1573 matches found
Integer overflow, crash in libtheora video library — Mozilla
Security researcher Dan Kaminsky reported an integer overflow in the Theora video library. A video's dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting...
Form history vulnerable to stealing — Mozilla
Security researcher Paul Stone reported that a user's form history, both from web content as well as the smart location bar, was vulnerable to theft. A malicious web page could synthesize events such as mouse focus and key presses on behalf of the victim and trick the browser into auto-filling th...
Chrome privilege escalation in XPCVariant::VariantDataToJS() — Mozilla
Mozilla security researcher mozbugra4 reported that the XPCOM utility XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before returning them to chrome callers. This could result in chrome privileged code calling methods on an object which had previously been created or modified by web...
Cross-origin data theft through document.getSelection() — Mozilla
Security researcher Gregory Fleischer reported that text within a selection on a web page can be read by JavaScript in a different domain using the document.getSelection function, violating the same-origin policy. Since this vulnerability requires user interaction to exploit, its severity was...
URL spoofing with invalid unicode characters — Mozilla
Mozilla add-on developer Pavel Cvrcek reported that certain invalid unicode characters, when used as part of an IDN, are displayed as whitespace in the location bar. This whitespace could be used to force part of the URL out of view in the location bar. An attacker could use this vulnerability to...
Security Vulnerabilities fixed in Firefox 151 — Mozilla
Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed...
Security Vulnerabilities fixed in Thunderbird 128.10 — Mozilla
Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations...
Buffer overflow in Gamepad API — Mozilla
Security researcher Looben Yang reported a buffer overflow in Gamepad API when it is exercised with a gamepad device with non-contiguous axes. This can be either an actual physical device or by the installation of a virtual gamepad. This results in a potentially exploitable crash. The Gamepad API...
Non-whitelisted site can trigger xpinstall — Mozilla
Mozilla security researcher mozbugra4 reported that it was possible for a non-whitelisted site to trigger an install dialog for add-ons and themes...
Multiple location bar spoofing vulnerabilities — Mozilla
Google security researcher Michal Zalewski reported two methods for spoofing the contents of the location bar. The first method works by opening a new window containing a resource that responds with an HTTP 204 no content and then using the reference to the new window to insert HTML content into...
Crash with recursive web-worker calls — Mozilla
Security researcher Orlando Berrera of Sec Theory reported that recursive creation of JavaScript web-workers can be used to create a set of objects whose memory could be freed prior to their use. These conditions often result in a crash which could potentially be used by an attacker to run...
Data corruption with SOCKS5 reply containing DNS name longer than 15 characters — Mozilla
Andrej Andolsek reported that when Firefox receives a reply from a SOCKS5 proxy which contains a DNS name longer than 15 characters, the subsequent data stream in the response can become corrupted. There was no evidence of memory corruption, however, and the severity of the issue was determined t...
Crashes with evidence of memory corruption (rv:1.9.0.6) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Information stealing via local shortcut files — Mozilla
Security researcher Liu Die Yu of TopsecTianRongXin reported that locally saved .url shortcut files could be used to read information stored in the local cache. An attacker could use this vulnerability to steal information from a victim's browser cache if they were able to get the victim to...
XPCNativeWrapper pollution — Mozilla
Mozilla security researchers shutdown and mozbugra4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code...
Privilege escalation via non-DOM property overrides — Mozilla
Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41...
Security Vulnerabilities fixed in Firefox for iOS 151.0 — Mozilla
Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies...
Security Vulnerabilities fixed in Thunderbird 140.1 — Mozilla
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM brtable instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...
Security Vulnerabilities fixed in Firefox for Android 130.0.1 — Mozilla
Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to appear to have the same URL as the trusted site.This bug only affects Firefox fo...
Security Vulnerabilities fixed in Firefox ESR 128.1 — Mozilla
Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape....
Security Vulnerabilities fixed in Firefox ESR 115.4 — Mozilla
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. Drivers a...
Addressbar spoofing through stored data url shortcuts on Firefox for Android — Mozilla
Security researcher Muneaki Nishimura reported an issue with displayed URLs and bookmarks on Firefox for Android. If a data: URL is opened from a stored shortcut on the homescreen or from a BOOKMARK intent from another installed Android application, the addressbar continues to show the data: url...
Use-after-free error with nsDOMAttribute MutationObserver — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to a inconsistent state where the iterator points to an object it believes i...
Arbitrary code execution via Flash Player dynamic module unloading — Mozilla
An anonymous security researcher reported via TippingPoint's Zero Day Initiative that insufficient checks were being performed to test whether the Flash module was properly dynamically unloaded. The researcher demonstrated that a SWF file which dynamically unloads itself from an outside JavaScrip...
File location URL in directory listings not escaped properly — Mozilla
Mozilla contributor Masahiro Yamada reported that file URLs in directory listings were not being HTML escaped properly when the filenames contained particular characters. This resulted in files from directory listings being opened in unintended ways or files not being able to be opened by the...
Mail header processing heap overflows — Mozilla
Georgi Guninski reported that long Content-Type headers in external message bodies could cause a heap buffer overflow when processing mail headers. While working on that code David Bienvenu discovered a similar overflow could occur when processing long rfc2047-encoded headers...
Memory corruption with simultaneous events — Mozilla
Secunia Research has discovered a vulnerability in Mozilla Firefox 1.5 branch, which can be exploited by malicious people to compromise a user's system...
Remote compromise via content-defined setter on object prototypes — Mozilla
Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code, and mozbugra4 was able to develop an exploit PoC that demonstrated that the higher privilege level could be passed along to the content-defined attack code...
Spoofing with translucent windows — Mozilla
An interaction between XUL content windows and the new faster history mechanism in Firefox 1.5 caused those windows to become translucent. This could be used to construct spoofs that could trick users into interacting with browser UI they can't see. It's possible a clever game-type presentation...
Read beyond buffer while parsing XML — Mozilla
An upgrade in the XML parser introduced a bug that could read beyond the end of the buffer, often causing a crash. We don't know if this could be exploited to incorporate private data into the DOM of an XML document, but could be a privacy risk if so. Firefox 1.0, Thunderbird 1.0 and Mozilla Suit...
Opened attachments are temporarily saved world-readable — Mozilla
Mozilla software released after March 2004 saves some temporary files with world-readable permissions. In the browser this is primarily content fed to helper applications for example, PDF files, and in the mail clients it is attachments...
javascript: Livefeed bookmarks can steal cookies — Mozilla
Earlier versions of Firefox allowed javascript: and data: URLs as Livefeed bookmarks. When they updated the URL would be run in the context of the current page and could be used to steal cookies or data displayed on the page...
Security Vulnerabilities fixed in Firefox 135 — Mozilla
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. The fullscreen notification is prematurely hidden when...
Security Vulnerabilities fixed in Thunderbird 134 — Mozilla
The Matrix specification demands homeservers to perform validation of the server-name and media-id components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal...
Security Vulnerabilities fixed in Firefox ESR 128.2 — Mozilla
A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. Internal browser...
use after free in nsXBLDocumentInfo::ReadPrototypeBindings — Mozilla
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This...
Dangling pointer crash regression from plugin parameter array fix — Mozilla
Mozilla developer Daniel Holbert reported that the fix to the plugin parameter array crash that was fixed in Firefox 3.6.7 caused a crash showing signs of memory corruption. In certain circumstances, properties in the plugin instance's parameter array could be freed prematurely leaving a dangling...
Information stealing via loadBindingDocument — Mozilla
Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:...
User tracking via XUL persist attribute — Mozilla
Security researcher Hish reported that the persist attribute in XUL elements can be used to store cookie-like information on a user's computer which could later be read by a website. This creates a privacy issue for users who have a non-standard cookie preference and wish to prevent sites from...
XBM image uninitialized memory reading — Mozilla
Security researcher Billy Hoffman discovered a bug in the XBM decoder that allowed random small chunks of uninitialized memory to be read. The severity of this bug was low and did not appear to cause any memory corruption...
Javascript prompt origin spoofing — Mozilla
Alerts and prompts created by scripts in web pages are presented with the generic title JavaScript Application which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract...
Heap overrun handling malicious news: URL — Mozilla
Maurycy Prodeus of iSEC Security Research reports a heap overrun in processing certain news: URLs. Thunderbird and the Mozilla Suite are affected; Firefox does not support the news: scheme...
Security Vulnerabilities fixed in Firefox for iOS 151.1 — Mozilla
Firefox for iOS displayed specially crafted right-to-left RTL and internationalized domain names IDNs incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins...
Security Vulnerabilities fixed in Thunderbird 151 — Mozilla
Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs...
Security Vulnerabilities fixed in Firefox ESR 115.35 — Mozilla
Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Security Vulnerabilities fixed in Thunderbird 140 — Mozilla
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. Th...
Security Vulnerabilities fixed in Thunderbird 137 — Mozilla
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function. Leaking of file descriptors from the fork server to web content processes could allow for...
Security Vulnerabilities fixed in Firefox 132 — Mozilla
A permission leak could have occurred from a trusted site to an untrusted site via embed or object elements. An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. The origin of an external protocol handler prompt could have been...
Security Vulnerabilities fixed in Focus for iOS 130 — Mozilla
Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar...
Multiple Low Security Issues in Mozilla VPN — Mozilla
Multiple low security issues were discovered and fixed in a security audit of Mozilla VPN 2.x branch as part of a 3rd party security audit...