1573 matches found
nsXMLHttpRequest::NotifyEventListeners() same-origin violation — Mozilla
Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLHttpRequest::NotifyEventListeners could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...
XSS and JavaScript privilege escalation via session restore — Mozilla
Security researcher David Bloom reported that the browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state...
Heap overflow when canceling newsgroup message — Mozilla
Georgi Guninski reported a buffer overflow in the handling of cancelled newsgroup messages. The error was caused by too small a heap buffer being allocated to store message header information. This buffer could be overrun by an attacker using a specially crafted message which could crash the mail...
XSS through JavaScript same-origin violation — Mozilla
Mozilla contributor mozbugra4 submitted a set of vulnerabilities which allow scripts from one document to be executed in the context of a different document. These vulnerabilities could be used by an attacker to violate the same-origin policy and perform an XSS attack against arbitrary sites,...
Signed JAR tampering — Mozilla
Security researchers Collin Jackson and Adam Barth reported a series of vulnerabilities which allow JavaScript to be injected into the context of signed JARs and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privilege...
Multiple XSS vulnerabilities from character encoding — Mozilla
WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting XSS risks on sites which filtered input in accordance...
Crashes with evidence of memory corruption (rv:1.8.1.8) — Mozilla
As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run...
Privilege escallation using an event handler attached to an element not in the document — Mozilla
An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges...
XUL Popup Spoofing — Mozilla
Chris Thomas demonstrated that XUL popups opened by web content could be placed outside the boundaries of the content area. This could be used to spoof or hide parts of the browser chrome such as the location bar...
JavaScript new Function race condition — Mozilla
H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by...
PAC privilege escalation using Function.prototype.call — Mozilla
mozbugra4 reports that a malicious Proxy AutoConfig PAC server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a...
PLUGINSPAGE privileged JavaScript execution II — Mozilla
Paul Nickerson reports that the fix for MFSA 2005-34 can be bypassed using nested javascript: URLs, again allowing the attacker to execute privileged code. The attacker must first convince the user to first click on the missing-plugin icon in the page or the "Install Missing Plugins..." button in...
HTTP response smuggling — Mozilla
Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers...
Double-free on malformed VCard — Mozilla
Masatoshi Kimura reported a hang caused by a double-free in Thunderbird when processing a large VCard with invalid base64 characters in it. Since an attacker can supply an arbitrary amount of well-formed VCard data before introducing the error we presume this could be exploited to run code of the...
Deleted object reference when designMode="on" — Mozilla
Martijn Wargers and Nick Mott each described crashes that were discovered to ultimately stem from the same root cause: attempting to use a deleted controller context when designMode was turned on. This generally results in crashing the browser, but in theory references to deleted objects can be...
Mozilla Firefox Tag Order Vulnerability — Mozilla
A particular sequence of HTML tags that reliably crash Mozilla clients was reported by an anonymous researcher via TippingPoint and the Zero Day Initiative. The crash is due to memory corruption that can be exploited to run arbitrary code...
cross-site scripting through window.controllers — Mozilla
shutdown demonstrated how to use the window.controllers array to bypass same-origin protections, allowing a malicious site to inject script into content from another site. This could allow the malicious page to steal information such as cookies or passwords from the other site, or perform...
Integer overflows in E4X, SVG, and Canvas — Mozilla
Georgi Guninski reports integer overflows in the new E4X, SVG, and Canvas features. These lead to memory corruption that is potentially exploitable to run arbitrary code...
Security Vulnerabilities fixed in Thunderbird 115.14 — Mozilla
Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. Incomplete WebAssembly exception handing could have led to a use-after-free. Editor code failed to check an attribute value. This cou...
Security Vulnerabilities fixed in Thunderbird 128.1 — Mozilla
Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape....
Security Vulnerabilities fixed in Firefox ESR 115.13 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when...
Security Vulnerabilities fixed in Firefox for iOS 124 — Mozilla
Dragging Javascript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status...
JavaScript immutable property enforcement can be bypassed — Mozilla
Mozilla developer Jeff Walden reported that in Gecko's implementation of ECMAScript 5 API's enforces non-configurable properties with logic specific to each API. Scripts that do not go through these APIs can bypass these protections and make changes to the immutable properties in violation of...
Upper bound check bypass due to signed compare in SharedBufferManagerParent::RecvAllocateGrallocBuffer — Mozilla
Mozilla intern Julian Hector discovered a regression in the graphics buffer management of Firefox OS's graphics layer that would lead to graphics memory corruption by providing negative size parameters. JavaScript can not access the graphics layer in a way required to trigger this vulnerability,...
Cookie isolation error — Mozilla
Mozilla security researcher David Chan reported that cookies set for example.com. note the trailing dot and example.com were treated as interchangeable. This is a violation of same-origin conventions and could potentially lead to leakage of cookie data to the wrong party...
Same-origin bypass using canvas context — Mozilla
Mozilla developer Vladimir Vukicevic reported that a canvas element can be used to read data from another site, violating the same-origin policy. The read restriction placed on a canvas element which has had cross-origin data rendered into it can be bypassed by retaining a reference to the canvas...
Arbitrary code execution using SJOW and fast native function — Mozilla
Mozilla security researcher mozbugra4 reported that when content script which is running in a chrome context accesses a content object via SJOW, the content code can gain access to an object from the chrome scope and use that object to run arbitrary JavaScript with chrome privileges...
Content policy bypass with image preloading — Mozilla
Mozilla developer Josh Soref of Nokia reported that documents failed to call certain security checks when attempting to preload images. Although the image content is not available to the page, it is possible to specify protocols that are normally not allowed in a web page such as file:. This...
setTimeout loses XPCNativeWrappers — Mozilla
Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this ...
Incorrect principal set for file: resources loaded via location bar — Mozilla
Security researchers Adam Barth and Collin Jackson reported that when a file: resource is loaded via the location bar it inherits the principal of the previously loaded document. This vulnerability can potentially give the newly loaded document additional privileges to access the contents of othe...
Chrome privilege escalation via local .desktop files — Mozilla
Mozilla security researcher Georgi Guninski reported that the fix for an earlier vulnerability reported by Liu Die Yu using local internet shortcut files to access other sites MFSA 2008-47 could be bypassed by redirecting to a privileged about: URI such as about:plugins. If an attacker could get ...
Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Privilege escalation using feed preview page and XSS flaw — Mozilla
Mozilla security researcher mozbugra4 reported a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges...
Arbitrary file upload via originalTarget and DOM Range — Mozilla
Opera Software reported a vulnerability which allows malicious content to force the browser into uploading local files to the remote server. This could be used by an attacker to steal files from known locations on a victim's computer...
Multiple file input focus stealing vulnerabilities — Mozilla
Security researchers hong and Gregory Fleischer each reported a variant on earlier reported bugs regarding focus shifting in file input controls. Their variants used file input controls nested inside tags to take advantage of automatic focus shifting into the file input field noted on the Hacker...
Upgraded Thunderbird 1.5.0.13 missing fix for MFSA 2007-23 — Mozilla
Mozilla tester Stephen Donner reported that only users who installed Thunderbird 1.5.0.13 using the install package received the fix for MFSA 2007-23. Users who upgraded to Thunderbird 1.5.0.13 from an earlier version using the automatic update mechanism were not protected. If those users browsed...
Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2) — Mozilla
As part of the Firefox 2.0.0.2 and 1.5.0.10 update releases we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code...
JavaScript Regular Expression Heap Corruption — Mozilla
Priit Laes reported a crash due to a heap buffer overflow triggered by a JavaScript regular expression containing a minimal quantifier. We presume this could be exploited to run arbitrary code...
Javascript navigator Object Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up. If the page replaced the navigator object before starting Java then the browser would crash in a way that could...
Security Vulnerabilities fixed in Firefox for iOS 151.2 — Mozilla
Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. Firefox for iOS Reader Vi...
Security Vulnerabilities fixed in Firefox 138.0.4 — Mozilla
An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes...
Security Vulnerabilities fixed in Thunderbird 128.10.1 — Mozilla
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...
Security Vulnerabilities fixed in Thunderbird 138 — Mozilla
Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations...
Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 — Mozilla
Following the recent Chrome sandbox escape CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was...
Security Vulnerabilities fixed in Thunderbird 133 — Mozilla
Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. This bug only affected the application on Apple M series hardware. Other platforms were unaffected. Malicious websites may have been able...
Security Vulnerabilities fixed in Thunderbird 115.15 — Mozilla
A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried t...
Reading sensitive profile files through local HTML file on Android — Mozilla
Security researcher Jordi Chancel reported an issue in Firefox for Android where a locally saved HTML file could use file: URIs to trigger the download of additional files or opening of cached profile data without user awareness...
GC hazard with default compartments and frame chain restoration — Mozilla
Security researcher Nils reported a potentially exploitable use-after-free in an early test version of Firefox 25. Mozilla developer Bobby Holley found that the cause was an older garbage collection bug that a more recent change made easier to trigger...
Escalation of privilege through Java Embedding Plugin — Mozilla
David Remahl of Apple Product Security reported that the Java Embedding Plugin JEP shipped with the Mac OS X versions of Firefox could be exploited to obtain elevated access to resources on a user's system...
Browser chrome defacement via cached XUL stylesheets — Mozilla
Mozilla developer Wladimir Palant reported that stylesheets used in remote XUL documents can wind up in the XUL cache where it can later be accessed by browser chrome for use in styling the user interface. A malicious website could use this issue to pollute a user's XUL cache and change style...