1573 matches found
Mozilla Firefox XUL Linked Clones Double Free Vulnerability — Mozilla
An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the...
Local file stealing with SessionStore — Mozilla
Mozilla security researcher mozbugra4 reported that a form input control's type could be changed during the restoration of a closed tab. An attacker could set an input control's text value to the path of a local file whose location was known to the attacker. If the tab was then closed and the...
XSS vulnerabilities in SessionStore — Mozilla
Mozilla security researcher mozbugra4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains. An attacker could utilize these issues to violate the browser's same-origin...
Unauthorized access to wyciwyg:// documents — Mozilla
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached wyciwyg documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data...
XSS using addEventListener and setTimeout — Mozilla
Mozilla contributor mozbugra4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site...
XSS and local file access by opening blocked popupsand local file access by opening blocked popups — Mozilla
shutdown reported that if you could convince a user to open a blocked popup you could perform a cross-site scripting attack against any site that contains a frame whose source is a data: URL. To accomplish this the attacker's site would have to frame the target site plus another frame whose sourc...
RSS Feed-preview referrer leak — Mozilla
Jared Breland reported on LEGROOM.net that when the new "Feed Preview" feature in Firefox 2.0 retrieves the icons of the installed web-based feed viewers it is potentially informing those services of your feed-browsing habits by sending the URL of the feed in a referrer header with each icon...
RSA Signature Forgery (variant) — Mozilla
MFSA 2006-60 reported that RSA digital signatures with a low exponent typically 3 could be forged. This flaw was corrected in the Mozilla Network Security Services NSS library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients...
Popup-blocker cross-site scripting (XSS) — Mozilla
shutdown demonstrated that blocked popups opened from the status bar "blocked popups" icon were always opened in the context of the site listed in the Location address bar, even if the blocked popup were originally opened by a subframe loaded from another site. This allows the popup to perform a...
JavaScript execution in mail via XBL — Mozilla
Georgi Guninski demonstrated that even with JavaScript disabled in mail the default an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded by putting the script in a remote XBL file loaded by the message. The executed script could be used to alter or chan...
Crashes with evidence of memory corruption (rv:1.8.0.5) — Mozilla
As part of the Firefox 1.5.0.5 stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary co...
Web site XSS using BOM on UTF-8 pages — Mozilla
Masatoshi Kimura reports that the Unicode Byte-order-Mark BOM is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page. As a result the parser will see and process script tags that web input sanitizers may miss because they appear as "scrBOMipt" or similar...
"View Image" local resource linking (Windows) — Mozilla
Normally Mozilla-based clients prevent web content from linking to local files but Eric Foley reports a partial bypass of this restriction by using Windows filename syntax on a Windows computer rather than a file:/// URL as the SRC= attribute. The image will not be loaded on the web page--it will...
Privilege escalation using addSelectionListener — Mozilla
Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox ...
Window Injection Spoofing — Mozilla
A website can inject content into a popup opened by another site if the target name of the popup window is known. An attacker who knows you are going to visit that other site could spoof the contents of the popup...
Security Vulnerabilities fixed in Firefox for iOS 152.0 — Mozilla
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in...
Security Vulnerabilities fixed in Firefox 151.0.3 — Mozilla
CVE-2026-10701: Incorrect boundary conditions in the Graphics: Text component Reporter taiho kim Impact high References Bug 2038537 CVE-2026-10702: JIT miscompilation in the JavaScript Engine: JIT component Reporter Nebula Security Impact high References Bug 2040903...
Security Vulnerabilities fixed in Firefox 150 — Mozilla
Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9,...
Security Vulnerabilities fixed in Thunderbird 137.0.2 — Mozilla
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validate...
Security Vulnerabilities fixed in Firefox ESR 115.14 — Mozilla
Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. Incomplete WebAssembly exception handing could have led to a use-after-free. Editor code failed to check an attribute value. This cou...
Security Vulnerabilities fixed in Firefox for iOS 127 — Mozilla
In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bund...
Security Vulnerabilities fixed in Firefox for iOS 119 — Mozilla
When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting XSS attack...
Scriptable plugin execution in SeaMonkey mail — Mozilla
Security researcher Georgi Guninski reported that scriptable plugin content, such as Flash objects, could be loaded and executed in SeaMonkey mail messages by embedding the content in an iframe inside the message. If a user were to reply to or forward such a message, malicious JavaScript embedded...
Malicious search plugins can inject code into arbitrary sites — Mozilla
Security researcher Prateek Saxena reported that a malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perfo...
Arbitrary code execution via XUL tree element — Mozilla
Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed...
Faulty .properties file results in uninitialized memory being used — Mozilla
Mozilla developer Daniel Glazman demonstrated that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. This could potentially result in small chunks of data formerly used by other programs being exposed to the add-on code. If the localized string wer...
Signed JAR tampering — Mozilla
Security researchers Collin Jackson and Adam Barth reported a series of vulnerabilities which allow JavaScript to be injected into the context of signed JARs and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privilege...
URL token stealing via stylesheet redirect — Mozilla
Security researcher Martin Straka reported that Gecko-based browsers update the .href property of stylesheet DOM nodes to reflect the final URI of the stylesheet after following any 302 redirects much as the document.location property is updated. This differs from other browsers and could...
Referer-spoofing via window.location race condition — Mozilla
Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the window.location property. This could be used to conduct a Cross-site Request Forgery CSRF attack against websites that rely only on the Referer header as...
onUnload Tailgating — Mozilla
Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the...
Code execution via QuickTime Media-link files — Mozilla
On his blog Petko D. Petkov reported that QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier use of the -chrome option allowed a remot...
XUL Popup Spoofing — Mozilla
Chris Thomas demonstrated that XUL popups opened by web content could be placed outside the boundaries of the content area. This could be used to spoof or hide parts of the browser chrome such as the location bar...
Path Abuse in Cookies — Mozilla
Nicolas Derouet reported two problems with cookie handling in Mozilla clients. The first was that the cookie path parameter was not subject to any length checks, and this could be abused to cause the victim's browser to use excessive amounts of memory while it was running as well as waste the dis...
Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4) — Mozilla
As part of the Firefox 2.0.0.4 and 1.5.0.12 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could b...
JavaScript new Function race condition — Mozilla
H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by...
PAC privilege escalation using Function.prototype.call — Mozilla
mozbugra4 reports that a malicious Proxy AutoConfig PAC server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a...
Double-free on malformed VCard — Mozilla
Masatoshi Kimura reported a hang caused by a double-free in Thunderbird when processing a large VCard with invalid base64 characters in it. Since an attacker can supply an arbitrary amount of well-formed VCard data before introducing the error we presume this could be exploited to run code of the...
HTTP response smuggling — Mozilla
Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers...
Privilege escalation using a JavaScript function's cloned parent — Mozilla
shutdown discovered it was possible to use the Object.watch method to access an internal function object the "clone parent" which could then be used to run arbitrary JavaScript code with full permission. This could be used to install malware such as password sniffers or viruses...
Integer overflows in E4X, SVG, and Canvas — Mozilla
Georgi Guninski reports integer overflows in the new E4X, SVG, and Canvas features. These lead to memory corruption that is potentially exploitable to run arbitrary code...
Security Vulnerabilities fixed in Firefox ESR 115.21 — Mozilla
In resizeToAtLeast of SkRegion.cpp, there was a possible out of bounds write due to an integer overflow On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. It was possibl...
Security Vulnerabilities fixed in Thunderbird 128.2 — Mozilla
When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. A...
Security Vulnerabilities fixed in Firefox ESR 115.15 — Mozilla
A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried t...
Security Vulnerabilities fixed in Firefox for iOS 115 — Mozilla
The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. The session restore helper crashed whenever there was no parameter sent to the message handler...
Insecure Sharing of HTML/JS Files in Hubs Cloud Reticulum — Mozilla
Hubs Cloud allows users to download shared content, specifically HTML and JS, which could allow javascript execution in the Hub Cloud instance’s primary hosting domain...
Insecure Proxy Configuration in Hubs Cloud Reticulum — Mozilla
Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service...
Security Vulnerabilities fixed in Firefox for iOS 27 — Mozilla
IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode...
Remote HTML tag injection in Gaia System app — Mozilla
Security researcher Muneaki Nishimura reported an issue with Gaia's System app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such malicious link in the browser and then presses the HOME butto...
Upper bound check bypass due to signed compare in SharedBufferManagerParent::RecvAllocateGrallocBuffer — Mozilla
Mozilla intern Julian Hector discovered a regression in the graphics buffer management of Firefox OS's graphics layer that would lead to graphics memory corruption by providing negative size parameters. JavaScript can not access the graphics layer in a way required to trigger this vulnerability,...
Information stealing via form history — Mozilla
Security researcher Paul Stone reported that a Java applet could be used to mimic interaction with form autocomplete controls and steal entries from the form history...