If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird <...
8.8CVSS
8.6AI Score
0.004EPSS
Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort...
8.8CVSS
8.9AI Score
0.002EPSS
Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox <...
6.5CVSS
6.5AI Score
0.001EPSS
Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these...
8.8CVSS
8.9AI Score
0.002EPSS
A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries(). This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird <...
8.1CVSS
7.5AI Score
0.001EPSS
Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird <...
8.8CVSS
8.3AI Score
0.001EPSS
If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < ...
8.8CVSS
8.5AI Score
0.001EPSS
SVG's <use> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligne...
8.8CVSS
8AI Score
0.002EPSS
Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox <...
6.1CVSS
6.9AI Score
0.001EPSS
Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been...
9.8CVSS
9.8AI Score
0.001EPSS
SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed. This vulnerability.....
6.1CVSS
5.4AI Score
0.001EPSS
Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox <...
3.3CVSS
5AI Score
0.0004EPSS
Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This...
8.8CVSS
8.9AI Score
0.002EPSS
Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and...
6.1CVSS
6.6AI Score
0.001EPSS
An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.This bug only affects Thunderbird for Linux. Other operating systems are unaffected.. This vulnerability affects Firefox < 108, Firefox ESR < 102.6...
8.6CVSS
8.5AI Score
0.001EPSS
Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been...
8.8CVSS
8.9AI Score
0.002EPSS
Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR <...
5.4CVSS
6AI Score
0.001EPSS
Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run...
8.8CVSS
8.9AI Score
0.002EPSS
When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird <...
4.3CVSS
5.5AI Score
0.001EPSS
A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox <...
8.8CVSS
8.2AI Score
0.002EPSS
When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.Note: This issue only affected Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox <...
6.1CVSS
5.6AI Score
0.001EPSS
An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox <...
6.1CVSS
7AI Score
0.001EPSS
Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR &l...
8.8CVSS
8.9AI Score
0.001EPSS
The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS <...
9.8CVSS
9.2AI Score
0.001EPSS
Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability....
8.8CVSS
9.3AI Score
0.002EPSS
After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR <...
6.5CVSS
7AI Score
0.001EPSS
When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR <...
5.5CVSS
5.5AI Score
0.001EPSS
Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird <...
6.5CVSS
6.8AI Score
0.001EPSS
Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird <...
8.8CVSS
8.7AI Score
0.001EPSS
The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.This bug only affects Thunderbird for Windows. Other operating systems are unaffected.. This vulnerability.....
8.8CVSS
8.5AI Score
0.001EPSS
By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox <...
8.8CVSS
8AI Score
0.002EPSS
When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR <...
8.8CVSS
8.1AI Score
0.001EPSS
When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.This bug only affects Firefox for Windows. Other operating systems are unaffected.. This.....
8.8CVSS
8.2AI Score
0.001EPSS
Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited...
9.8CVSS
9.7AI Score
0.002EPSS
Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these....
9.8CVSS
9.6AI Score
0.001EPSS
During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash.This issue only affects Firefox for Android. Other operating systems are not affected.. This vulnerability affects Firefox <...
6.5CVSS
6.2AI Score
0.001EPSS
When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox <...
4.3CVSS
4.1AI Score
0.001EPSS
When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox <...
6.1CVSS
5.5AI Score
0.001EPSS
An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. This vulnerability affects Thunderbird < 78.9 and Firefox ESR <...
9.8CVSS
9.2AI Score
0.001EPSS
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from...
8.8CVSS
8AI Score
0.002EPSS
The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox <...
7.5CVSS
6.6AI Score
0.001EPSS
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunder...
9.6CVSS
8.5AI Score
0.002EPSS
In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox <...
6.5CVSS
6.8AI Score
0.001EPSS
If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.This bug only affects Firefox for Windows in a non-default installation.....
7CVSS
6.3AI Score
0.0004EPSS
By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.This bug only affects Firefox for Windows and MacOS. Other operating.....
6.5CVSS
5.8AI Score
0.002EPSS
A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.This bug only affects Firefox on Windows. Other operating systems are unaffected.. This...
7.1CVSS
7.2AI Score
0.001EPSS
When clicking on a tel: link, USSD codes, specified after a * character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.This bug only affects...
8.8CVSS
7.9AI Score
0.002EPSS
An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox <...
5.5CVSS
5.8AI Score
0.001EPSS
Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated. This vulnerability affects Firefox <...
8.8CVSS
8AI Score
0.002EPSS
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox <...
6.1CVSS
6.2AI Score
0.001EPSS