1885 matches found
CVE-2015-4495
CVE-2015-4495 affects Mozilla Firefox's built-in PDF viewer. The vulnerability allows remote attackers to bypass the Same Origin Policy and read arbitrary files or gain privileges via crafted JavaScript and a native setter, in Firefox versions before 39.0.3, Firefox ESR 38.x before 38.1.1, and Fi...
CVE-2023-34416
CVE-2023-34416 involves memory-safety bugs in Mozilla Firefox and Thunderbird. The vulnerability affects Firefox 113 and Firefox ESR 102.11, with possible memory corruption that could be exploited to execute arbitrary code; affected list includes Firefox < 114, ESR < 102.12, and Thunderbird
CVE-2023-23599
CVE-2023-23599 affects Firefox <109, Firefox ESR <102.7, and Thunderbird
CVE-2013-2566
CVE-2013-2566 involves RC4 biases in TLS/SSL allowing plaintext-recovery via large volumes of sessions with the same plaintext. Multiple connected sources confirm this issue affecting products such as F5 BIG-IP (various modules) and IBM Proventia/SiteProtector family. Affected in some BIG-IP rele...
CVE-2024-9680
CVE-2024-9680 is a use-after-free in the Animation timelines that enables code execution in the content process. Affected Mozilla products include Firefox and Thunderbird with the following vulnerable versions: Firefox < 131.0.2; Firefox ESR < 128.3.1; Firefox ESR < 115.16.1; Thunderbird...
CVE-2020-12402
CVE-2020-12402 describes a side-channel vulnerability in RSA key generation within the NSS cryptographic libraries where an input-dependent flow in the bignum/BinEXT Euclidean algorithm enables an attacker capable of electromagnetic side-channel measurements to recover secret primes. The issue af...
CVE-2023-34417
CVE-2023-34417 concerns memory-safety bugs in Mozilla Firefox 113 that could allow arbitrary code execution. The impact is noted for Firefox < 114, with high-severity CVSS 9.8 in the NVD entry. Public sources in connected documents confirm the issues affect Firefox prior to 114 and that fixes ...
CVE-2022-29917
CVE-2022-29917 involves memory-safety bugs in Firefox 99 and Firefox ESR 91.8 (Mozilla Fuzzing Team). Some bugs showed memory corruption and, with enough effort, could be exploited to run arbitrary code. affected products include Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox
CVE-2016-9079
CVE-2016-9079 is a use-after-free vulnerability in Mozilla Firefox/Thunderbird SVG Animation. Affected: Firefox < 50.0.2, Firefox ESR < 45.5.1, Thunderbird
CVE-2022-1529
CVE-2022-1529 is a prototype-pollution vulnerability in Mozilla products triggered by an attacker sending a message to a parent process, leading to attacker-controlled JavaScript execution in a privileged context. Affected: Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 1...
CVE-2022-26384
Summary: CVE-2022-26384 is a sandbox bypass in Firefox/Thunderbird caused by allowing popups in an iframe sandbox without allow-scripts, enabling crafted links to execute JavaScript in violation of the sandbox. Connected advisories confirm affected products (Firefox < 98, Firefox ESR < 91.7...
CVE-2022-29914
CVE-2022-29914 describes a memory-safety/logic issue in Firefox/Thunderbird where reusing existing popups could cover the fullscreen notification UI, enabling browser spoofing attacks. Affected products include Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox
CVE-2022-31737
CVE-2022-31737 describes an out-of-bounds write in WebGL that could cause memory corruption and a potentially exploitable crash. Affected products include Thunderbird < 91.10, Firefox < 101, and Firefox ESR
CVE-2022-1802
CVE-2022-1802 involves prototype pollution in JavaScript arrays, enabling attacker-controlled code execution in a privileged context when methods of an Array object can be corrupted. Affected software includes Mozilla Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0...
CVE-2023-34414
CVE-2023-34414 describes a click-jacking risk where the error page for TLS certificate errors could be hijacked due to a rendering lag, enabling a user click to override a certificate error under precise timing conditions. Affected products and versions (per provided documents): Firefox ESR < ...
CVE-2022-28285
CVE-2022-28285 describes an incorrect AliasSet used during MLoadTypedArrayElementHole JIT codegen, enabling a potential out-of-bounds read when combined with another vulnerability. Affected products include Thunderbird < 91.8, Firefox < 99, and Firefox ESR
CVE-2025-0237
CVE-2025-0237 concerns the WebChannel API: the sending principal was accepted without validation, enabling potential privilege escalation. Affected products include Firefox (all releases before 134; including ESR
CVE-2022-26387
The CVE-2022-26387 issue is a Mozilla add-on verification weakness. A time-of-check/time-of-use (TOCTOU) bug could allow the add-on file to be altered after Firefox/Thunderbird signatures were checked but before user confirmation, leaving the user exposed. Affected products and versions per conne...
CVE-2022-28282
Summary: CVE-2022-28282 is a use-after-free in the L10n/TranslateDocument path triggered when destroying an object during JavaScript execution and then referencing it via a freed pointer, with exploits tied to Firefox/Thunderbird. Affected versions: Thunderbird < 91.8, Firefox < 99, and Fir...
CVE-2022-29911
CVE-2022-29911 is an iframe sandbox bypass vulnerability described as an improper implementation of allow-top-navigation-by-user-activation that could permit script execution without allow-scripts. Affected products include Thunderbird (<91.9), Firefox ESR (<91.9), and Firefox (
CVE-2022-26383
CVE-2022-26383 concerns a UI/UX issue in Firefox and Thunderbird where, after requesting fullscreen, resizing the popup prevented the fullscreen notification from displaying. Connected docs confirm the flaw affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird
CVE-2022-22751
CVE-2022-22751 relates to memory-safety bugs in Firefox 95 and Firefox ESR 91.4, with evidence of memory corruption and a presumption that some could be exploited to run arbitrary code. Affected: Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-29909
CVE-2022-29909 is a Firefox/Thunderbird vulnerability described as privilege escalation via deeply-nested cross-origin browsing contexts that could inherit top-level permissions. Affected products and versions from connected advisories: Thunderbird < 91.9 and Firefox (including ESR)
CVE-2022-22747
Summary: CVE-2022-22747 describes a denial of service caused by incorrect parsing of empty PKCS#7 sequences after accepting an untrusted certificate, leading to a crash. The vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-22740
CVE-2022-22740 is confirmed in connected documents as a use-after-free caused by freeing network request objects too early, potentially enabling a crash. Affected products: Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-29916
CVE-2022-29916 is an information-disclosure issue where Firefox behaves differently when loading CSS resources with CSS variables, potentially allowing history probing. Affected products in public advisories include Thunderbird and Firefox variants (Thunderbird < 91.9, Firefox/ ESR < 91.9, ...
CVE-2022-26381
CVE-2022-26381 describes a use-after-free risk caused by forcing a text reflow in an SVG object, potentially exploitable as a crash. Affected products include Mozilla Firefox (less than 98) and Firefox ESR (less than 91.7) and Mozilla Thunderbird (less than 91.7). External documents (Astra Linux,...
CVE-2022-22739
CVE-2022-22739 describes a vulnerability where malicious websites could lure users into launching a program to handle an external URL protocol. Public references in the provided documents indicate affected products are Mozilla Firefox (Firefox ESR < 91.5, Firefox < 96) and Thunderbird (
CVE-2022-29912
The CVE-2022-29912 issue concerns the handling of SameSite cookies in reader mode. Affected products include Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox
CVE-2022-22742
CVE-2022-22742 is confirmed in connected records as an out-of-bounds memory access in Firefox/Thunderbird when inserting text in edit mode. Affected products include Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-22738
The CVE-2022-22738 entry concerns a heap-buffer-overflow caused by applying a CSS filter, potentially exploitable via memory corruption. Affected products are Mozilla Firefox/Thunderbird: Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-22745
CVE-2022-22745 describes a cross-origin information leak via SecurityPolicyViolation events for frame-ancestors violations. Public documents associate this with Firefox ESR versions earlier than 91.5, Firefox versions earlier than 96, and Thunderbird versions earlier than 91.5. The connected advi...
CVE-2022-22741
CVE-2022-22741 : A fullscreen-related issue in Firefox/Thunderbird where resizing a popup while requesting fullscreen could trap the popup in fullscreen and prevent exit. Affected: Firefox ESR < 91.5, Firefox < 96, Thunderbird
CVE-2022-22737
The CVE-2022-22737 entry is supported by connected advisories showing a race condition in constructing audio sinks that can lead to a use-after-free and potentially exploitable crash in Mozilla Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-22754
CVE-2022-22754: Affects Firefox <97, Thunderbird <91.6, and Firefox ESR
CVE-2022-22760
CVE-2022-22760: A cross-origin information disclosure in Firefox/Thunderbird arises when importing resources via Web Workers, where error messages could reveal whether a response is JavaScript (application/javascript) or not. Affected: Firefox < 97, Thunderbird < 91.6, and Firefox ESR
CVE-2019-11709
CVE-2019-11709 involves memory safety bugs reported in Mozilla Firefox (67) and Firefox ESR (60.7). Some bugs show memory corruption and could potentially be exploited to run arbitrary code. Affected versions include Firefox ESR < 60.8, Firefox < 68, and Thunderbird
CVE-2022-1097
The CVE-2022-1097 entry concerns NSSToken objects that could be accessed unsafely across threads, causing a use-after-free and potentially exploitable crash. Affected products explicitly named in connected documents include Thunderbird (versions earlier than 91.8), Firefox (versions earlier than ...
CVE-2022-22743
CVE-2022-22743 affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-22756
CVE-2022-22756 describes a drag-and-drop image object that could be turned into an executable script, enabling arbitrary code execution when clicked. Affected products and versions include Firefox <97, Thunderbird <91.6, and Firefox ESR
CVE-2022-22764
CVE-2022-22764 is a set of memory-safety bugs in Mozilla Firefox (affecting Firefox < 97 and Firefox ESR < 91.6) and related Thunderbird components (Thunderbird
CVE-2022-42928
CVE-2022-42928 is a memory-corruption vulnerability affecting Firefox and Thunderbird prior to the specified versions (Firefox <106, ESR <102.4, Thunderbird
CVE-2019-11745
CVE-2019-11745 is a heap-based out-of-bounds write in Mozilla NSS (NSC_EncryptUpdate) when data smaller than the block size is encrypted. This could allow a remote attacker to trigger a crash or execute arbitrary code with the user’s privileges (attack surface includes NSS-enabled apps such as Th...
CVE-2022-22748
CVE-2022-22748 is a cross-origin spoof vulnerability in Mozilla components where malicious websites could confuse Thunderbird or a browser dialog about launching a program to handle an external URL protocol, resulting in a spoofed origin. Public documentation in connected advisories ties this to ...
CVE-2012-4929
CVE-2012-4929 (CRIME) : The vulnerability stems from TLS/SSL compression, where the TLS protocol (1.2 and earlier) used by browsers (e.g., Mozilla Firefox, Google Chrome, Qt) can encrypt compressed data without hiding the length of unencrypted data. This length leakage enables a MITM attacker to ...
CVE-2022-28286
The CVE-2022-28286 issue is a layout-related vulnerability where iframe contents could render outside their border, potentially enabling spoofing or user confusion. Affected products and versions identified in connected documents include Thunderbird < 91.8, Firefox < 99, and Firefox ESR
CVE-2022-31741
CVE-2022-31741 is a memory-safety issue triggered by processing a crafted CMS message, affecting Thunderbird < 91.10, Firefox < 101, and Firefox ESR
CVE-2022-22759
The CVE-2022-22759 issue describes a flaw where a sandboxed iframe that lacks allow-scripts could still execute an appended element’s JavaScript (e.g., event handlers) when that element is added to the iframe’s document. Affected products and versions include Firefox < 97, Thunderbird < 91....
CVE-2022-28281
CVE-2022-28281 describes a memory safety vulnerability in Mozilla Firefox/Thunderbird where a compromised content process could send an unexpected number of WebAuthN Extensions in a Register command to the parent process, causing an out-of-bounds write and memory corruption that could lead to a p...
CVE-2022-34470
CVE-2022-34470 is a real-use-after-free vulnerability in Firefox/Thunderbird related to session-history navigations that could cause a crash. The connected documents identify the affected products and versions: Firefox and Firefox ESR (Firefox < 102, ESR < 91.11) and Thunderbird (Thunderbir...