Security Vulnerabilities fixed in Firefox 122 — Mozilla

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after...

Security vulnerabilities fixed in Firefox 67.0.2 — Mozilla

A hyperlink using protocols associated with Internet Explorer, such as IE.HTTP:, can be used to open local files at a known location with Internet Explorer if a user approves execution when prompted. Note: this issue only occurs on Windows. Other operating systems are unaffected...

Security Vulnerabilities fixed in Thunderbird 102.2.1 — Mozilla

If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. I...

Security Vulnerabilities fixed in Thunderbird 91.9 — Mozilla

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A...

Security Vulnerabilities fixed in Thunderbird 102.2 — Mozilla

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. A cross-origin iframe referencing an XSLT documen...

Security Vulnerabilities fixed in Thunderbird 115.5 — Mozilla

On some systems—depending on the graphics settings and drivers—it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to ...

Security Vulnerabilities fixed in Thunderbird 102.8 — Mozilla

If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this...

Security vulnerabilities fixed in Firefox 66.0.1 — Mozilla

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. Incorrect handling of proto mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write...

Security Vulnerabilities fixed in Thunderbird 78.12 — Mozilla

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for...

Security Vulnerabilities fixed in Thunderbird 102.5.1 — Mozilla

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block...

Security Vulnerabilities fixed in Firefox for iOS 26 — Mozilla

For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files...

Security vulnerabilities fixed in Firefox 69 — Mozilla

Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. Note: this issue...

Security Vulnerabilities fixed in Thunderbird 102.10 — Mozilla

An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash.This bug only affects Thunderbird for macOS. Other operating systems are unaffected. A local attacker can trick the Mozilla Maintenance Service into...

Security Vulnerabilities fixed in Thunderbird 102.7.1 — Mozilla

Certificate OCSP revocation status was not checked when verifying S/Mime signatures. Mail signed with a revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to 102.7.0 were affected by this bug...

Security Vulnerabilities fixed in Firefox 107 — Mozilla

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. Through a series of popup and window.print calls, an...

Security Vulnerabilities fixed in Firefox 78.0.2 — Mozilla

Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header...

Security Vulnerabilities fixed in Thunderbird 115.6 — Mozilla

When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a...

Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1 — Mozilla

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw...

Security Vulnerabilities fixed in Firefox 75 — Mozilla

When reading from areas partially or fully outside the source resource with WebGL's copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. On 32-bit builds, an out of bounds write...

Security vulnerabilities fixed in Firefox ESR 68.1 — Mozilla

Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. Note: this issue...

Security Vulnerabilities fixed in Thunderbird 91.2 — Mozilla

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication...

Security Vulnerabilities fixed in Firefox ESR 78.5 — Mozilla

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. When drawing a...

Security Vulnerabilities fixed in Thunderbird 115.8.1 — Mozilla

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. Whil...

Security Vulnerabilities fixed in Firefox 117 — Mozilla

When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been create...

Security Vulnerabilities fixed in Firefox 125 — Mozilla

GetBoundName could return the wrong version of an object when JIT optimizations were applied. Memory corruption in the networking stack could have led to a potentially exploitable crash. A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage...

Security Vulnerabilities fixed in Firefox 109 — Mozilla

A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. Due to the Firefox GTK wrapper...

Security Vulnerabilities fixed in Firefox 123 — Mozilla

When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website with the victim...

Security Vulnerabilities fixed in Thunderbird 68.5 — Mozilla

When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location. If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stor...

Security vulnerabilities fixed in Thunderbird 60.6.1 — Mozilla

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. Incorrect handling of proto mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write...

Security Vulnerabilities fixed in Thunderbird 78.7 — Mozilla

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a...

Security vulnerabilities fixed in Firefox ESR 60.9 — Mozilla

A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. Some HTML elements, such as and , can contain literal angle brackets without treating them as markup. It is possible to pass a liter...

Security vulnerabilities fixed in Firefox 49.0.2 — Mozilla

A potentially exploitable use-after-free crash during actor destruction with service workers. This issue does not affect releases earlier than Firefox 49. A Cliqz.com developer demonstrated that web content could access information in the HTTP cache if e10s is disabled. This can reveal some visit...

Security Vulnerabilities fixed in Firefox 126 — Mozilla

Multiple WebRTC threads could have claimed a newly connected audio input leading to use-after-free. A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. Web application manifests were stored by using an insecure MD5 hash...

Security Vulnerabilities fixed in Thunderbird 115.3 — Mozilla

A compromised content process could have provided malicious data to FilterNodeD2D1 resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process.This bug only affects Firefox on Windows. Other operating systems are unaffected. A compromised content proces...

Security Vulnerabilities fixed in Firefox for Android 80 — Mozilla

By holding a reference to the eval function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious...

Security vulnerabilities fixed in Thunderbird 60.5 — Mozilla

A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. An earlier fix for an Inter-process Communication IPC vulnerability,...

Cross-origin restriction bypass using Fetch — Mozilla

Security researcher Abdulrahman Alqabandi reported that the fetch API did not correctly implement the Cross-Origin Resource Sharing CORS specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue...

Security Vulnerabilities fixed in Thunderbird 102.15 — Mozilla

When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been create...

Security Vulnerabilities fixed in Thunderbird 102.12 — Mozilla

The error page for sites with invalid TLS certificates was missing the activation-delay Thunderbird uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a...

Security vulnerabilities fixed in Firefox 67.0.4 and Firefox ESR 60.7.2 — Mozilla

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing...

Security vulnerabilities fixed in - Firefox ESR 68.2 — Mozilla

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XMLGetCurrentLineNumber or XMLGetCurrentColumnNumber then resulted in a heap-based buffer over-read. When following the value's prototype chain, it...

Security vulnerabilities fixed in Firefox 65.0.1 — Mozilla

A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. Cross-origin images can b...

Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus for Android 118.1.0, and Thunderbird 115.3.1. — Mozilla

Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild...

Security Vulnerabilities fixed in Firefox 116 — Mozilla

Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect...

Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 — Mozilla

Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. Note: This advisory was previously also tracked as CVE-2023-5129...

Stored passwords in 'Saved Logins' can be copied without master password entry — Mozilla

When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password ...

Security Vulnerabilities fixed in Firefox 77 — Mozilla

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. Mozilla Developer Iain Ireland...

Security Vulnerabilities fixed in Firefox 76 — Mozilla

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.Note: this issue only affects Firef...

sendBeacon requests lack an Origin header — Mozilla

Security researcher Muneaki Nishimura reported that navigator.sendBeacon does not follow the cross-origin resource sharing CORS specification. This results in the request from sendBeacon lacking an origin header in violation of the W3C Beacon specification and not being treated as a CORS request...

Security Vulnerabilities fixed in Firefox 108 — Mozilla

An out of date library libusrsctp contained vulnerabilities that could potentially be exploited. An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.This bug only affects Firefox for Linux. Other operati...