Security Vulnerabilities fixed in Thunderbird 78.14 — Mozilla

When delegating navigations to the operating system, Thunderbird would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. Mozilla...

Security Vulnerabilities fixed in Thunderbird 91.12 — Mozilla

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. When visiting directory listings for chrome:// URLs as source text, some parameters were reflected...

Security Vulnerabilities fixed in Thunderbird 78.10.1 — Mozilla

The Maintenance Service granted SERVICESTART access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating if an attacker spammed the 'Stop' command; but also exposed atta...

Security Vulnerabilities fixed in Firefox 95 — Mozilla

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. By misusing a race in our...

Security Vulnerabilities fixed in Thunderbird 102.3 — Mozilla

An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. Concurrent use of t...

Security Vulnerabilities fixed in Firefox 72 — Mozilla

During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. Note: this issue only occurs on Windows. Other operating systems are unaffected. When pasting a Due to a missing case...

Security Vulnerabilities fixed in Firefox 87 — Mozilla

A transient execution vulnerability, named Floating Point Value Injection FPVI allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. A related vulnerability, Speculative Code Store Bypass SCSB, did not affect Firefox. A texture upload of a...

Security Vulnerabilities fixed in Thunderbird 102.7 — Mozilla

An out of date library libusrsctp contained vulnerabilities that could potentially be exploited. Due to the Thunderbird GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call...

Security Vulnerabilities fixed in Thunderbird 78.13 — Mozilla

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. Thunderbird incorrectly treated an inline list-item element as a block element, resulti...

Security Vulnerabilities fixed in Firefox ESR 78.10 — Mozilla

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary cod...

Security Vulnerabilities fixed in Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2 — Mozilla

In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition...

Security Vulnerabilities fixed in Firefox 114 — Mozilla

The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a sit...

Security Vulnerabilities fixed in Thunderbird 78.11 — Mozilla

A locally-installed hostile program could send WMCOPYDATA messages that Thunderbird would processing incorrectly, leading to an out-of-bounds read. This bug only affects Thunderbird on Windows. Other operating systems are unaffected. Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru...

Security Vulnerabilities fixed in Thunderbird 102.5 — Mozilla

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. Through a series of popup and window.print calls, an...

Security Vulnerabilities fixed in Thunderbird 102.6 — Mozilla

A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.This bug only affects Thunderbird for Linux...

Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 — Mozilla

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. This bug only affects Thunderbird for Linux. Other operating systems are unaffected. Session history navigations m...

Security Vulnerabilities fixed in Thunderbird 91.8 — Mozilla

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the...

Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1 — Mozilla

Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of...

Security Vulnerabilities fixed in Firefox 85 — Mozilla

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a...

Security Vulnerabilities fixed in Thunderbird 102.1 — Mozilla

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. When visiting directory listings for chrome:// URLs as source text, some parameters were reflected. When opening a Windows shortcut from the local filesystem, an...

Security Vulnerabilities fixed in Thunderbird 78.9 — Mozilla

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. An out of date graphics library Angle likely contained vulnerabilities that could...

Security Vulnerabilities fixed in Thunderbird 102.11 — Mozilla

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. An out-of-bound read could have led to a crash in the RLBox Expat driver. A missing delay in popup notifications could have made it...

Security vulnerabilities fixed in - Thunderbird 60.9 — Mozilla

Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. Some...

Security vulnerabilities fixed in Firefox 66 — Mozilla

A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash. The type inference system allows the compilation of functions that can cause typ...

Security Vulnerabilities fixed in Firefox 115 — Mozilla

When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission. An attacker could have triggered a use-after-free...

Security Vulnerabilities fixed in Firefox 83 — Mozilla

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. Incorrect bookkeepi...

Security Vulnerabilities fixed in Firefox 110 — Mozilla

The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode...

Security Vulnerabilities fixed in Thunderbird 102.4 — Mozilla

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries. Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption...

Security Vulnerabilities fixed in Thunderbird 91.13 — Mozilla

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. A cross-origin iframe referencing an XSLT documen...

Security Vulnerabilities fixed in Thunderbird 102.9 — Mozilla

Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website...

Security Vulnerabilities fixed in Thunderbird 78.9.1 — Mozilla

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might...

Security Vulnerabilities fixed in Thunderbird 78.6 — Mozilla

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. Certain input to the CSS Sanitizer confused it,...

Security Vulnerabilities fixed in Firefox 84 — Mozilla

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. The lifecycle of IPC Actors allows managed actors t...

Security vulnerabilities fixed in Thunderbird 60.7.1 — Mozilla

A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parsergetnextchar when processing certain email messages, resulting in a potentially exploitable crash. A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemorystrdupanddequote when...

Security Vulnerabilities fixed in Thunderbird 91.10 — Mozilla

A malicious website could have learned the size of a cross-origin resource that supported Range requests. A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. When exiting fullscreen mode, an iframe could have...

Security vulnerabilities fixed in Firefox ESR 60.6 — Mozilla

A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash. The type inference system allows the compilation of functions that can cause typ...

Security Vulnerabilities fixed in Thunderbird 78.5 — Mozilla

A parsing and event loading mismatch in Thunderbird's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. When drawing a...

Security Vulnerabilities fixed in Firefox 121 — Mozilla

The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape. Multiple NSS NIST curves were susceptible to a side-channel attack known as...

Security Vulnerabilities fixed in Firefox 106 — Mozilla

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries. Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption...

Security vulnerabilities fixed in Firefox 68 — Mozilla

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. When an inner window is reused, it does not consider the use of document.domain for cross-origin...

Security Vulnerabilities fixed in Firefox 120 — Mozilla

On some systems—depending on the graphics settings and drivers—it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to ...

Security vulnerabilities fixed in Firefox ESR 60.8 — Mozilla

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. When an inner window is reused, it does not consider the use of document.domain for cross-origin...

Security vulnerabilities fixed in Firefox ESR 60.7 — Mozilla

If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main...

Security vulnerabilities fixed in Firefox 67 — Mozilla

If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main...

Security Vulnerabilities fixed in Firefox ESR 78.7 — Mozilla

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a...

Security vulnerabilities fixed in - Firefox 70 — Mozilla

Incorrect derivation of a packet length in WebRTC caused heap corruption via a crafted video file. This resulted in a potentially exploitable crash. In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to...

Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1 — Mozilla

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw...

Security Vulnerabilities fixed in Thunderbird 78.10.2 — Mozilla

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version...

Security Vulnerabilities fixed in Firefox ESR 68.4 — Mozilla

During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. Note: this issue only occurs on Windows. Other operating systems are unaffected. When pasting a Due to a missing case...

Security vulnerabilities fixed in Thunderbird 60.7 — Mozilla

If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main...