
1568 matches found

Mozilla | added 2021/10/05 12:0 a.m. | 343 views

Security Vulnerabilities fixed in Firefox 93 — Mozilla

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. Through use of reportValidity and window.open, a plain-text validation message could have been overlaid on another origin, leading to...

CVSS 9.8 | AI score 8.9 | EPSS 0.01907
Exploits: 0 | References: 9 | Affected Software: 1

Mozilla | added 2021/10/05 12:0 a.m. | 47 views

Security Vulnerabilities fixed in Firefox ESR 78.15 — Mozilla

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and...

CVSS 8.8 | AI score 2.1 | EPSS 0.01593
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla | added 2021/09/07 12:0 a.m. | 216 views

Security Vulnerabilities fixed in Thunderbird 78.14 — Mozilla

When delegating navigations to the operating system, Thunderbird would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. Mozilla...

CVSS 8.8 | AI score 3.1 | EPSS 0.01205
Exploits: 1 | References: 2 | Affected Software: 1

Mozilla | added 2021/09/07 12:0 a.m. | 319 views

Security Vulnerabilities fixed in Firefox 92 — Mozilla

Firefox for Android allowed navigations through the intent:// protocol, which could be used to cause crashes and UI spoofs. This bug only affects Firefox for Android. Other operating systems are unaffected. Mixed-content checks were unable to analyze opaque origins which led to some mixed content...

CVSS 8.8 | AI score 7.8 | EPSS 0.01205
Exploits: 2 | References: 6 | Affected Software: 1

Mozilla | added 2021/09/07 12:0 a.m. | 59 views

Security Vulnerabilities fixed in Firefox ESR 78.14 — Mozilla

When delegating navigations to the operating system, Firefox would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Firefox for Windows. Other operating systems are unaffected. Mozilla developers...

CVSS 8.8 | AI score 3.1 | EPSS 0.01205
Exploits: 1 | References: 2 | Affected Software: 1

Mozilla | added 2021/09/07 12:0 a.m. | 34 views

Security Vulnerabilities fixed in Thunderbird 91.1 — Mozilla

When delegating navigations to the operating system, Thunderbird would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. Mozilla...

CVSS 8.8 | AI score 2.5 | EPSS 0.01118
Exploits: 1 | References: 2 | Affected Software: 1

Mozilla | added 2021/09/07 12:0 a.m. | 29 views

Security Vulnerabilities fixed in Firefox ESR 91.1 — Mozilla

When delegating navigations to the operating system, Firefox would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Firefox for Windows. Other operating systems are unaffected. Mozilla developers...

CVSS 8.8 | AI score 2.2 | EPSS 0.01118
Exploits: 1 | References: 2 | Affected Software: 1

Mozilla | added 2021/08/16 12:0 a.m. | 331 views

Security Vulnerabilities fixed in Firefox 91.0.1 and Thunderbird 91.0.1 — Mozilla

Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3...

CVSS 8.1 | AI score 8.3 | EPSS 0.00885
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla | added 2021/08/11 12:0 a.m. | 87 views

Security Vulnerabilities fixed in Thunderbird 91 — Mozilla

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. An issue present in lowering/register allocation could have led to obscure but...

CVSS 8.8 | AI score 1.3 | EPSS 0.01451
Exploits: 5 | References: 9 | Affected Software: 1

Mozilla | added 2021/08/10 12:0 a.m. | 203 views

Security Vulnerabilities fixed in Thunderbird 78.13 — Mozilla

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. Thunderbird incorrectly treated an inline list-item element as a block element, resulti...

CVSS 8.8 | AI score 1.7 | EPSS 0.01451
Exploits: 5 | References: 6 | Affected Software: 1

Mozilla | added 2021/08/10 12:0 a.m. | 243 views

Security Vulnerabilities fixed in Firefox 91 — Mozilla

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. An issue present in lowering/register allocation could have led to obscure but...

CVSS 8.8 | AI score 1.3 | EPSS 0.01406
Exploits: 4 | References: 11 | Affected Software: 1

Mozilla | added 2021/08/10 12:0 a.m. | 42 views

Security Vulnerabilities fixed in Firefox ESR 78.13 — Mozilla

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. Firefox incorrectly treated an inline list-item element as a block element, resulting i...

CVSS 8.8 | AI score 1.5 | EPSS 0.01451
Exploits: 5 | References: 6 | Affected Software: 1

Mozilla | added 2021/07/14 12:0 a.m. | 22 views

Multiple Low Security Issues in Mozilla VPN — Mozilla

Multiple low security issues were discovered and fixed in a security audit of Mozilla VPN 2.x branch as part of a 3rd party security audit...

CVSS 10 | AI score 2.2 | EPSS 0.0278
Exploits: 1 | References: 14 | Affected Software: 1

Mozilla | added 2021/07/14 12:0 a.m. | 25 views

Insecure Sharing of HTML/JS Files in Hubs Cloud Reticulum — Mozilla

Hubs Cloud allows users to download shared content, specifically HTML and JS, which could allow JavaScript execution in the Hub Cloud instance’s primary hosting domain...

CVSS 6.1 | AI score 1.9 | EPSS 0.00668
Exploits: 0 | References: 2

Mozilla | added 2021/07/13 12:0 a.m. | 293 views

Security Vulnerabilities fixed in Firefox 90 — Mozilla

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. This bug only affected Firefox when accessibility was enabled. If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespecti...

CVSS 9.8 | AI score 9 | EPSS 0.03582
Exploits: 3 | References: 9 | Affected Software: 1

Mozilla | added 2021/07/13 12:0 a.m. | 127 views

Security Vulnerabilities fixed in Thunderbird 78.12 — Mozilla

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for...

CVSS 8.8 | AI score 1.8 | EPSS 0.03582
Exploits: 1 | References: 4 | Affected Software: 1

Mozilla | added 2021/07/13 12:0 a.m. | 65 views

Security Vulnerabilities fixed in Firefox ESR 78.12 — Mozilla

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. This bug only affected Firefox when accessibility was enabled. An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable...

CVSS 8.8 | AI score 2 | EPSS 0.03582
Exploits: 1 | References: 3 | Affected Software: 1

Mozilla | added 2021/06/16 12:0 a.m. | 753 views

Security Vulnerabilities fixed in Firefox 89.0.1 — Mozilla

When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur. This bug only affects Firefox on Windows. Other operating systems are unaffected...

CVSS 8.1 | AI score 7.5 | EPSS 0.00826
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla | added 2021/06/03 12:0 a.m. | 198 views

Security Vulnerabilities fixed in Thunderbird 78.11 — Mozilla

A locally-installed hostile program could send WM_COPYDATA messages that Thunderbird would process incorrectly, leading to an out-of-bounds read. This bug only affects Thunderbird on Windows. Other operating systems are unaffected. Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru...

CVSS 8.8 | AI score 1.1 | EPSS 0.01368
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla | added 2021/06/01 12:0 a.m. | 32 views

Security Vulnerabilities fixed in Firefox for iOS 34 — Mozilla

When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode...

CVSS 4.3 | AI score 4.8 | EPSS 0.00671
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla | added 2021/06/01 12:0 a.m. | 263 views

Security Vulnerabilities fixed in Firefox 89 — Mozilla

A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. This bug only affects Firefox for Android. Other operating systems are...

CVSS 7.1 | AI score 8.2 | EPSS 0.00842
Exploits: 0 | References: 9 | Affected Software: 1

Mozilla | added 2021/06/01 12:0 a.m. | 52 views

Security Vulnerabilities fixed in Firefox ESR 78.11 — Mozilla

A locally-installed hostile program could send WM_COPYDATA messages that Firefox would process incorrectly, leading to an out-of-bounds read. This bug only affects Firefox on Windows. Other operating systems are unaffected. Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru Michis,...

CVSS 8.8 | AI score 1.1 | EPSS 0.01368
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla | added 2021/05/17 12:0 a.m. | 140 views

Security Vulnerabilities fixed in Thunderbird 78.10.2 — Mozilla

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version...

CVSS 4.3 | AI score 3.5 | EPSS 0.0094
Exploits: 2 | References: 2 | Affected Software: 1

Mozilla | added 2021/05/06 12:0 a.m. | 25 views

Insecure Proxy Configuration in Hubs Cloud Reticulum — Mozilla

Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service...

CVSS 9.8 | AI score 1.9 | EPSS 0.00643
Exploits: 1 | References: 2

Mozilla | added 2021/05/05 12:0 a.m. | 781 views

Security Vulnerabilities fixed in Firefox 88.0.1, Firefox for Android 88.1.3 — Mozilla

By triggering multiple pop-up prompts containing javascript: URLs, a malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. Note: This issue only...

CVSS 7.5 | AI score 1.6 | EPSS 0.0073
Exploits: 0 | References: 2 | Affected Software: 2

Mozilla | added 2021/05/04 12:0 a.m. | 212 views

Security Vulnerabilities fixed in Thunderbird 78.10.1 — Mozilla

The Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating if an attacker spammed the 'Stop' command; but also exposed atta...

CVSS 6.5 | AI score 4 | EPSS 0.01852
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla | added 2021/05/04 12:0 a.m. | 51 views

Security Vulnerabilities fixed in Firefox ESR 78.10.1 — Mozilla

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating if an attacker spammed the 'Stop' command; but also...

CVSS 6.5 | AI score 3.2 | EPSS 0.01852
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla | added 2021/04/19 12:0 a.m. | 486 views

Security Vulnerabilities fixed in Firefox 88 — Mozilla

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary cod...

CVSS 8.8 | AI score 9 | EPSS 0.01764
Exploits: 1 | References: 13 | Affected Software: 1

Mozilla | added 2021/04/19 12:0 a.m. | 453 views

Security Vulnerabilities fixed in Thunderbird 78.10 — Mozilla

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary cod...

CVSS 8.8 | AI score 0.2 | EPSS 0.01764
Exploits: 1 | References: 9 | Affected Software: 1

Mozilla | added 2021/04/19 12:0 a.m. | 201 views

Security Vulnerabilities fixed in Firefox ESR 78.10 — Mozilla

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary cod...

CVSS 8.8 | EPSS 0.01764
Exploits: 1 | References: 8 | Affected Software: 1

Mozilla | added 2021/04/08 12:0 a.m. | 156 views

Security Vulnerabilities fixed in Thunderbird 78.9.1 — Mozilla

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might...

CVSS 7.8 | AI score 1.5 | EPSS 0.01035
Exploits: 1 | References: 4 | Affected Software: 1

Mozilla | added 2021/03/23 12:0 a.m. | 52 views

Security Vulnerabilities fixed in Firefox ESR 78.9 — Mozilla

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox. A texture upload of a...

CVSS 9.8 | AI score 0.2 | EPSS 0.01522
Exploits: 1 | References: 6 | Affected Software: 1

Mozilla | added 2021/03/23 12:0 a.m. | 180 views

Security Vulnerabilities fixed in Thunderbird 78.9 — Mozilla

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. An out of date graphics library (Angle) likely contained vulnerabilities that could...

CVSS 9.8 | AI score 0.5 | EPSS 0.01404
Exploits: 1 | References: 5 | Affected Software: 1

Mozilla | added 2021/03/23 12:0 a.m. | 204 views

Security Vulnerabilities fixed in Firefox 87 — Mozilla

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox. A texture upload of a...

CVSS 8.1 | AI score 0.8 | EPSS 0.01852
Exploits: 0 | References: 10 | Affected Software: 1

Mozilla | added 2021/03/08 12:0 a.m. | 93 views

Security Vulnerabilities fixed in Thunderbird 78.8.1 — Mozilla

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state...

CVSS 7.5 | AI score 2.2 | EPSS 0.00853
Exploits: 1 | References: 1 | Affected Software: 1

Mozilla | added 2021/02/23 12:0 a.m. | 242 views

Security Vulnerabilities fixed in Firefox 86 — Mozilla

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage."...

CVSS 8.1 | AI score 8.3 | EPSS 0.01222
Exploits: 0 | References: 12 | Affected Software: 1

Mozilla | added 2021/02/23 12:0 a.m. | 235 views

Security Vulnerabilities fixed in Thunderbird 78.8 — Mozilla

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage."...

CVSS 8.8 | AI score 1 | EPSS 0.01543
Exploits: 0 | References: 4 | Affected Software: 1

Mozilla | added 2021/02/23 12:0 a.m. | 57 views

Security Vulnerabilities fixed in Firefox ESR 78.8 — Mozilla

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage."...

CVSS 8.8 | AI score 0.8 | EPSS 0.01543
Exploits: 0 | References: 4 | Affected Software: 1

Mozilla | added 2021/02/05 12:0 a.m. | 541 views

Security Vulnerabilities fixed in Firefox 85.0.1 and Firefox ESR 78.7.1 — Mozilla

In the Angle graphics library, depth pitch computations did not take into account the block size and simply multiplied the row pitch with the pixel height. This caused the load functions to use a very high depth pitch, reading past the end of the user-supplied buffer. Note: This issue only affecte...

CVSS 6.5 | AI score 6.2 | EPSS 0.00637
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla | added 2021/01/26 12:0 a.m. | 109 views

Security Vulnerabilities fixed in Thunderbird 78.7 — Mozilla

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a...

CVSS 8.8 | AI score 0.3 | EPSS 0.01569
Exploits: 1 | References: 6 | Affected Software: 1

Mozilla | added 2021/01/26 12:0 a.m. | 141 views

Security Vulnerabilities fixed in Firefox ESR 78.7 — Mozilla

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a...

CVSS 8.8 | AI score 0.2 | EPSS 0.01569
Exploits: 0 | References: 5 | Affected Software: 1

Mozilla | added 2021/01/26 12:0 a.m. | 186 views

Security Vulnerabilities fixed in Firefox 85 — Mozilla

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a...

CVSS 8.8 | EPSS 0.01206
Exploits: 1 | References: 13 | Affected Software: 1

Mozilla | added 2021/01/11 12:0 a.m. | 463 views

Security Vulnerabilities fixed in Thunderbird 78.6.1 — Mozilla

A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code...

CVSS 8.8 | AI score 2.8 | EPSS 0.01283
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla | added 2021/01/06 12:0 a.m. | 564 views

Security Vulnerabilities fixed in Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1 — Mozilla

A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code...

CVSS 8.8 | AI score 2.9 | EPSS 0.01283
Exploits: 0 | References: 1 | Affected Software: 3

Mozilla | added 2020/12/15 12:0 a.m. | 157 views

Security Vulnerabilities fixed in Firefox 84 — Mozilla

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. The lifecycle of IPC Actors allows managed actors t...

CVSS 9.8 | AI score 9 | EPSS 0.01891
Exploits: 0 | References: 14 | Affected Software: 1

Mozilla | added 2020/12/15 12:0 a.m. | 156 views

Security Vulnerabilities fixed in Thunderbird 78.6 — Mozilla

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. Certain input to the CSS Sanitizer confused it,...

CVSS 8.8 | AI score 0.7 | EPSS 0.01891
Exploits: 0 | References: 8 | Affected Software: 1

Mozilla | added 2020/12/15 12:0 a.m. | 84 views

Security Vulnerabilities fixed in Firefox ESR 78.6 — Mozilla

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. Certain input to the CSS Sanitizer confused it,...

CVSS 8.8 | AI score 0.3 | EPSS 0.01891
Exploits: 0 | References: 8 | Affected Software: 1

Mozilla | added 2020/12/01 12:0 a.m. | 45 views

Security Vulnerabilities fixed in Thunderbird 78.5.1 — Mozilla

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable...

CVSS 9.3 | AI score 1.9 | EPSS 0.01227
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla | added 2020/11/17 12:0 a.m. | 164 views

Security Vulnerabilities fixed in Firefox 83 — Mozilla

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. Incorrect bookkeepi...

CVSS 9.3 | AI score 9.4 | EPSS 0.0247
Exploits: 1 | References: 21 | Affected Software: 1

Mozilla | added 2020/11/17 12:0 a.m. | 114 views

Security Vulnerabilities fixed in Firefox ESR 78.5 — Mozilla

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. When drawing a...

CVSS 9.3 | AI score 9.2 | EPSS 0.0247
Exploits: 1 | References: 12 | Affected Software: 1

Total number of security vulnerabilities: 1568