The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then ...
Race condition in the Mozilla Maintenance Service in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Windows allows local users to write to arbitrary files and consequently gain privileges via vectors involving a hard link to a log file during an update.
8.5AI Score
0.001EPSS
Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through...
3.7CVSS
5.9AI Score
0.013EPSS
The error page for sites with invalid TLS certificates was missing theactivation-delay Firefox uses to protect prompts and permission dialogsfrom attacks that exploit human response time delays. If a maliciouspage elicited user clicks in precise locations immediately beforenavigating to a site with...
3.1CVSS
5.6AI Score
0.001EPSS
There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
3.7CVSS
5.6AI Score
0.0004EPSS