1887 matches found
CVE-2022-34470
CVE-2022-34470 is a real-use-after-free vulnerability in Firefox/Thunderbird related to session-history navigations that could cause a crash. The connected documents identify the affected products and versions: Firefox and Firefox ESR (Firefox < 102, ESR < 91.11) and Thunderbird (Thunderbir...
CVE-2022-22761
CVE-2022-22761 fixes a vulnerability where the frame-ancestors CSP directive was not enforced for moz-extension:// pages, affecting Firefox < 97, Thunderbird < 91.6, and Firefox ESR
CVE-2022-31740
CVE-2022-31740 describes a register allocation bug in arm64 WASM code that could cause an exploitable crash. Publicly listed impact covers Thunderbird < 91.10, Firefox < 101, and Firefox ESR
CVE-2022-31747
CVE-2022-31747 involves memory safety bugs in Mozilla Firefox 100 and Firefox ESR 91.9 that could lead to memory corruption and potential arbitrary code execution. Affected products include Thunderbird < 91.10, Firefox < 101, and Firefox ESR
CVE-2022-28289
CVE-2022-28289 corresponds to Mozilla Thunderbird memory-safety bugs reported by the Mozilla Fuzzing Team, with evidence of memory corruption and the possibility that, with enough effort, some flaws could be exploited to run arbitrary code. The vulnerability affects Thunderbird versions earlier t...
CVE-2019-9810
CVE-2019-9810 is an IonMonkey JIT bug in Firefox/Thunderbird where incorrect alias information for Array.prototype.slice can skip bounds checks, enabling a buffer overflow and potential remote code execution. Affected: Firefox prior to 66.0.1 and Firefox ESR prior to 60.6.1; Thunderbird prior to ...
CVE-2022-45415
This CVE affects Mozilla Firefox. When downloading an HTML file, if the page title is formatted as a filename with a malicious extension, Firefox may save the file with that extension, potentially allowing system compromise if the file is executed. Affected versions are Firefox
CVE-2022-31738
CVE-2022-31738 concerns an issue where, when exiting fullscreen mode, an iframe could mislead the browser about the current fullscreen state, enabling user confusion or spoofing. Affected: Thunderbird < 91.10, Firefox < 101, and Firefox ESR
CVE-2022-2200
CVE-2022-2200 affects Firefox and Thunderbird where an attacker could corrupt an object prototype to set undesired attributes on a JavaScript object, leading to privileged code execution. Affected versions are Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird
CVE-2023-23605
CVE-2023-23605 corresponds to memory-safety bugs in Mozilla Firefox 108 and Firefox ESR 102.6 (Thunderbird < 102.7; Firefox < 109; ESR
CVE-2019-11719
CVE-2019-11719 describes an out-of-bounds read in NSS when importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, potentially leading to information disclosure. Affected products include Mozilla Firefox ESR and Thunderbird releases prior to 60.8, and Firefox versions prior t...
CVE-2021-23954
CVE-2021-23954 : A memory corruption vulnerability in Firefox/Thunderbird was caused by using the new logical assignment operators inside a JavaScript switch, leading to a type confusion and potentially exploitable crash. Affected: Firefox <= 85.0 (fixed in 85.0+), Thunderbird
CVE-2022-34479
CVE-2022-34479 describes a vulnerability where a malicious website could create a popup that is resized to overlay the browser address bar, potentially causing user confusion or spoofing. The issue explicitly affects Thunderbird for Linux and, per the referenced advisories, Firefox and Thunderbir...
CVE-2022-34484
CVE-2022-34484 is a memory-corruption issue reported by the Mozilla Fuzzing Team affecting Mozilla Thunderbird and Firefox/Firefox ESR: Thunderbird < 102 and Thunderbird < 91.11, Firefox < 102, and Firefox ESR
CVE-2022-31739
CVE-2022-31739 is a Windows file-save path traversal in Mozilla Thunderbird (versions 91.0–91.9.1 per CNVD). An input-validation flaw could allow a downloaded file to be saved to attacker-controlled paths (e.g., using environment variables like %HOMEPATH% or %APPDATA%). No public fix/version deta...
CVE-2025-1009
CVE-2025-1009 is a use-after-free in XSLT processing that affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird
CVE-2019-11727
CVE-2019-11727 concerns Mozilla NSS and affects Firefox versions earlier than 68. The issue allows NSS to sign TLS 1.3 CertificateVerify messages with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest. This is inappropriate for TLS 1.3 and is the u...
CVE-2022-45418
CVE-2022-45418 describes a UI spoofing risk where a custom CSS mouse cursor could be drawn over the browser UI, potentially confusing users. Affected products include Firefox ESR and Firefox releases prior to 102.5, and Thunderbird prior to 102.5. Public sources in connected documents consistentl...
CVE-2022-34468
CVE-2022-34468: An iframe that is not allowed to run scripts could execute scripts when a user clicked a javascript: link. Affected: Firefox <102, Firefox ESR <91.11, Thunderbird <102, Thunderbird
CVE-2022-22753
CVE-2022-22753 affects Mozilla Firefox on Windows, with a Time-of-Check Time-of-Use bug in the Maintenance (Updater) Service that could grant a user write access to an arbitrary directory and escalate to SYSTEM. The umbrella set includes Firefox versions below 97 and affected Thunderbird ESR line...
CVE-2022-31736
CVE-2022-31736 is a cross-origin length disclosure in Mozilla products: a malicious site could learn the length of a cross-origin resource that supports Range requests. Affected are Thunderbird < 91.10, Firefox < 101, and Firefox ESR
CVE-2022-42927
CVE-2022-42927 is a same-origin policy violation that could leak cross-origin URL entries and the redirect result via performance.getEntries(). Connected sources confirm impact on Firefox before version 106, Firefox ESR before 102.4, and Thunderbird before 102.4. Mitigations referenced include up...
CVE-2019-9797
CVE-2019-9797: Cross-origin images can be read in violation of the same-origin policy by exporting an image after read-through createImageBitmap and rendering the bitmap on a canvas. Affected product: Mozilla Firefox; impact is cross-origin image theft via canvas rendering. The vulnerability expl...
CVE-2019-11729
CVE-2019-11729 is confirmed in the connected documents as an NSS vulnerability: empty or malformed p256-ECDH public keys may cause a segmentation fault due to improper sanitization during memory copy. The issue affects NSS-related components used by Firefox ESR (<60.8), Firefox (<68), Thund...
CVE-2024-3864
CVE-2024-3864 is a memory-safety vulnerability in Mozilla Firefox and Thunderbird. It affects Firefox <125, Firefox ESR <115.10, and Thunderbird
CVE-2022-0843
CVE-2022-0843 concerns memory safety bugs in Mozilla Firefox 97 that could be exploited to run arbitrary code, affecting Firefox versions older than 98. The issue is documented across multiple sources (including MFSA 2022-10); the practical impact is potential remote code execution with high seve...
CVE-2020-26950
CVE-2020-26950 concerns a write-side effect in the MCallGetProperty opcode causing a use-after-free in Mozilla Firefox/Thunderbird. Affected software: Firefox < 82.0.3, Firefox ESR < 78.4.1, Thunderbird
CVE-2019-17023
CVE-2019-17023 is a protocol-downgrade vulnerability in NSS (Network Security Services). After a HelloRetryRequest is sent during TLS, a client may negotiate a lower protocol than TLS 1.3, causing an invalid TLS state transition and causing subsequent Application Data records to be ignored. This ...
CVE-2021-23961
CVE-2021-23961 is an information-disclosure vulnerability affecting Mozilla Firefox prior to 85, with related entries in Thunderbird. The connected advisories describe that a malicious webpage leveraging slipstream techniques could expose internal network hosts and services on the client’s machin...
CVE-2022-45421
CVE-2022-45421 describes memory safety bugs reported in Thunderbird 102.4 (and related Gecko code paths) with evidence of memory corruption; the advisory notes these could be exploited to execute arbitrary code. Affected products include Thunderbird < 102.5, Firefox ESR < 102.5, and Firefox
CVE-2022-31748
CVE-2022-31748 affects Mozilla Firefox versions earlier than 101. The issue comprises memory-safety bugs in Firefox 100 (Mozilla Fuzzing Team reports) with evidence of memory corruption; some bugs could be exploited to run arbitrary code, according to the provided description. Affected component ...
CVE-2022-26385
CVE-2022-26385 describes a Firefox memory-safety issue where, in unusual shutdown scenarios, an individual thread may outlive its manager, causing a use-after-free that can lead to a potentially exploitable crash. Affected software: Mozilla Firefox, versions older than 98. Root cause: post-shutdo...
CVE-2022-42932
CVE-2022-42932 involves memory safety bugs in Mozilla Firefox/Thunderbird. Affected products: Firefox 105 and ESR 102.3 (and older branches) with vulnerability present in Firefox < 106, ESR < 102.4, and Thunderbird
CVE-2022-45404
CVE-2022-45404 : The vulnerability is a fullscreen notification bypass caused by a sequence of popup/window.print() calls that lets a window go fullscreen without the user prompt. Affected products include Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox
CVE-2022-45412
CVE-2022-45412 is a memory-unclear error that occurs when resolving the symlink file:///proc/self/fd/1, producing an error message with uninitialized memory content. The issue affects Thunderbird on Unix-based systems (Android, Linux, macOS) and also involves Firefox ESR <102.5 and Firefox
CVE-2022-42929
Affects Firefox and Thunderbird: CVE-2022-42929 describes a denial-of-service vulnerability triggered by a particular handling of window.print(), with exploits leading to browser DoS that may persist across restarts depending on session restore. Public sources (CVE entry, Astra Linux advisory, De...
CVE-2022-45420
CVE-2022-45420 describes a phishing/spoofing risk where iframe content could be rendered outside the iframe boundaries in Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox
CVE-2022-26382
CVE-2022-26382 concerns Mozilla Firefox versions earlier than 98.0. The issue arises from rendering text in Autofill tooltips using page fonts, enabling side‑channel inference of the displayed text. Affected product: Firefox
CVE-2020-12399
CVE-2020-12399 involves NSS showing timing differences during DSA signatures, a vulnerability that could allow leakage of DSA private keys. The connected documents consistently state affected software as Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR
CVE-2022-22746
CVE-2022-22746 describes a race condition that could bypass the fullscreen notification, potentially enabling a fullscreen window spoof in Firefox on Windows. The vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird
CVE-2022-29918
CVE-2022-29918 refers to memory-safety bugs in Mozilla Firefox 99 that could potentially be exploited to run arbitrary code. The vulnerability affects Firefox versions older than 100.0. The Mozilla MFSA advisories corroborate memory-safety issues/possible code execution with Firefox 99-era builds...
CVE-2022-28283
Summary (CVE-2022-28283) : The Firefox devtools sourceMapURL feature lacked security checks, potentially allowing a webpage to access local files or otherwise inaccessible resources. Affected: Firefox versions earlier than 99. Impact as described: confidentiality impact (local file access) with n...
CVE-2022-29915
CVE-2022-29915 affects Mozilla Firefox (pre-100.0). The Performance API failed to hide whether a cross-origin resource observed redirects, enabling information disclosure. Affected: Firefox versions prior to 100.0. The issue is described in multiple advisories; upstream remediation and Arch Linux...
CVE-2016-0718
CVE-2016-0718 is evidenced in connected Apple documents as part of the Expat (libexpat) updates applied to OS X El Capitan and iTunes-related components. The Expat/libexpat entry notes that processing XML can trigger vulnerabilities in affected builds, with CVE-2016-0718 specifically associated w...
CVE-2021-29945
CVE-2021-29945 concerns the WebAssembly JIT: the JIT could miscalculate the size of a return type, causing a null read and a crash on x86-32. Affected products per the provided documents include Firefox ESR and Firefox releases prior to 78.10 and Thunderbird prior to 78.10 (Firefox
CVE-2020-6796
CVE-2020-6796 targets Mozilla Firefox: a missing bounds check on shared memory reads in the parent process could cause memory corruption via an out-of-bounds write, potentially exploitable. Affected: Firefox old releases prior to 73 and ESR prior to 68.5. Remediation per connected docs: upgrade t...
CVE-2022-45408
Summary: CVE-2022-45408 describes a web/browser UI issue where a sequence of popups that reuse the same windowName can force a window into fullscreen mode without showing the notification prompt, enabling user confusion or spoofing. Affected products/versions: Firefox ESR and Firefox, Thunderbird...
CVE-2021-29967
CVE-2021-29967 is a set of memory-safety bugs in Mozilla’s Firefox stack (affecting Firefox 88/ESR 78.11 path) that Mozilla indicated could be exploited to run arbitrary code. Affected products include Thunderbird < 78.11, Firefox < 89, and Firefox ESR
CVE-2016-9063
The CVE-2016-9063 entry concerns an integer overflow in the Expat XML parser used by Firefox up to version 50. The connected advisory explicitly notes that an overflow can lead to buffer overflows and arbitrary code execution. It also provides mitigation guidance in the cited advisory (e.g., rest...
CVE-2022-0511
CVE-2022-0511 corresponds to memory-safety bugs in Mozilla Firefox 96 that could have allowed arbitrary code execution via memory corruption. The public records indicate these issues affected Firefox versions prior to 97 and were addressed in Firefox 97+ and related ESR branches. The Mozilla advi...