    "CVE-2024-0749",
    "CVE-2024-0750",
    "CVE-2024-0751",
    "CVE-2024-0753",
    "CVE-2024-0755",
    "CVE-2024-1546",
    "CVE-2024-1547",
    "CVE-2024-1548",
    "CVE-2024-1549",
    "CVE-2024-1550",
    "CVE-2024-1551",
    "CVE-2024-1552",
    "CVE-2024-1553",
    "CVE-2024-1936",
    "CVE-2024-2607",
    "CVE-2024-2608",
    "CVE-2024-2609",
    "CVE-2024-2610",
    "CVE-2024-2611",
    "CVE-2024-2612",
    "CVE-2024-2614",
    "CVE-2024-2616",
    "CVE-2024-3302",
    "CVE-2024-3852",
    "CVE-2024-3854",
    "CVE-2024-3857",
    "CVE-2024-3859",
    "CVE-2024-3861",
    "CVE-2024-3864",
    "CVE-2024-29944"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/21");

  script_name(english:"RHEL 6 : mozilla (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - Mozilla: Stack overflow due to incorrect parsing of SMTP server response codes (CVE-2020-26970)

  - Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140)

  - An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates
    where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use
    this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
    This vulnerability affects Firefox < 55. (CVE-2017-7781)

  - An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.
    This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. (CVE-2018-5146)

  - During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected
    and evaluated within the encrypted session. This vulnerability affects Thunderbird < 78.7.
    (CVE-2020-15685)

  - Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially
    exploit heap corruption via a crafted SCTP packet. (CVE-2020-16044)

  - Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow
    on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR <
    78.6. (CVE-2020-26971)

  - Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This
    could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6,
    and Firefox ESR < 78.6. (CVE-2020-26973)

  - When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly
    cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially
    exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.
    (CVE-2020-26974)

  - When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former,
    the service worker could have intercepted the request for the secure page despite the iframe not being a
    secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. (CVE-2020-26976)

  - Using techniques that built on the slipstream research, a malicious webpage could have exposed both an
    internal network's hosts as well as services running on the user's local machine. This vulnerability
    affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-26978)

  - When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback
    was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening
    View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84,
    Thunderbird < 78.6, and Firefox ESR < 78.6. (CVE-2020-35111)

  - Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and
    Firefox ESR < 78.6. (CVE-2020-35113)

  - A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the
    redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account
    at the service provider. This vulnerability affects Firefox < 75. (CVE-2020-6823)

  - Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the
    Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private
    Browsing Window, revisited the same site, and generated a new password - the generated passwords would
    have been identical, rather than independent. This vulnerability affects Firefox < 75. (CVE-2020-6824)

  - If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-
    origin information, when said information is served as chunked data. This vulnerability affects Firefox <
    85, Thunderbird < 78.7, and Firefox ESR < 78.7. (CVE-2021-23953)

  - Using the new logical assignment operators in a JavaScript switch statement could have caused a type
    confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects
    Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. (CVE-2021-23954)

  - Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a
    potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox
    ESR < 78.7. (CVE-2021-23960)

  - Further techniques that built on the slipstream research combined with a malicious webpage could have
    exposed both an internal network's hosts as well as services running on the user's local machine. This
    vulnerability affects Firefox < 85. (CVE-2021-23961)

  - Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and
    Firefox ESR < 78.7. (CVE-2021-23964)

  - If Content Security Policy blocked frame navigation, the full destination of a redirect served in the
    frame was reported in the violation report; as opposed to the original frame URI. This could be used to
    leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird <
    78.8, and Firefox ESR < 78.8. (CVE-2021-23968)

  - As specified in the W3C Content Security Policy draft, when creating a violation report, User agents need
    to ensure that the source file is the URL requested by the page, pre-redirects. If that's not possible,
    user agents need to strip the URL down to an origin to avoid unintentional leakage. Under certain types
    of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was
    fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird <
    78.8, and Firefox ESR < 78.8. (CVE-2021-23969)

  - When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted,
    and the content of that error may have revealed information about the resource. This vulnerability affects
    Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23973)

  - Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and
    Firefox ESR < 78.8. (CVE-2021-23978)

  - A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer
    used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash.
    This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23981)

  - Using techniques that built on the slipstream research, a malicious webpage could have scanned both an
    internal network's hosts as well as services running on the user's local machine utilizing WebRTC
    connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
    (CVE-2021-23982)

  - A malicious extension could have opened a popup window lacking an address bar. The title of the popup
    lacking an address bar should not be fully controllable, but in this situation was. This could have been
    used to spoof a website and attempt to trick the user into providing credentials. This vulnerability
    affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23984)

  - Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR
    78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
    of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9,
    Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23987)

  - If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity
    period of her key, but Alice's updated key has not yet been imported, an attacker may send an email
    containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt
    to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects
    Thunderbird < 78.9.1. (CVE-2021-23991)

  - Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An
    attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by
    adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may
    falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects
    Thunderbird < 78.9.1. (CVE-2021-23992)

  - An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If
    an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the
    Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP
    library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird <
    78.9.1. (CVE-2021-23993)

  - A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound
    write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
    (CVE-2021-23994)

  - When Responsive Design Mode was enabled, it used references to objects that were previously freed. We
    presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability
    affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-23995)

  - Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon
    from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
    (CVE-2021-23998)

  - If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System
    Principal and granted additional privileges that should not be granted to web content. This vulnerability
    affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-23999)

  - When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would
    have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This
    vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-24002)

  - The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and
    result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*
    This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-29945)

  - Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed
    port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR <
    78.10, Thunderbird < 78.10, and Firefox < 88. (CVE-2021-29946)

  - Signatures are written to disk before and read during verification, which might be subject to a race
    condition when a malicious local process or user is replacing the file. This vulnerability affects
    Thunderbird < 78.10. (CVE-2021-29948)

  - When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially
    attempt to open it using a filename that isn't distributed by Thunderbird. If a computer has already been
    infected with a malicious library of the alternative filename, and the malicious library has been copied
    to a directory that is contained in the search path for executable libraries, then Thunderbird will load
    the incorrect library. This vulnerability affects Thunderbird < 78.9.1. (CVE-2021-29949)

  - Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import
    task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This
    vulnerability affects Thunderbird < 78.8.1. (CVE-2021-29950)

  - OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored
    unencrypted on the user's local disk. The master password protection was inactive for those keys. Version
    78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys
    that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird <
    78.10.2. (CVE-2021-29956)

  - If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an
    additional unprotected part, Thunderbird did not indicate that only parts of the message are protected.
    This vulnerability affects Thunderbird < 78.10.2. (CVE-2021-29957)

  - A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process
    incorrectly, leading to an out-of-bounds read. *This bug only affects Firefox on Windows. Other operating
    systems are unaffected.* This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR <
    78.11. (CVE-2021-29964)

  - Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and
    Firefox ESR < 78.11. (CVE-2021-29967)

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server
    responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected
    data. This could have resulted in Thunderbird showing incorrect information, for example the attacker
    could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability
    affects Thunderbird < 78.12. (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially
    exploitable crash. *This bug could only be triggered when accessibility was enabled.* This vulnerability
    affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29970)

  - Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of
    these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12,
    Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29976)

  - Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption
    and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91,
    Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29980)

  - Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly
    considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  - A use-after-free vulnerability in media channels could have led to memory corruption and a potentially
    exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13,
    and Firefox < 91. (CVE-2021-29985)

  - A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable
    crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.*
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  - Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds
    read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird <
    78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

  - Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13,
    and Firefox < 91. (CVE-2021-29989)

  - Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This
    allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox <
    91.0.1 and Thunderbird < 91.0.1. (CVE-2021-29991)

  - Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14,
    and Firefox < 92. (CVE-2021-38493)

  - During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in
    memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15,
    Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. (CVE-2021-38496)

  - Through use of reportValidity() and window.open(), a plain-text validation message could have been
    overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability
    affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38497)

  - During process shutdown, a document could have caused a use-after-free of a languages service object,
    leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93,
    Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38498)

  - Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2,
    Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. (CVE-2021-38500)

  - Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and
    Firefox ESR < 91.2. (CVE-2021-38501)

  - Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could
    perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated
    session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was
    configured, the MITM could obtain the authentication credentials, too. This vulnerability affects
    Thunderbird < 91.2. (CVE-2021-38502)

  - The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass
    restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects
    Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38503)

  - When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-
    free could have resulted, leading to memory corruption and a potentially exploitable crash. This
    vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38504)

  - Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record
    data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios.
    Applications that wish to prevent copied data from being recorded in Cloud History must use specific
    clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have
    caused sensitive data to be recorded to a user's Microsoft account. *This bug only affects Firefox for
    Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.* This vulnerability
    affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38505)

  - Through a series of navigations, Firefox could have entered fullscreen mode without notification or
    warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This
    vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38506)

  - The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded
    to TLS while retaining the visual properties of an HTTP connection, including being same-origin with
    unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port
    8443) did not opt in to opportunistic encryption, a network attacker could forward a connection from the
    browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin
    with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage. This
    vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38507)

  - By displaying a form validity message in the correct location at the same time as a permission prompt
    (such as for geolocation), the validity message could have obscured the prompt, resulting in the user
    potentially being tricked into granting the permission. This vulnerability affects Firefox < 94,
    Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-38508)

  - Due to an unusual sequence of attacker-controlled events, a JavaScript alert() dialog with arbitrary
    (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's
    choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
    (CVE-2021-38509)

  - The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac
    OS, can run commands on a user's computer. *Note: This issue only affected Mac OS operating systems. Other
    operating systems are unaffected.* This vulnerability affects Firefox < 94, Thunderbird < 91.3, and
    Firefox ESR < 91.3. (CVE-2021-38510)

  - An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be
    exploited. This vulnerability affects Thunderbird < 78.9 and Firefox ESR < 78.9. (CVE-2021-4127)

  - Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith,
    Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox < 95, Firefox ESR < 91.4.0, and
    Thunderbird < 91.4.0. (CVE-2021-4129)

  - Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was
    limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to
    further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.
    (CVE-2021-43528)

  - Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR
    91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
    of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94,
    Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-43534)

  - A use-after-free could have occurred when an HTTP2 session object was released on a different thread,
    leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93,
    Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-43535)

  - Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the
    target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43536)

  - An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory
    leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR <
    91.4.0, and Firefox < 95. (CVE-2021-43537)

  - By misusing a race in our notification code, an attacker could have forcefully hidden the notification for
    pages that had received full screen and pointer lock access, which could have been used for spoofing
    attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43538)

  - Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC
    occurring within the call not tracing those live pointers. This could have led to a use-after-free causing
    a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0,
    and Firefox < 95. (CVE-2021-43539)

  - When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not
    properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
    (CVE-2021-43541)

  - Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages
    for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and
    Firefox < 95. (CVE-2021-43542)

  - Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by
    embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and
    Firefox < 95. (CVE-2021-43543)

  - Using the Location API in a loop could have caused severe application hangs and crashes. This
    vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43545)

  - It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
    This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. (CVE-2021-43546)

  - `NSSToken` objects were referenced via direct points, and could have been accessed in an unsafe
    way on different threads, leading to a use-after-free and potentially exploitable crash. This
    vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. (CVE-2022-1097)

  - After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-
    after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox
    ESR < 91.8. (CVE-2022-1196)

  - When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not
    update the existing copy of the key that was not yet revoked, and the existing key was kept as non-
    revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation
    reason, were unaffected. This vulnerability affects Thunderbird < 91.8. (CVE-2022-1197)

  - When viewing an email message A, which contains an attached message B, where B is encrypted or digitally
    signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and
    viewing the attached message B, when returning to the display of message A, the message A might be shown
    with the security status of message B. This vulnerability affects Thunderbird < 91.9. (CVE-2022-1520)

  - An attacker could have sent a message to the parent process where the contents were used to double-index
    into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript
    executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox <
    100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. (CVE-2022-1529)

  - If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution,
    they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This
    vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and
    Thunderbird < 91.9.1. (CVE-2022-1802)

  - When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space
    character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an
    attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary
    sender email address chosen by the attacker. If the sender name started with a false email address,
    followed by many Braille space characters, the attacker's email address was not visible. Because
    Thunderbird compared the invisible sender address with the signature's email address, if the signing key
    or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This
    vulnerability affects Thunderbird < 91.10. (CVE-2022-1834)

  - If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes
    on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102,
    Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-2200)

  - An OpenPGP digital signature includes information about the date when the signature was created. When
    displaying an email that contains a digital signature, the email's date will be shown. If the dates were
    different, then Thunderbird didn't report the email as having an invalid signature. If an attacker
    performed a replay attack, in which an old email with old contents is resent at a later time, it could
    lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird
    will require that the signature's date roughly matches the displayed date of the email. This vulnerability
    affects Thunderbird < 102 and Thunderbird < 91.11. (CVE-2022-2226)

  - Constructing audio sinks could have led to a race condition when playing audio files and closing windows.
    This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability
    affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22737)

  - Applying a CSS filter effect could have accessed out of bounds memory. This could have led to a heap-
    buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5,
    Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22738)

  - Malicious websites could have tricked users into accepting launching a program to handle an external URL
    protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
    (CVE-2022-22739)

  - Certain network request objects were freed too early when releasing a network request handle. This could
    have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox
    ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22740)

  - When resizing a popup while requesting fullscreen access, the popup would have become unable to leave
    fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
    (CVE-2022-22741)

  - When inserting text while in edit mode, some characters might have led to out-of-bounds memory access
    causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and
    Thunderbird < 91.5. (CVE-2022-22742)

  - When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could
    have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5,
    Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22743)

  - Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations.
    This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22745)

  - After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data
    could have led to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox
    ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22747)

  - Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a
    program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox <
    96, and Thunderbird < 91.5. (CVE-2022-22748)

  - Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson
    Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR
    91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
    of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 91.5,
    Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22751)

  - If a user installed an extension of a particular type, the extension could have auto-updated itself and
    while doing so, bypass the prompt which grants the new version the new requested permissions. This
    vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22754)

  - If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object
    could have been changed into an executable script which would have run arbitrary code after the user
    clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
    (CVE-2022-22756)

  - If a document created a sandboxed iframe without `allow-scripts`, and subsequently appended an
    element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have
    run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox
    ESR < 91.6. (CVE-2022-22759)

  - When importing resources using Web Workers, error messages would distinguish the difference between
    `application/javascript` responses and non-script responses. This could have been abused to
    learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox
    ESR < 91.6. (CVE-2022-22760)

  - Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the
    frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This
    vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22761)

  - When a worker is shut down, it was possible to cause script to run late in the lifecycle, at a point after
    where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox
    ESR < 91.6. (CVE-2022-22763)

  - Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox
    96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with
    enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects
    Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22764)

  - regex is an implementation of regular expressions for the Rust language. The regex crate features built-in
    mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched
    by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This
    guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in
    the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing,
    and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial
    of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted
    regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is
    included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade
    immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic
    regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability.
    Because of this, it is not recommended to deny known problematic regexes. (CVE-2022-24713)

  - Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some
    of these bugs showed evidence of memory corruption and we presume that with enough effort some of these
    could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox <
    103, and Thunderbird < 102.1. (CVE-2022-2505)

  - An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a
    potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and
    Thunderbird < 91.7. (CVE-2022-26381)

  - When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen
    notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
    (CVE-2022-26383)

  - If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not
    `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript
    execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and
    Thunderbird < 91.7. (CVE-2022-26384)

  - Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in
    `/tmp`, but this behavior was changed to download them to `/tmp` where they could be
    affected by other local users. This behavior was reverted to the original, user-specific directory.
    *This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.* This
    vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7. (CVE-2022-26386)

  - When installing an add-on, Firefox verified the signature before prompting the user; but while the user
    was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have
    noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
    (CVE-2022-26387)

  - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox
    escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox <
    97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
    (CVE-2022-26486)

  - If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to
    the parent process, an out of bounds write would have occurred leading to memory corruption and a
    potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox
    ESR < 91.8. (CVE-2022-28281)

  - By using a link with `rel=localization` a use-after-free could have been triggered by
    destroying an object during JavaScript execution and then referencing the object through a freed pointer,
    leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and
    Firefox ESR < 91.8. (CVE-2022-28282)

  - When generating the assembly code for `MLoadTypedArrayElementHole`, an incorrect AliasSet was
    used. In conjunction with another vulnerability this could have been used for an out of bounds memory
    read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
    (CVE-2022-28285)

  - Due to a layout change, iframe contents could have been rendered outside of its border. This could have
    led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99,
    and Firefox ESR < 91.8. (CVE-2022-28286)

  - Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla
    Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence
    of memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
    (CVE-2022-28289)

  - Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the
    top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This
    vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29909)

  - An improper implementation of the new iframe sandbox keyword
    `allow-top-navigation-by-user-activation` could lead to script execution without `allow-scripts` being present. This
    vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29911)

  - Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This
    vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29912)

  - The parent process would not properly check whether the Speech Synthesis feature is enabled, when
    receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.
    (CVE-2022-29913)

  - When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI,
    which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox
    ESR < 91.9, and Firefox < 100. (CVE-2022-29914)

  - Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS
    variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird
    < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29916)

  - Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported
    memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
    (CVE-2022-29917)

  - When receiving an HTML email that contained an `iframe` element, which used a
    `srcdoc` attribute to define the inner HTML document, remote objects specified in the nested
    document, for example images or videos, were not blocked. Rather, the network was accessed, the objects
    were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.
    (CVE-2022-3032)

  - If a Thunderbird user replied to a crafted HTML email containing a `meta` tag, with the
    `meta` tag having the `http-equiv=refresh` attribute, and the content attribute
    specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration
    to block remote content. In combination with certain other HTML elements and attributes in the email, it
    was possible to execute JavaScript code included in the message in the context of the message compose
    document. The JavaScript code was able to perform actions including, but probably not limited to, read and
    modify the contents of the message compose document, including the quoted original message, which could
    potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could
    then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different
    URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users
    who have changed the default Message Body display setting to 'simple html' or 'plain text'. This
    vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. (CVE-2022-3033)

  - When receiving an HTML email that specified to load an `iframe` element from a remote location,
    a request to the remote document was sent. However, Thunderbird didn't display the document. This
    vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. (CVE-2022-3034)

  - A malicious website could have learned the size of a cross-origin resource that supported Range requests.
    This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31736)

  - A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a
    potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox
    ESR < 91.10. (CVE-2022-31737)

  - When exiting fullscreen mode, an iframe could have confused the browser about the current state of
    fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects
    Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31738)

  - On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation
    problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox <
    101, and Firefox ESR < 91.10. (CVE-2022-31740)

  - A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and
    potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and
    Firefox ESR < 91.10. (CVE-2022-31741)

  - An attacker could have exploited a timing attack by sending a large number of allowCredential entries and
    detecting the difference between invalid key handles and cross-origin key handles. This could have led to
    cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird <
    91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31742)

  - An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and
    in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11,
    Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101. (CVE-2022-31744)

  - Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory
    safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory
    corruption and we presume that with enough effort some of these could have been exploited to run arbitrary
    code. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
    (CVE-2022-31747)

  - An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.
    This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-3266)

  - An iframe that was not permitted to run scripts could do so if the user clicked on a
    `javascript:` link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird
    < 102, and Thunderbird < 91.11. (CVE-2022-34468)

  - Session history navigations may have led to a use-after-free and potentially exploitable crash. This
    vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
    (CVE-2022-34470)

  - If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have
    been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102,
    Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34472)

  - A malicious website that could create a popup could have resized the popup to overlay the address bar with
    its own content, resulting in potential user confusion or spoofing attacks. *This bug only affects
    Thunderbird for Linux. Other operating systems are unaffected.* This vulnerability affects Firefox < 102,
    Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34479)

  - In the `nsTArray_Impl::ReplaceElementsAt()` function, an integer overflow could have occurred
    when the number of elements to replace was too large for the container. This vulnerability affects Firefox
    < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34481)

  - The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these
    bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
    been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11,
    Thunderbird < 102, and Thunderbird < 91.11. (CVE-2022-34484)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0
    events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from
    functioning properly, potentially impacting the consumer's ability to process data safely. Note that the
    matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to
    the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users
    unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor
    to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all
    storage will often fix most perceived issues. In some cases, no workarounds are possible. (CVE-2022-36059)

  - When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This
    vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and
    Thunderbird < 91.12. (CVE-2022-36318)

  - When combining CSS properties for overflow and transform, the mouse cursor could interact with different
    coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox <
    103, Thunderbird < 102.1, and Thunderbird < 91.12. (CVE-2022-36319)

  - An attacker could have abused XSLT error handling to associate attacker-controlled content with another
    origin which was displayed in the address bar. This could have been used to fool the user into submitting
    data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13,
    Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. (CVE-2022-38472)

  - A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as
    microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox
    ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. (CVE-2022-38473)

  - A data race could occur in the `PK11_ChangePW` function, potentially leading to a
    use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password.
    This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2. (CVE-2022-38476)

  - Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox
    103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that
    with enough effort some of these could have been exploited to run arbitrary code. This vulnerability
    affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104. (CVE-2022-38477)

  - Members of the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1,
    and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with
    enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects
    Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
    (CVE-2022-38478)

  - Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1,
    improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly,
    potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can
    appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.
    This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to
    store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable
    events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected
    version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the
    issue. (CVE-2022-39236)

  - Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker
    cooperating with a malicious homeserver can construct messages appearing to have come from another person.
    Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This
    attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the
    receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made
    more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to
    previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the
    decrypted message upon decryption, based on whether the key used to decrypt the message was received from
    a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are
    decorated appropriately, for example, by showing a warning for such messages. This attack requires
    coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not
    need a workaround. (CVE-2022-39249)

  - Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to
    version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification
    flow between two users, injecting its own cross-signing user identity in place of one of the users'
    identities. This would lead to the other device trusting/verifying the user identity under the control of
    the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by
    checking and signing user identities and devices in two separate steps, and inadequately fixing the keys
    to be signed between those steps. Even though the attack is partly made possible due to the design
    decision of treating cross-signing user identities as Matrix devices on the server side (with their device
    ID set to the public part of the user identity key), no other examined implementations were vulnerable.
    Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is
    the one that was verified instead of just referencing the key by ID. An additional check has been made to
    report an error when one of the device IDs matches a cross-signing key. As this attack requires
    coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need
    a particular workaround. (CVE-2022-39250)

  - Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker
    cooperating with a malicious homeserver can construct messages that legitimately appear to have come from
    another person, without any indication such as a grey shield. Additionally, a sophisticated attacker
    cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in
    order to send fake to-device messages appearing to originate from another user. This can allow, for
    example, to inject the key backup secret during a self-verification, to make a targeted device start using
    a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion
    vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version
    19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution,
    several other checks have been audited or added. This attack requires coordination between a malicious
    home server and an attacker, so those who trust their home servers do not need a workaround.
    (CVE-2022-39251)

  - When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the
    injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and
    Firefox < 105. (CVE-2022-40956)

  - Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially
    exploitable crash. *This bug only affects Firefox on ARM64 platforms.* This vulnerability affects
    Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40957)

  - By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a
    secure context could set and thus overwrite cookies from a secure context, leading to session fixation and
    other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
    (CVE-2022-40958)

  - During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a
    bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR
    < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40959)

  - Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a
    use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird
    < 102.3, and Firefox < 105. (CVE-2022-40960)

  - Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla
    Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and
    Firefox < 105. (CVE-2022-40962)

  - A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the
    result of a redirect, via `performance.getEntries()`. This vulnerability affects Firefox < 106, Firefox
    ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42927)

  - Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific
    state, could have led to memory corruption and a potentially exploitable crash. This vulnerability
    affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42928)

  - If a website called `window.print()` in a particular way, it could cause a denial of service of the
    browser, which may persist beyond browser restart depending on the user's session restore settings. This
    vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42929)

  - Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox
    105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that
    with enough effort some of these could have been exploited to run arbitrary code. This vulnerability
    affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. (CVE-2022-42932)

  - Service Workers should not be able to infer information about opaque cross-origin responses; but timing
    information for cross-origin media combined with Range requests might have allowed them to determine the
    presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5,
    and Firefox < 107. (CVE-2022-45403)

  - Through a series of popup and `window.print()` calls, an attacker can cause a window to go
    fullscreen without the user seeing the notification prompt, resulting in potential user confusion or
    spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
    (CVE-2022-45404)

  - Freeing arbitrary `nsIInputStream`s on a different thread than creation could have led to a
    use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5,
    Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45405)

  - If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be
    deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a
    potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and
    Firefox < 107. (CVE-2022-45406)

  - Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without
    the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This
    vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45408)

  - The garbage collector could have been aborted in several states and zones and
    `GCRuntime::finishCollection` may not have been called, leading to a use-after-free and
    potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and
    Firefox < 107. (CVE-2022-45409)

  - When a ServiceWorker intercepted a request with `FetchEvent`, the origin of the request was
    lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie
    protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR <
    102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45410)

  - Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS
    attack to access authorization headers and cookies inaccessible to JavaScript (such as cookies
    protected by HTTPOnly). To mitigate this attack, browsers placed limits on `fetch()` and
    XMLHttpRequest; however some webservers have implemented non-standard headers such as
    `X-Http-Method-Override` that override the HTTP method, and made this attack possible again. Thunderbird has
    applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox
    ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45411)

  - When resolving a symlink such as `file:///proc/self/fd/1`, an error message may be produced
    where the symlink was resolved to a string containing uninitialized memory in the buffer. *This bug only
    affects Thunderbird on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected.* This
    vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45412)

  - If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email
    contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network
    request to the referenced remote URL was performed, regardless of a configuration to block remote content.
    An image loaded from the POSTER attribute was shown in the composer window. These issues could have given
    an attacker additional capabilities when targeting releases that did not yet have a fix for CVE-2022-3033
    which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.
    (CVE-2022-45414)

  - Keyboard events reference strings like KeyA that were at fixed, known, and widely-spread addresses.
    Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being
    pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
    (CVE-2022-45416)

  - If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn
    over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects
    Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45418)

  - Using tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the
    boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability
    affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45420)

  - Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird
    102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
    of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5,
    Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45421)

  - An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This
    vulnerability affects Firefox < 108. (CVE-2022-46871)

  - An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary
    files via clipboard-related IPC messages. *This bug only affects Thunderbird for Linux. Other operating
    systems are unaffected.* This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird <
    102.6. (CVE-2022-46872)

  - A file with a long filename could have had its filename truncated to remove the valid extension, leaving a
    malicious extension in its place. This could potentially have led to user confusion and the execution of
    malicious code. *Note*: This issue was originally included in the advisories for Thunderbird 102.6,
    but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird
    102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox
    ESR < 102.6. (CVE-2022-46874)

  - By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in
    potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108. (CVE-2022-46877)

  - Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory
    safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we
    presume that with enough effort some of these could have been exploited to run arbitrary code. This
    vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46878)

  - A missing check related to tex units could have led to a use-after-free and potentially exploitable
    crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact
    of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects
    Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6. (CVE-2022-46880)

  - An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a
    potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better
    understood the impact of the issue. The fix was included in the original release of Firefox 106. This
    vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46881)

  - A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability
    affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46882)

  - Certificate OCSP revocation status was not checked when verifying S/MIME signatures. Mail signed with a
    revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to
    102.7.0 were affected by this bug. This vulnerability affects Thunderbird < 102.7.1. (CVE-2023-0430)

  - If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to
    process and display the message, which could cause Thunderbird's user interface to lock up and no longer
    respond to the user's actions. An attacker could send a crafted message with this structure to attempt a
    DoS attack. This vulnerability affects Thunderbird < 102.8. (CVE-2023-0616)

  - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially
    exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
    (CVE-2023-1945)

  - There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode()
    function and loop through to free best.bw and assign best = trial pointer. The second loop will then
    return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the
    AddressSanitizer will attempt a double free. (CVE-2023-1999)

  - Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain
    MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to
    `DataTransfer.setData`. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and
    Firefox ESR < 102.7. (CVE-2023-23598)

  - When copying a network request from the developer tools panel as a curl command the output was not being
    properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects
    Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. (CVE-2023-23599)

  - Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which
    could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and
    Firefox ESR < 102.7. (CVE-2023-23601)

  - A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy
    connect-src header to be ignored. This could lead to connections to restricted origins from inside
    WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
    (CVE-2023-23602)

  - Regular expressions used to filter out forbidden properties and values from style directives in calls to
    `console.log` weren't accounting for external URLs. Data could then be potentially exfiltrated
    from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
    (CVE-2023-23603)

  - Memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
    (CVE-2023-23605)

  - The `Content-Security-Policy-Report-Only` header could allow an attacker to leak a child
    iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects
    Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25728)

  - Permission prompts for opening external schemes were only shown for `ContentPrincipals`
    resulting in extensions being able to open them without user interaction via
    `ExpandedPrincipals`. This could lead to further malicious actions such as downloading files or
    interacting with software already installed on the system. This vulnerability affects Firefox < 110,
    Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25729)

  - A background script invoking `requestFullscreen` and then blocking the main thread could force
    the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
    This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25730)

  - When encoding data from an `inputStream` in `xpcom` the size of the input being
    encoded was not correctly calculated potentially leading to an out of bounds memory write. This
    vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25732)

  - Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to
    be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This
    vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25735)

  - An invalid downcast from `nsTextNode` to `SVGElement` could have led to undefined
    behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
    (CVE-2023-25737)

  - Module load requests that failed were not being checked as to whether or not they were cancelled causing a
    use-after-free in `ScriptLoadContext`. This vulnerability affects Firefox < 110, Thunderbird <
    102.8, and Firefox ESR < 102.8. (CVE-2023-25739)

  - When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab
    to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
    (CVE-2023-25742)

  - A lack of in-app notification for entering fullscreen mode could have led to a malicious website spoofing
    browser chrome. *This bug only affects Firefox Focus. Other versions of Firefox are unaffected.* This
    vulnerability affects Firefox < 110 and Firefox ESR < 102.8. (CVE-2023-25743)

  - Memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. (CVE-2023-25744)

  - Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption
    and we presume that with enough effort some of these could have been exploited to run arbitrary code. This
    vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8. (CVE-2023-25746)

  - Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be
    overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects
    Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-25751)

  - When accessing throttled streams, the count of available bytes needed to be checked in the calling
    function to be within bounds. This may have led future code to be incorrect and vulnerable. This
    vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-25752)

  - While implementing AudioWorklets, some code may have cast one type to another, invalid, dynamic type.
    This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox
    ESR < 102.9, and Thunderbird < 102.9. (CVE-2023-28162)

  - Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user
    confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and
    Thunderbird < 102.9. (CVE-2023-28164)

  - Memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
    (CVE-2023-28176)

  - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0
    events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from
    functioning properly, potentially impacting the consumer's ability to process data safely. Note that the
    matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to
    the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The
    issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known
    workarounds for this vulnerability. (CVE-2023-28427)

  - A website could have obscured the fullscreen notification by using a combination of
    `window.open`, fullscreen requests, `window.name` assignments, and
    `setInterval` calls. This could have led to user confusion and possible spoofing attacks. This
    vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <
    112, and Thunderbird < 102.10. (CVE-2023-29533)

  - Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly
    traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects
    Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <
    102.10. (CVE-2023-29535)

  - An attacker could cause the memory manager to incorrectly free a pointer that addresses
    attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This
    vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <
    112, and Thunderbird < 102.10. (CVE-2023-29536)

  - When handling the filename directive in the Content-Disposition header, the filename would be truncated if
    the filename contained a NULL character. This could have led to reflected file download attacks
    potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android
    < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29539)

  - Firefox did not properly handle downloads of files ending in `.desktop`, which can be
    interpreted to run attacker-controlled commands. *This bug only affects Firefox for Linux on certain
    Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected
    Linux Distributions.* This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR <
    102.10, Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29541)

  - A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This
    vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android <
    112, and Thunderbird < 102.10. (CVE-2023-29548)

  - Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10,
    Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29550)

  - In multiple cases browser prompts could have been obscured by popups controlled by content. These could
    have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113,
    Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32205)

  - An out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects
    Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32206)

  - A missing delay in popup notifications could have made it possible for an attacker to trick a user into
    granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird <
    102.11. (CVE-2023-32207)

  - A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox <
    113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32211)

  - An attacker could have positioned a `datalist` element to obscure the address bar. This
    vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32212)

  - When reading a file, an uninitialized value could have been used as read limit. This vulnerability affects
    Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. (CVE-2023-32213)

  - Memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort some of these could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
    (CVE-2023-32215)

  - The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to
    protect prompts and permission dialogs from attacks that exploit human response time delays. If a
    malicious page elicited user clicks in precise locations immediately before navigating to a site with a
    certificate error and made the renderer extremely busy at the same time, it could create a gap between
    when the error page was loaded and when the display actually refreshed. With the right timing the elicited
    clicks could land in that gap and activate the button that overrides the certificate error for that site.
    This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. (CVE-2023-34414)

  - Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and
    Thunderbird < 102.12. (CVE-2023-34416)

  - An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.
    This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37201)

  - Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to
    be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115,
    Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37202)

  - A website could have obscured the fullscreen notification by using a URL with a scheme handled by an
    external program, such as a mailto URL. This could have led to user confusion and possible spoofing
    attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
    (CVE-2023-37207)

  - When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code.
    This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37208)

  - Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and
    Thunderbird < 102.13. (CVE-2023-37211)

  - Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image
    data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116,
    Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4045)

  - In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This
    resulted in incorrect compilation and a potentially exploitable crash in the content process. This
    vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4046)

  - A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user
    into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR
    < 115.1. (CVE-2023-4047)

  - An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low
    memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR <
    115.1. (CVE-2023-4048)

  - Race conditions in reference counting code were found through code inspection. These could have resulted
    in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116,
    Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4049)

  - In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This
    resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability
    affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4050)

  - A website could have obscured the full screen notification by using the file open dialog. This could have
    led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR
    < 115.2, and Thunderbird < 115.2. (CVE-2023-4051)

  - A website could have obscured the full screen notification by using a URL with a scheme handled by an
    external program, such as a mailto URL. This could have led to user confusion and possible spoofing
    attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4053)

  - When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the
    host was no longer consistent with expected cookie jar state. This could have caused requests to be sent
    with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR
    < 115.1. (CVE-2023-4055)

  - Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and
    Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with
    enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects
    Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4056)

  - Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and
    Thunderbird < 115.1. (CVE-2023-4057)

  - When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could
    have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox <
    117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4573)

  - When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks
    could have been created at a time and eventually all simultaneously destroyed as soon as one of the
    callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This
    vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and
    Thunderbird < 115.2. (CVE-2023-4574)

  - When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could
    have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks
    finished. This could have led to a use-after-free causing a potentially exploitable crash. This
    vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and
    Thunderbird < 115.2. (CVE-2023-4575)

  - When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage
    collected prior to entering the function, which could potentially have led to an exploitable crash. This
    vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. (CVE-2023-4577)

  - When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling
    `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is
    available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax
    Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
    (CVE-2023-4578)

  - Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing
    the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and
    Thunderbird < 115.2. (CVE-2023-4580)

  - Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed
    them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox <
    117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4581)

  - When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not
    available then it was assumed to have already been discarded which was not always the case for private
    channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR <
    115.2, and Thunderbird < 115.2. (CVE-2023-4583)

  - Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and
    Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough
    effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox <
    117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
    (CVE-2023-4584)

  - Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and
    Thunderbird < 115.2. (CVE-2023-4585)

  - The signature of a digitally signed S/MIME email message may optionally specify the signature creation
    date and time. If present, Thunderbird did not compare the signature creation date with the message date
    and time, and displayed a valid signature despite a date or time mismatch. This could be used to give
    recipients the impression that a message was sent at a different date or time. This vulnerability affects
    Thunderbird < 115.6. (CVE-2023-50761)

  - When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text
    was never shown to the user. This is because the text was interpreted as a MIME message and the first
    paragraph was always treated as an email header section. A digitally signed text from a different context,
    such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects
    Thunderbird < 115.6. (CVE-2023-50762)

  - A compromised content process could have provided malicious data in a `PathRecording` resulting in an
    out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability
    affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. (CVE-2023-5169)

  - During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing
    an attacker to write two NUL bytes, and cause a potentially exploitable crash. This vulnerability affects
    Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. (CVE-2023-5171)

  - Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and
    Thunderbird < 115.3. (CVE-2023-5176)

  - It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by
    the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR <
    115.4, and Thunderbird < 115.4.1. (CVE-2023-5721)

  - Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led
    to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
    (CVE-2023-5724)

  - A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be
    leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4,
    and Thunderbird < 115.4.1. (CVE-2023-5725)

  - During garbage collection extra operations were performed on an object that should not be. This could have
    led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and
    Thunderbird < 115.4.1. (CVE-2023-5728)

  - Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and
    Thunderbird < 115.4.1. (CVE-2023-5730)

  - An attacker could have created a malicious link using bidirectional characters to spoof the location in
    the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and
    Thunderbird < 115.4.1. (CVE-2023-5732)

  - On some systems, depending on the graphics settings and drivers, it was possible to force an out-of-bounds
    read and leak memory data into the images created on the canvas element. This vulnerability affects
    Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6204)

  - It was possible to cause the use of a MessagePort after it had already been freed, which could potentially
    have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and
    Thunderbird < 115.5. (CVE-2023-6205)

  - The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on
    permission prompts. It was possible to use this fact to surprise users by luring them to click where the
    permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR <
    115.5.0, and Thunderbird < 115.5. (CVE-2023-6206)

  - Ownership mismanagement led to a use-after-free in ReadableByteStreams. This vulnerability affects Firefox
    < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. (CVE-2023-6207)

  - When using X11, text selected by the page using the Selection API was erroneously copied into the primary
    selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other
    systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird
    < 115.5. (CVE-2023-6208)

  - Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal /../ part in the
    path could be used to override the specified host. This could contribute to security problems in web
    sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
    (CVE-2023-6209)

  - Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and
    Thunderbird < 115.5. (CVE-2023-6212)

  - The WebGL `DrawElementsInstanced` method was susceptible to a heap buffer overflow when used on systems
    with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox
    escape. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.
    (CVE-2023-6856)

  - When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller
    than necessary. *This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS).
    Windows is unaffected.* This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox <
    121. (CVE-2023-6857)

  - Firefox was susceptible to a heap buffer overflow in `nsTextFragment` due to insufficient OOM handling.
    This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6858)

  - A use-after-free condition affected TLS socket creation when under memory pressure. This vulnerability
    affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6859)

  - The `VideoBridge` allowed any content process to use textures produced by remote decoders. This could be
    abused to escape the sandbox. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and
    Firefox < 121. (CVE-2023-6860)

  - The `nsWindow::PickerOpen(void)` method was susceptible to a heap buffer overflow when running in headless
    mode. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.
    (CVE-2023-6861)

  - A use-after-free was identified in the `nsDNSService::Init`. This issue appears to manifest rarely during
    start-up. This vulnerability affects Firefox ESR < 115.6 and Thunderbird < 115.6. (CVE-2023-6862)

  - The `ShutdownObserver()` was susceptible to potentially undefined behavior due to its reliance on a
    dynamic type that lacked a virtual destructor. This vulnerability affects Firefox ESR < 115.6, Thunderbird
    < 115.6, and Firefox < 121. (CVE-2023-6863)

  - Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and
    Firefox < 121. (CVE-2023-6864)

  - `EncryptingOutputStream` was susceptible to exposing uninitialized data. This issue could only be abused
    in order to write data to a local disk which may have implications for private browsing mode. This
    vulnerability affects Firefox ESR < 115.6 and Firefox < 121. (CVE-2023-6865)

  - The timing of a button click causing a popup to disappear was approximately the same length as the
    anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring
    them to click where the permission grant button would be about to appear. This vulnerability affects
    Firefox ESR < 115.6 and Firefox < 121. (CVE-2023-6867)

  - An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially
    exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
    (CVE-2024-0741)

  - It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by
    the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects
    Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0742)

  - An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This
    vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-0743)

  - A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability
    affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0746)

  - When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy
    could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox
    ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0747)

  - A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin
    in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7. (CVE-2024-0749)

  - A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user
    into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird
    < 115.7. (CVE-2024-0750)

  - A malicious devtools extension could have been used to escalate privileges. This vulnerability affects
    Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0751)

  - In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability
    affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. (CVE-2024-0753)

  - Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and
    Thunderbird < 115.7. (CVE-2024-0755)

  - When storing and re-accessing data on a networking channel, the length of buffers may have been confused,
    resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8,
    and Thunderbird < 115.8. (CVE-2024-1546)

  - Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed
    on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123,
    Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1547)

  - A website could have obscured the fullscreen notification by using a dropdown select input element. This
    could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123,
    Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1548)

  - If a website set a large custom cursor, portions of the cursor could have overlapped with the permission
    dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability
    affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1549)

  - A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to
    cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and
    inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123,
    Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1550)

  - Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker
    could control the Content-Type response header, as well as control part of the response body, they could
    inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects
    Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1551)

  - Incorrect code generation could have led to unexpected numeric conversions and potential undefined
    behavior. *Note:* This issue only affects 32-bit ARM devices. This vulnerability affects Firefox < 123,
    Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1552)

  - Memory safety bugs present in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and
    Thunderbird < 115.8. (CVE-2024-1553)

  - The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary
    other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email
    message, the user might accidentally leak the confidential subject to a third party. While this update
    fixes the bug and avoids future message contamination, it does not automatically repair existing
    contaminations. Users are advised to use the repair folder functionality, which is available from the
    context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects
    Thunderbird < 115.8.1. (CVE-2024-1936)

  - Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:*
    This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability
    affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2607)

  - `AppendEncodedAttributeValue()`, `ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could
    have experienced integer overflows, causing underallocation of an output buffer leading to an out of
    bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
    (CVE-2024-2608)

  - The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable
    to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and
    Thunderbird < 115.10. (CVE-2024-2609)

  - Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass
    strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and
    Thunderbird < 115.9. (CVE-2024-2610)

  - A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into
    granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird <
    115.9. (CVE-2024-2611)

  - If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered
    a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124,
    Firefox ESR < 115.9, and Thunderbird < 115.9. (CVE-2024-2612)

  - Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs
    showed evidence of memory corruption and we presume that with enough effort some of these could have been
    exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and
    Thunderbird < 115.9. (CVE-2024-2614)

  - To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead
    of attempt to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9.
    (CVE-2024-2616)

  - An attacker was able to inject an event handler into a privileged object that would allow arbitrary
    JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does
    not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR <
    115.9.1. (CVE-2024-29944)

  - There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could
    abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125,
    Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3302)

  - GetBoundName could return the wrong version of an object when JIT optimizations were applied. This
    vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. (CVE-2024-3852)

  - In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-
    bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
    (CVE-2024-3854)

  - The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free
    crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and
    Thunderbird < 115.10. (CVE-2024-3857)

  - On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could
    be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10,
    and Thunderbird < 115.10. (CVE-2024-3859)

  - If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect
    reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10,
    and Thunderbird < 115.10. (CVE-2024-3861)

  - Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed
    evidence of memory corruption and we presume that with enough effort this could have been exploited to run
    arbitrary code. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
    (CVE-2024-3864)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-26970");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-4140");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvorbis");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss-softokn");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:thunderbird");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xulrunner");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'firefox', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'firefox', 'cves':['CVE-2020-6823', 'CVE-2020-6824', 'CVE-2020-16044', 'CVE-2020-26971', 'CVE-2020-26973', 'CVE-2020-26974', 'CVE-2020-26976', 'CVE-2020-26978', 'CVE-2020-35111', 'CVE-2020-35113', 'CVE-2021-4127', 'CVE-2021-4129', 'CVE-2021-4140', 'CVE-2021-23953', 'CVE-2021-23954', 'CVE-2021-23960', 'CVE-2021-23961', 'CVE-2021-23964', 'CVE-2021-23968', 'CVE-2021-23969', 'CVE-2021-23973', 'CVE-2021-23978', 'CVE-2021-23981', 'CVE-2021-23982', 'CVE-2021-23984', 'CVE-2021-23987', 'CVE-2021-23994', 'CVE-2021-23995', 'CVE-2021-23998', 'CVE-2021-23999', 'CVE-2021-24002', 'CVE-2021-29945', 'CVE-2021-29946', 'CVE-2021-29964', 'CVE-2021-29967', 'CVE-2021-29970', 'CVE-2021-29976', 'CVE-2021-29980', 'CVE-2021-29984', 'CVE-2021-29985', 'CVE-2021-29986', 'CVE-2021-29988', 'CVE-2021-29989', 'CVE-2021-29991', 'CVE-2021-38493', 'CVE-2021-38496', 'CVE-2021-38497', 'CVE-2021-38498', 'CVE-2021-38500', 'CVE-2021-38501', 'CVE-2021-38503', 'CVE-2021-38504', 'CVE-2021-38505', 'CVE-2021-38506', 'CVE-2021-38507', 'CVE-2021-38508', 'CVE-2021-38509', 'CVE-2021-38510', 'CVE-2021-43534', 'CVE-2021-43535', 'CVE-2021-43536', 'CVE-2021-43537', 'CVE-2021-43538', 'CVE-2021-43539', 'CVE-2021-43541', 'CVE-2021-43542', 'CVE-2021-43543', 'CVE-2021-43545', 'CVE-2021-43546', 'CVE-2022-1097', 'CVE-2022-1196', 'CVE-2022-1529', 'CVE-2022-1802', 'CVE-2022-2200', 'CVE-2022-2505', 'CVE-2022-3266', 'CVE-2022-22737', 'CVE-2022-22738', 'CVE-2022-22739', 'CVE-2022-22740', 'CVE-2022-22741', 'CVE-2022-22742', 'CVE-2022-22743', 'CVE-2022-22745', 'CVE-2022-22747', 'CVE-2022-22748', 'CVE-2022-22751', 'CVE-2022-22754', 'CVE-2022-22756', 'CVE-2022-22759', 'CVE-2022-22760', 'CVE-2022-22761', 'CVE-2022-22763', 'CVE-2022-22764', 'CVE-2022-24713', 'CVE-2022-26381', 'CVE-2022-26383', 'CVE-2022-26384', 'CVE-2022-26386', 'CVE-2022-26387', 'CVE-2022-26486', 'CVE-2022-28281', 'CVE-2022-28282', 'CVE-2022-28285', 
'CVE-2022-28286', 'CVE-2022-28289', 'CVE-2022-29909', 'CVE-2022-29911', 'CVE-2022-29912', 'CVE-2022-29914', 'CVE-2022-29916', 'CVE-2022-29917', 'CVE-2022-31736', 'CVE-2022-31737', 'CVE-2022-31738', 'CVE-2022-31740', 'CVE-2022-31741', 'CVE-2022-31742', 'CVE-2022-31744', 'CVE-2022-31747', 'CVE-2022-34468', 'CVE-2022-34470', 'CVE-2022-34472', 'CVE-2022-34479', 'CVE-2022-34481', 'CVE-2022-34484', 'CVE-2022-36318', 'CVE-2022-36319', 'CVE-2022-38472', 'CVE-2022-38473', 'CVE-2022-38476', 'CVE-2022-38477', 'CVE-2022-38478', 'CVE-2022-40956', 'CVE-2022-40957', 'CVE-2022-40958', 'CVE-2022-40959', 'CVE-2022-40960', 'CVE-2022-40962', 'CVE-2022-42927', 'CVE-2022-42928', 'CVE-2022-42929', 'CVE-2022-42932', 'CVE-2022-45403', 'CVE-2022-45404', 'CVE-2022-45405', 'CVE-2022-45406', 'CVE-2022-45408', 'CVE-2022-45409', 'CVE-2022-45410', 'CVE-2022-45411', 'CVE-2022-45412', 'CVE-2022-45416', 'CVE-2022-45418', 'CVE-2022-45420', 'CVE-2022-45421', 'CVE-2022-46871', 'CVE-2022-46872', 'CVE-2022-46874', 'CVE-2022-46877', 'CVE-2022-46878', 'CVE-2022-46880', 'CVE-2022-46881', 'CVE-2022-46882', 'CVE-2023-1945', 'CVE-2023-1999', 'CVE-2023-4045', 'CVE-2023-4046', 'CVE-2023-4047', 'CVE-2023-4048', 'CVE-2023-4049', 'CVE-2023-4050', 'CVE-2023-4051', 'CVE-2023-4053', 'CVE-2023-4055', 'CVE-2023-4056', 'CVE-2023-4057', 'CVE-2023-4573', 'CVE-2023-4574', 'CVE-2023-4575', 'CVE-2023-4577', 'CVE-2023-4578', 'CVE-2023-4580', 'CVE-2023-4581', 'CVE-2023-4583', 'CVE-2023-4584', 'CVE-2023-4585', 'CVE-2023-5169', 'CVE-2023-5171', 'CVE-2023-5176', 'CVE-2023-5721', 'CVE-2023-5724', 'CVE-2023-5725', 'CVE-2023-5728', 'CVE-2023-5730', 'CVE-2023-5732', 'CVE-2023-6204', 'CVE-2023-6205', 'CVE-2023-6206', 'CVE-2023-6207', 'CVE-2023-6208', 'CVE-2023-6209', 'CVE-2023-6212', 'CVE-2023-6856', 'CVE-2023-6857', 'CVE-2023-6858', 'CVE-2023-6859', 'CVE-2023-6860', 'CVE-2023-6861', 'CVE-2023-6862', 'CVE-2023-6863', 'CVE-2023-6864', 'CVE-2023-6865', 'CVE-2023-6867', 'CVE-2023-23598', 'CVE-2023-23599', 'CVE-2023-23601', 
'CVE-2023-23602', 'CVE-2023-23603', 'CVE-2023-23605', 'CVE-2023-25728', 'CVE-2023-25729', 'CVE-2023-25730', 'CVE-2023-25732', 'CVE-2023-25735', 'CVE-2023-25737', 'CVE-2023-25739', 'CVE-2023-25742', 'CVE-2023-25743', 'CVE-2023-25744', 'CVE-2023-25746', 'CVE-2023-25751', 'CVE-2023-25752', 'CVE-2023-28162', 'CVE-2023-28164', 'CVE-2023-28176', 'CVE-2023-29533', 'CVE-2023-29535', 'CVE-2023-29536', 'CVE-2023-29539', 'CVE-2023-29541', 'CVE-2023-29548', 'CVE-2023-29550', 'CVE-2023-32205', 'CVE-2023-32206', 'CVE-2023-32207', 'CVE-2023-32211', 'CVE-2023-32212', 'CVE-2023-32213', 'CVE-2023-32215', 'CVE-2023-34414', 'CVE-2023-34416', 'CVE-2023-37201', 'CVE-2023-37202', 'CVE-2023-37207', 'CVE-2023-37208', 'CVE-2023-37211', 'CVE-2024-0741', 'CVE-2024-0742', 'CVE-2024-0743', 'CVE-2024-0746', 'CVE-2024-0747', 'CVE-2024-0749', 'CVE-2024-0750', 'CVE-2024-0751', 'CVE-2024-0753', 'CVE-2024-0755', 'CVE-2024-1546', 'CVE-2024-1547', 'CVE-2024-1548', 'CVE-2024-1549', 'CVE-2024-1550', 'CVE-2024-1551', 'CVE-2024-1552', 'CVE-2024-1553', 'CVE-2024-2607', 'CVE-2024-2608', 'CVE-2024-2609', 'CVE-2024-2610', 'CVE-2024-2611', 'CVE-2024-2612', 'CVE-2024-2614', 'CVE-2024-2616', 'CVE-2024-3302', 'CVE-2024-3852', 'CVE-2024-3854', 'CVE-2024-3857', 'CVE-2024-3859', 'CVE-2024-3861', 'CVE-2024-3864', 'CVE-2024-29944']},
      {'reference':'nss-softokn', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'nss-softokn', 'cves':['CVE-2017-7781']},
      {'reference':'thunderbird', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'thunderbird', 'cves':['CVE-2020-15685', 'CVE-2020-16044', 'CVE-2020-26970', 'CVE-2020-26971', 'CVE-2020-26973', 'CVE-2020-26974', 'CVE-2020-26976', 'CVE-2020-26978', 'CVE-2020-35111', 'CVE-2020-35113', 'CVE-2021-4127', 'CVE-2021-4129', 'CVE-2021-4140', 'CVE-2021-23953', 'CVE-2021-23954', 'CVE-2021-23960', 'CVE-2021-23961', 'CVE-2021-23964', 'CVE-2021-23968', 'CVE-2021-23969', 'CVE-2021-23973', 'CVE-2021-23978', 'CVE-2021-23981', 'CVE-2021-23982', 'CVE-2021-23984', 'CVE-2021-23987', 'CVE-2021-23991', 'CVE-2021-23992', 'CVE-2021-23993', 'CVE-2021-23994', 'CVE-2021-23995', 'CVE-2021-23998', 'CVE-2021-23999', 'CVE-2021-24002', 'CVE-2021-29945', 'CVE-2021-29946', 'CVE-2021-29948', 'CVE-2021-29949', 'CVE-2021-29950', 'CVE-2021-29956', 'CVE-2021-29957', 'CVE-2021-29964', 'CVE-2021-29967', 'CVE-2021-29969', 'CVE-2021-29970', 'CVE-2021-29976', 'CVE-2021-29980', 'CVE-2021-29984', 'CVE-2021-29985', 'CVE-2021-29986', 'CVE-2021-29988', 'CVE-2021-29989', 'CVE-2021-29991', 'CVE-2021-38493', 'CVE-2021-38496', 'CVE-2021-38497', 'CVE-2021-38498', 'CVE-2021-38500', 'CVE-2021-38501', 'CVE-2021-38502', 'CVE-2021-38503', 'CVE-2021-38504', 'CVE-2021-38506', 'CVE-2021-38507', 'CVE-2021-38508', 'CVE-2021-38509', 'CVE-2021-43528', 'CVE-2021-43534', 'CVE-2021-43535', 'CVE-2021-43536', 'CVE-2021-43537', 'CVE-2021-43538', 'CVE-2021-43539', 'CVE-2021-43541', 'CVE-2021-43542', 'CVE-2021-43543', 'CVE-2021-43545', 'CVE-2021-43546', 'CVE-2022-1097', 'CVE-2022-1196', 'CVE-2022-1197', 'CVE-2022-1520', 'CVE-2022-1529', 'CVE-2022-1802', 'CVE-2022-1834', 'CVE-2022-2200', 'CVE-2022-2226', 'CVE-2022-2505', 'CVE-2022-3032', 'CVE-2022-3033', 'CVE-2022-3034', 'CVE-2022-3266', 'CVE-2022-22737', 'CVE-2022-22738', 'CVE-2022-22739', 'CVE-2022-22740', 'CVE-2022-22741', 'CVE-2022-22742', 'CVE-2022-22743', 'CVE-2022-22745', 'CVE-2022-22747', 'CVE-2022-22748', 'CVE-2022-22751', 'CVE-2022-22754', 
'CVE-2022-22756', 'CVE-2022-22759', 'CVE-2022-22760', 'CVE-2022-22761', 'CVE-2022-22763', 'CVE-2022-22764', 'CVE-2022-24713', 'CVE-2022-26381', 'CVE-2022-26383', 'CVE-2022-26384', 'CVE-2022-26386', 'CVE-2022-26387', 'CVE-2022-26486', 'CVE-2022-28281', 'CVE-2022-28282', 'CVE-2022-28285', 'CVE-2022-28286', 'CVE-2022-28289', 'CVE-2022-29909', 'CVE-2022-29911', 'CVE-2022-29912', 'CVE-2022-29913', 'CVE-2022-29914', 'CVE-2022-29916', 'CVE-2022-29917', 'CVE-2022-31736', 'CVE-2022-31737', 'CVE-2022-31738', 'CVE-2022-31740', 'CVE-2022-31741', 'CVE-2022-31742', 'CVE-2022-31744', 'CVE-2022-31747', 'CVE-2022-34468', 'CVE-2022-34470', 'CVE-2022-34472', 'CVE-2022-34479', 'CVE-2022-34481', 'CVE-2022-34484', 'CVE-2022-36059', 'CVE-2022-36318', 'CVE-2022-36319', 'CVE-2022-38472', 'CVE-2022-38473', 'CVE-2022-38476', 'CVE-2022-38477', 'CVE-2022-38478', 'CVE-2022-39236', 'CVE-2022-39249', 'CVE-2022-39250', 'CVE-2022-39251', 'CVE-2022-40956', 'CVE-2022-40957', 'CVE-2022-40958', 'CVE-2022-40959', 'CVE-2022-40960', 'CVE-2022-40962', 'CVE-2022-42927', 'CVE-2022-42928', 'CVE-2022-42929', 'CVE-2022-42932', 'CVE-2022-45403', 'CVE-2022-45404', 'CVE-2022-45405', 'CVE-2022-45406', 'CVE-2022-45408', 'CVE-2022-45409', 'CVE-2022-45410', 'CVE-2022-45411', 'CVE-2022-45412', 'CVE-2022-45414', 'CVE-2022-45416', 'CVE-2022-45418', 'CVE-2022-45420', 'CVE-2022-45421', 'CVE-2022-46871', 'CVE-2022-46872', 'CVE-2022-46874', 'CVE-2022-46877', 'CVE-2022-46878', 'CVE-2022-46880', 'CVE-2022-46881', 'CVE-2022-46882', 'CVE-2023-0430', 'CVE-2023-0616', 'CVE-2023-1945', 'CVE-2023-1999', 'CVE-2023-4045', 'CVE-2023-4046', 'CVE-2023-4047', 'CVE-2023-4048', 'CVE-2023-4049', 'CVE-2023-4050', 'CVE-2023-4051', 'CVE-2023-4053', 'CVE-2023-4055', 'CVE-2023-4056', 'CVE-2023-4057', 'CVE-2023-4573', 'CVE-2023-4574', 'CVE-2023-4575', 'CVE-2023-4577', 'CVE-2023-4578', 'CVE-2023-4580', 'CVE-2023-4581', 'CVE-2023-4583', 'CVE-2023-4584', 'CVE-2023-4585', 'CVE-2023-5169', 'CVE-2023-5171', 'CVE-2023-5176', 'CVE-2023-5721', 
'CVE-2023-5724', 'CVE-2023-5725', 'CVE-2023-5728', 'CVE-2023-5730', 'CVE-2023-5732', 'CVE-2023-6204', 'CVE-2023-6205', 'CVE-2023-6206', 'CVE-2023-6207', 'CVE-2023-6208', 'CVE-2023-6209', 'CVE-2023-6212', 'CVE-2023-6856', 'CVE-2023-6857', 'CVE-2023-6858', 'CVE-2023-6859', 'CVE-2023-6860', 'CVE-2023-6861', 'CVE-2023-6862', 'CVE-2023-6863', 'CVE-2023-6864', 'CVE-2023-23598', 'CVE-2023-23599', 'CVE-2023-23601', 'CVE-2023-23602', 'CVE-2023-23603', 'CVE-2023-23605', 'CVE-2023-25728', 'CVE-2023-25729', 'CVE-2023-25730', 'CVE-2023-25732', 'CVE-2023-25735', 'CVE-2023-25737', 'CVE-2023-25739', 'CVE-2023-25742', 'CVE-2023-25743', 'CVE-2023-25744', 'CVE-2023-25746', 'CVE-2023-25751', 'CVE-2023-25752', 'CVE-2023-28162', 'CVE-2023-28164', 'CVE-2023-28176', 'CVE-2023-28427', 'CVE-2023-29533', 'CVE-2023-29535', 'CVE-2023-29536', 'CVE-2023-29539', 'CVE-2023-29541', 'CVE-2023-29548', 'CVE-2023-29550', 'CVE-2023-32205', 'CVE-2023-32206', 'CVE-2023-32207', 'CVE-2023-32211', 'CVE-2023-32212', 'CVE-2023-32213', 'CVE-2023-32215', 'CVE-2023-34414', 'CVE-2023-34416', 'CVE-2023-37201', 'CVE-2023-37202', 'CVE-2023-37207', 'CVE-2023-37208', 'CVE-2023-37211', 'CVE-2023-50761', 'CVE-2023-50762', 'CVE-2024-0741', 'CVE-2024-0742', 'CVE-2024-0743', 'CVE-2024-0746', 'CVE-2024-0747', 'CVE-2024-0749', 'CVE-2024-0750', 'CVE-2024-0751', 'CVE-2024-0753', 'CVE-2024-0755', 'CVE-2024-1546', 'CVE-2024-1547', 'CVE-2024-1548', 'CVE-2024-1549', 'CVE-2024-1550', 'CVE-2024-1551', 'CVE-2024-1552', 'CVE-2024-1553', 'CVE-2024-1936', 'CVE-2024-2607', 'CVE-2024-2608', 'CVE-2024-2609', 'CVE-2024-2610', 'CVE-2024-2611', 'CVE-2024-2612', 'CVE-2024-2614', 'CVE-2024-2616', 'CVE-2024-3302', 'CVE-2024-3852', 'CVE-2024-3854', 'CVE-2024-3857', 'CVE-2024-3859', 'CVE-2024-3861', 'CVE-2024-3864']},
      {'reference':'xulrunner', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'xulrunner', 'cves':['CVE-2018-5146']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firefox / nss-softokn / thunderbird / xulrunner');
}

Vendor  Product           Version      CPE
redhat  enterprise_linux  5            cpe:/o:redhat:enterprise_linux:5
redhat  enterprise_linux  6            cpe:/o:redhat:enterprise_linux:6
redhat  enterprise_linux  7            cpe:/o:redhat:enterprise_linux:7
redhat  enterprise_linux  8            cpe:/o:redhat:enterprise_linux:8
redhat  enterprise_linux  firefox      p-cpe:/a:redhat:enterprise_linux:firefox
redhat  enterprise_linux  libvorbis    p-cpe:/a:redhat:enterprise_linux:libvorbis
redhat  enterprise_linux  nss          p-cpe:/a:redhat:enterprise_linux:nss
redhat  enterprise_linux  nss-softokn  p-cpe:/a:redhat:enterprise_linux:nss-softokn
redhat  enterprise_linux  thunderbird  p-cpe:/a:redhat:enterprise_linux:thunderbird
redhat  enterprise_linux  xulrunner    p-cpe:/a:redhat:enterprise_linux:xulrunner

References