1887 matches found
CVE-2024-8383
CVE-2024-8383 affects Mozilla Firefox and Firefox ESR. The issue arises when Firefox asks the OS to handle a scheme the browser doesn’t support and doesn’t prompt for confirmation for Usenet-related schemes (news: and snews:). This could allow a malicious webpage or downloaded application to regi...
CVE-2018-18500
CVE-2018-18500 is a use-after-free in the HTML5 stream parser when handling custom HTML elements, causing the parser object to be freed while still in use. Affected products include Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox
CVE-2019-11712
CVE-2019-11712 describes a vulnerability where NPAPI plugins (e.g., Flash) performing POST requests that follow a 308 redirect can bypass CORS, enabling CSRF. Affected products include Mozilla Firefox ESR < 60.8, Firefox < 68, and Thunderbird
CVE-2019-9819
The CVE-2019-9819 issue is a JavaScript compartment mismatch involving the fetch API that can cause a crash. Affected products include Thunderbird (and Firefox components) with versions below 60.7 for Thunderbird and below 67 for Firefox/Firefox ESR; impact is described as potentially exploitable...
CVE-2024-5693
Offscreen Canvas cross-origin tainting tracked incorrectly, enabling potential access to image data from other sites. Affected: Firefox <127, Firefox ESR <115.12, Thunderbird
CVE-2021-23999
CVE-2021-23999 describes a sandbox/privilege issue where a Blob URL loaded via an unusual user interaction could be executed with System Principal privileges, affecting Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox
CVE-2024-4777
CVE-2024-4777 concerns memory-safety bugs in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10, potentially allowing arbitrary code execution. Public sources in connected documents confirm affected products and versions: Firefox < 126, Firefox ESR < 115.11, and Thunderbird
CVE-2024-6610
The CVE-2024-6610 issue is disclosed across multiple sources as a UI vulnerability in Mozilla Firefox and Thunderbird prior to version 128, caused by form validation popups that can capture escape key presses and block exiting full-screen mode. Affected products: Firefox <128 and Thunderbird
CVE-2025-0245
CVE-2025-0245 affects Firefox before version 134. The issue is that an opt-in authentication setting could be bypassed under certain circumstances, enabling local access without proper authentication and with user interaction required. Root cause details are not fully disclosed in the provided do...
CVE-2021-23998
CVE-2021-23998 describes a content spoofing vulnerability in Firefox/Thunderbird: through complex navigation involving new windows, an HTTP page could inherit the lock icon from an HTTPS page. Affected products are Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox
CVE-2023-23601
CVE-2023-23601 is a browser navigation/vulnerability caused by dragging a URL from a cross-origin iframe into the same tab, enabling potential spoofing. Public records confirm impact on Firefox (less than 109) and Firefox ESR (less than 102.7) and Thunderbird (less than 102.7). Multiple advisorie...
CVE-2023-23603
CVE-2023-23603 describes that Regular expressions used to filter forbidden properties/values from style directives in calls to console.log did not account for external URLs, enabling potential data exfiltration from the browser. Affected: Firefox <= 108/109 and Firefox ESR <= 102.7, Thunder...
CVE-2024-6609
The CVE-2024-6609 entry concerns NSS memory management: when memory is nearly exhausted, an elliptic curve key that was never allocated could be freed again, potentially enabling memory corruption or related instability. Affected products cited in connected docs include Mozilla Firefox and Mozill...
CVE-2024-8382
The CVE-2024-8382 entry describes a vulnerability where privileged EventHandler interfaces were exposed to web content during execution of their listener callbacks. Affected software includes Firefox (less than 130; ESR <128.2 and ESR
CVE-2019-11692
CVE-2019-11692 is a use-after-free in the event listener manager that can occur when listeners are removed while still in use, causing a crash in Thunderbird <=60.6.x/60.7.0, Firefox <=66-67 (and ESR
CVE-2020-12395
CVE-2020-12395 refers to memory-safety bugs reported in Mozilla Firefox and Thunderbird. Mozilla noted memory corruption in bugs affecting Firefox 75/ESR 68.7 and stated that with enough effort some bugs could be exploited to run arbitrary code. The vulnerability impacts Firefox ESR < 68.8, Fi...
CVE-2024-10466
CVE-2024-10466: A specially crafted push message can hang the parent process, making the browser unresponsive. Affected: Firefox < 132, Firefox ESR < 128.4, Thunderbird
CVE-2024-6613
CVE-2024-6613 affects Mozilla Firefox and Thunderbird. The issue is a bug in the frame/stack handling, where the frame iterator can loop when encountering certain wasm frames, causing incorrect stack traces. Affected products are Firefox <128 and Thunderbird
CVE-2020-12400
CVE-2020-12400 is an NSS-related timing vulnerability affecting Firefox < 80 and Firefox for Android
CVE-2021-23987
CVE-2021-23987 corresponds to memory safety bugs reported in Mozilla Firefox (including Firefox ESR 78.8 branch) that could allow memory corruption and potentially arbitrary code execution. The CVE is stated to affect Firefox ESR < 78.9, Firefox < 87, and Thunderbird
CVE-2021-38504
The CVE-2021-38504 issue is a real vulnerability affecting Firefox < 94, Thunderbird < 91.3, and Firefox ESR
CVE-2024-11692
CVE-2024-11692 describes a spoofing-related issue in Mozilla Firefox/Thunderbird where a select dropdown could be rendered over another tab, causing user confusion. The vulnerability affects Firefox versions before 133, Firefox ESR before 128.5, Thunderbird before 133, and Thunderbird before 128....
CVE-2024-38312
Concisely: CVE-2024-38312 affects Firefox for iOS versions before 127. When private tabs are used, location history data and webpage thumbnails could be persisted in the sandboxed app bundle after termination, exposing potentially sensitive information. Exploitation details are not provided in th...
CVE-2024-5695
CVE-2024-5695 describes an out-of-memory condition in Mozilla Firefox’s probabilistic heap checker allocations that could trigger an assertion and, in rarer cases, memory corruption. Affected software: Firefox versions older than 127. The root cause is tied to the probabilistic heap checker alloc...
CVE-2024-7527
The CVE-2024-7527 issue (use-after-free at the start of sweeping) affects Firefox <129 and Thunderbird
CVE-2024-8384
CVE-2024-8384 describes a memory safety issue in the JavaScript engine’s garbage collector where cross-compartment objects could be mis-colored under certain OOM timing, leading to memory corruption. Affected products per connected sources include Firefox and Thunderbird up to specific versions: ...
CVE-2025-0243
CVE-2025-0243 concerns memory-safety bugs in Mozilla Firefox and Thunderbird. Affected products include Firefox 133 and Thunderbird 133, and their ESR lines (Firefox ESR 128.5, Thunderbird ESR 128.5) with exploitation potential for memory corruption that could allow executing arbitrary code. The ...
CVE-2025-0244
CVE-2025-0244 affects Firefox on Android prior to version 134. The issue arises when redirecting to an invalid protocol scheme, enabling an attacker to spoof the address bar. Other operating systems are unaffected. The connected sources confirm a Firefox-specific Android exposure without specifyi...
CVE-2025-1018
The CVE-2025-1018 entry concerns Firefox and Thunderbird before version 135, where the fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. The underlying issue can allow spoofing, with a resulting impact described as partial integrity/availability co...
CVE-2019-11711
CVE-2019-11711 involves reuse of an inner window that neglects document.domain cross-origin protections, enabling script injection across subdomains. Affected software per connected docs: Firefox ESR < 60.8, Firefox < 68, and Thunderbird
CVE-2020-6812
CVE-2020-6812: Affected software includes Thunderbird
CVE-2021-29946
CVE-2021-29946 affects Firefox/Thunderbird components where ports written as an integer overflow beyond 16-bit bounds could bypass port blocking when used in the Alt-Svc header. Connected advisories show the issue is labeled as port blocking bypass (access restriction bypass) with remediation via...
CVE-2024-10465
The CVE-2024-10465 issue is confirmed in connected advisories: a clipboard “paste” button could persist across browser tabs, enabling spoofing. Affected products/versions include Firefox <132, Firefox ESR <128.4, Thunderbird <128.4, and Thunderbird
CVE-2024-7526
The connected sources confirm CVE-2024-7526 is an ANGLE initialization bug that could allow an attacker to read uninitialized memory in affected Mozilla products. Affected software include Firefox prior to 129 and Firefox ESR prior to 115.14/128.1, Thunderbird prior to 128.1/115.14, and related c...
CVE-2019-9816
Summary: CVE-2019-9816 is a type confusion vulnerability involving manipulation of JavaScript objects in object groups, affecting Mozilla products (Thunderbird and Firefox/Firefox ESR) and specifically related to UnboxedObjects, which are disabled by default on all supported releases. The issue i...
CVE-2020-26960
CVE-2020-26960 is a use-after-free vulnerability caused by reallocation during Compact() on nsTArray, affecting Firefox <83, Firefox ESR <78.5, and Thunderbird
CVE-2021-43537
CVE-2021-43537: An incorrect type conversion of sizes from 64-bit to 32-bit integers causes a heap buffer overflow during structured cloning, leading to memory corruption and potentially exploitable crashes. Affected: Firefox before 95 and Thunderbird before 91.4.0. Remediation: upgrade to Firefo...
CVE-2024-10463
CVE-2024-10463 : Video frames could be leaked between origins in certain scenarios. Affected products include Mozilla Firefox and Thunderbird families with versions older than Firefox 132, ESR 128.4/115.17, and Thunderbird 128.4/132.0.1. The connected advisories confirm the issue and provide reme...
CVE-2024-5694
The CVE-2024-5694 entry describes a use-after-free in the Firefox JavaScript engine that allows reading memory from the JavaScript string heap. Affected product: Mozilla Firefox earlier than 127. Impact: potential local memory read/unspecified escalation within the JS heap; exploitation guidance ...
CVE-2024-6608
The CVE-2024-6608 issue affects Mozilla Firefox (and related Thunderbird components) where pointerlock can move the cursor from within an iframe to outside the viewport and even outside the Firefox window. Affected versions are Firefox < 128 and Thunderbird
CVE-2024-7531
CVE-2024-7531 involves Mozilla Firefox and Firefox ESR. The connected documents confirm the underlying vulnerability: calling PK11_Encrypt() in NSS with CKM_CHACHA20 and using the same buffer for input and output can expose plaintext on Intel Sandy Bridge CPUs. In Firefox, the impact is limited t...
CVE-2024-9397
CVE-2024-9397 is a concrete issue: a missing delay in the directory upload UI could enable clickjacking to trick users into granting permissions. Affected products include Firefox (versions prior to 131 and ESR prior to 128.3) and Thunderbird (prior to 131/128.3). Connected advisories (ALSA/ALAS)...
CVE-2024-9399
CVE-2024-9399 describes a denial-of-service in Firefox/Thunderbird caused by a website initiating a specially crafted WebTransport session that crashes the browser. Affected versions: Firefox before 131 and Firefox ESR before 128.3; Thunderbird before 128.3; Thunderbird before 131. The issue is t...
CVE-2025-0238
CVE-2025-0238 describes a memory-safety issue (use-after-free) caused by a controlled failed memory allocation, potentially leading to a crash in Firefox and Thunderbird before certain versions. Affected products/versions (per connected advisories): Firefox < 134; Firefox ESR < 128.6 (and &...
CVE-2020-6822
CVE-2020-6822 is an out-of-bounds write in GMPDecodeData when processing images larger than 4 GB on 32-bit builds, potentially allowing arbitrary code execution. Affected products include Thunderbird and Firefox (Thunderbird < 68.7.0, Firefox ESR < 68.7, Firefox
CVE-2024-10460
The CVE-2024-10460 issue is a data: URL-based spoofing vulnerability in an iframe that obscures the origin of an external protocol handler prompt. Affected: Firefox <132, Firefox ESR <128.4, Thunderbird <128.4, and Thunderbird
CVE-2024-10467
Summary (CVE-2024-10467) Memory-safety bugs in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3 have shown memory corruption with potential for arbitrary code execution. Affected: Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird
CVE-2024-10468
CVE-2024-10468 describes potential race conditions in IndexedDB that could cause memory corruption, leading to a potentially exploitable crash. Affected products are Mozilla Firefox and Mozilla Thunderbird earlier than version 132. Multiple connected sources-confirm this same issue across distrib...
CVE-2024-11706
CVE-2024-11706 involves a null pointer dereference in pk12util, specifically in SEC_ASN1DecodeItem_Util, triggered by malformed input. Affected products include Firefox <= 132/133? and Thunderbird <= 132/133? The connected sources consistently cite Firefox and Thunderbird with the vulnerabi...
CVE-2024-38313
CVE-2024-38313 describes a spoofing vulnerability in Firefox for iOS where, in certain scenarios, a malicious website could attempt to display a fake location URL bar to mislead users about the actual website address. The vulnerability is documented to affect Firefox for iOS versions prior to 127...