1887 matches found
CVE-2024-38313
CVE-2024-38313 describes a spoofing vulnerability in Firefox for iOS where, in certain scenarios, a malicious website could attempt to display a fake location URL bar to mislead users about the actual website address. The vulnerability is documented to affect Firefox for iOS versions prior to 127...
CVE-2024-6605
CVE-2024-6605 affects Firefox for Android, where an immediate interaction with permission prompts can enable tapjacking. The description in sources states Firefox Android
CVE-2024-9402
CVE-2024-9402 concerns memory safety bugs in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2, with evidence of memory corruption that could potentially be exploited to run arbitrary code. Affected products and versions include Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3...
CVE-2021-23978
CVE-2021-23978 affects Mozilla products (Firefox and Thunderbird/Firefox ESR). The connected documents confirm memory safety bugs in Firefox 85 and ESR 78.7, with potential memory corruption that could lead to arbitrary code execution. Impact is described for Firefox < 86, Thunderbird < 78....
CVE-2024-11702
CVE-2024-11702 concerns Mozilla Firefox and Mozilla Thunderbird information disclosure due to insufficient clipboard protection in Android Private Browsing mode. Affected products: Firefox and Thunderbird with versions prior to 133. Root cause: clipboard data (sensitive data such as passwords) co...
CVE-2024-5689
Mozilla Firefox before 127 had multiple vulnerabilities including a UI spoofing issue where an overlay of the My Shots button could direct users to a phishing replica Firefox Screenshots page; this CVE-2024-5689 is identified in MFSA2024-25 as part of the fixes for Firefox 127. The affected produ...
CVE-2024-7520
CVE-2024-7520 is a type confusion vulnerability in WebAssembly that could enable code execution. The available documents confirm impact on Mozilla Firefox (pre-129 and ESR pre-128.1) and Mozilla Thunderbird (pre-128.1). The underlying issue is a WebAssembly type confusion, with several advisories...
CVE-2024-9396
The CVE-2024-9396 issue is a memory safety concern arising from cloning certain objects via the structured clone algorithm, potentially causing memory corruption. Affected products include Firefox (versions earlier than 131), Firefox ESR (earlier than 128.3), Thunderbird (earlier than 128.3), and...
CVE-2020-6806
CVE-2020-6806 is a memory-safety bug causing an out-of-bounds read during promise resolution that could lead to memory corruption and a potentially exploitable crash. The vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox ESR < 68.6, and Firefox ESR
CVE-2024-11705
The CVE-2024-11705 issue is due to NSC_DeriveKey assuming phKey is non-NULL; passing NULL leads to a segmentation fault (crash). Affected products reported across sources include Firefox and Thunderbird prior to version 133. The vulnerability description and linked advisories indicate this NULL d...
CVE-2019-11698
CVE-2019-11698 concerns theft of browser history via drag-and-drop of crafted hyperlinks to bookmarks that are dragged into web content. Public documents confirm affected products and versions: Thunderbird < 60.7, Firefox < 67, and Firefox ESR
CVE-2024-11695
CVE-2024-11695 describes a spoofing vulnerability in Mozilla Firefox and Thunderbird where a crafted URL containing Arabic script and whitespace could hide the page’s true origin, enabling spoofing. Affected versions: Firefox < 133 and Firefox ESR < 128.5; Thunderbird < 133 and Thunderbird
CVE-2024-11700
The CVE-2024-11700 issue concerns Firefox and Thunderbird with versions earlier than 133, where tapjacking could let malicious sites synthesize user intent confirmations to launch external applications. This is described across multiple connected advisories (e.g., Gentoo GLSA references and Alpin...
CVE-2024-7521
CVE-2024-7521 is a Firefox/Thunderbird vulnerability caused by incomplete WebAssembly exception handling that could lead to a use-after-free and memory corruption. Affected: Firefox <129, ESR <115.14, ESR <128.1, Thunderbird <128.1, Thunderbird
CVE-2024-7522
Concrete details from connected documents show CVE-2024-7522: an editor component failed to check an attribute value, causing an out-of-bounds read. Affected products include Firefox (versions before 129) and Thunderbird (before 128.1/115.14 ESR). The issue is consistent with Mozilla advisories a...
CVE-2018-18501
CVE-2018-18501 corresponds to multiple memory-safety issues in Mozilla products, affecting Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox
CVE-2019-9811
CVE-2019-9811 corresponds to a sandbox-escape vulnerability demonstrated in a Pwn2Own entry. The issue affects Mozilla products: Firefox ESR before 60.8, Firefox before 68, and Thunderbird before 60.8, with a malicious language-pack installation used to compromise the translation feature to escap...
CVE-2024-10004
CVE-2024-10004 technical details are not publicly provided in the supplied documents. Monitor for updates.
CVE-2021-24002
CVE-2021-24002 is a vulnerability observed in Firefox before 88 and Thunderbird before 78.10 where clicking an FTP URL containing encoded newline characters (%0A, %0D) could cause the server to interpret newlines and execute arbitrary commands. Affected products include Firefox ESR < 78.10, Fi...
CVE-2024-7518
CVE-2024-7518 describes that select options could obscure the fullscreen notification dialog, enabling spoofing by a malicious site. Affected products and versions identified in connected docs include Mozilla Firefox (older builds: Firefox < 129 and Firefox ESR < 128.1) and Mozilla Thunderb...
CVE-2024-9394
CVE-2024-9394 describes a cross-origin information disclosure in Mozilla Firefox/Thunderbird via specially crafted multipart responses that can execute JavaScript under resource://devtools. Desktop Site Isolation limits cross-origin access, but Android versions may enable full cross-origin access...
CVE-2024-9398
CVE-2024-9398 affects Mozilla Firefox and Thunderbird: an attacker could enumerate external protocol handlers by exploiting a check of window.open results, effectively testing whether a protocol handler is installed. Affected: Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and ...
CVE-2025-1019
CVE-2025-1019 affects Firefox and Thunderbird where the z-order of fullscreen notifications can be manipulated to hide the notification, enabling a potential spoofing attack. Affected versions are Firefox and Thunderbird prior to 135. The underlying issue is the fullscreen notification display or...
CVE-2025-2857
Firefox on Windows was vulnerable to a sandbox-escape in the IPC code where a compromised child process could cause the parent to return an unintentionally powerful handle. This pattern mirrors the Chrome/CVE-2025-2783 lineage and was exploited in the wild. The issue affected Firefox on Windows o...
CVE-2019-11693
CVE-2019-11693 describes a Linux-specific buffer overflow in WebGL’s bufferdata, affecting Thunderbird and Firefox (Thunderbird <60.7, Firefox <67, ESR
CVE-2019-17005
The CVE-2019-17005 issue is a memory safety vulnerability in Mozilla’s plain text serializer where a fixed-size array for the number of elements could overflow, causing memory corruption and a potentially exploitable crash. Affected products include Thunderbird, Firefox ESR, and Firefox (all ver...
CVE-2021-23960
CVE-2021-23960 is corroborated by connected documents: a memory-safety issue in Firefox/Thunderbird where garbage collection on re-declared JavaScript variables can cause a use-after-poison and potentially crash the process. Affected versions are Firefox < 85, Thunderbird < 78.7, and Firefo...
CVE-2024-10462
CVE-2024-10462 describes a truncation of long URLs that could allow origin spoofing in a permission prompt for Mozilla Firefox and Thunderbird. The connected documents confirm affected products and versions: Firefox and Firefox ESR up to certain releases (Firefox < 132; ESR < 128.4), Thunde...
CVE-2024-11708
The CVE-2024-11708 entry concerns Firefox and Thunderbird: a missing thread synchronization primitive could cause a data race in the PlaybackParams structure, affecting Firefox < 133 and Thunderbird
CVE-2024-8386
CVE-2024-8386 : A spoofing vulnerability where, if a site has permission to open popup windows, Select elements can appear on top of another site. Affected: Firefox versions before 130, Firefox ESR before 128.2, and Thunderbird before 128.2. Impact is described in external advisories; no exploita...
CVE-2024-8388
CVE-2024-8388 affects Mozilla Firefox for Android. A masked/overlapped notification sequence (Android Toast) used to announce fullscreen transition after the CVE-2023-6870 fix can be leveraged to spoof the browser UI. Root cause: prompts/panels from Firefox and Android OS obscuring the transition...
CVE-2025-0246
CVE-2025-0246 describes a vulnerability where an invalid protocol scheme could allow spoofing of the address bar. The most concrete detail across sources is that this issue affected Firefox on Android and Firefox versions earlier than 134; the Android-specific note is repeated in multiple entries...
CVE-2020-12406
CVE-2020-12406 involves a missing type check during unboxed objects removal in Mozilla code, leading to a crash that could be exploited to run arbitrary code. Affected products/versions from the provided documents include Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR
CVE-2021-4140
CVE-2021-4140 is a vulnerability where crafted XSLT markup could bypass the iframe sandbox, affecting Mozilla Firefox/Thunderbird products. Connected advisories consistently describe an iframe sandbox bypass with XSLT as the issue (CVE-2021-4140) and document affected versions such as Firefox ESR...
CVE-2018-18492
CVE-2018-18492 is a use-after-free in the Firefox/ Thunderbird codebase: after deleting a selection element, a weak reference in the options collection can lead to a potentially exploitable crash. Affected products include Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox
CVE-2019-11764
CVE-2019-11764 refers to memory safety bugs in Mozilla Firefox (including ESR) and Thunderbird. The issues show evidence of memory corruption and, with sufficient effort, could be exploited to run arbitrary code. Affected products/versions (as stated): Firefox versions before 70, Thunderbird befo...
CVE-2020-6807
CVE-2020-6807 describes a use-after-free in Thunderbird involving stream-reinit when a device/stream is modified as it is being destroyed. Affected products include Thunderbird
CVE-2023-23602
CVE-2023-23602 describes a mishandled security check when creating a WebSocket in a WebWorker, causing the Content Security Policy connect-src header to be ignored. Affected products in the provided sources include Firefox (versions before 109), Firefox ESR (before 102.7), and Thunderbird (before...
CVE-2024-7529
CVE-2024-7529: The date picker can partially obscure security prompts in Mozilla Firefox and Thunderbird up to specific versions (Firefox < 129, ESR < 115.14/128.1; Thunderbird
CVE-2020-26976
The CVE-2020-26976 entry describes a vulnerability in Firefox where, if a HTTPS page is embedded in HTTP and a service worker exists for the secure page, the service worker could intercept the secure page request despite the iframe not being in a secure context. Affected product: Firefox (version...
CVE-2021-38507
CVE-2021-38507 describes a vulnerability in HTTP/2 Opportunistic Encryption (RFC 8164) where, if a second encrypted port on the same IP (e.g., 8443) did not opt in, a network attacker could forward 443 to 8443 and trick the browser into treating the content as same-origin with HTTP. The issue was...
CVE-2023-4579
CVE-2023-4579 affects Mozilla Firefox when the default search engine may render a well-formed URL from a query as the navigated URL, enabling potential spoofing. Connected advisories confirm the issue targets Firefox versions prior to 117 and involve the default search engine handling, across mul...
CVE-2024-7524
CVE-2024-7524 affects Mozilla Firefox and Firefox ESR prior to 129/115.14-128.1. The issue arises when Firefox’s web-compatibility shims, used for blocked tracking scripts by Enhanced Tracking Protection, are injected on a site protected by CSP in strict-dynamic mode. An attacker who can inject a...
CVE-2019-17012
Mozilla reported memory safety bugs in Firefox 70 and Firefox ESR 68.2, with potential to exploit for arbitrary code. Affected: Thunderbird < 68.3, Firefox ESR < 68.3, Firefox
CVE-2019-11762
The CVE-2019-11762 issue is a cross-origin origin isolation bug where two same-origin documents setting document.domain differently could allow calling arbitrary DOM methods/getters/setters on the now-cross-origin window. Affected products include Firefox (<70) and Firefox ESR (<68.2), and ...
CVE-2019-9817
CVE-2019-9817 describes cross-origin image access via canvas that can leak image data across domains. Publicly reported impact affects Mozilla products including Thunderbird and Firefox (non-ESR and ESR lines) prior to version thresholds: Thunderbird <60.7, Firefox <67, ESR
CVE-2020-26959
CVE-2020-26959 is a use-after-free in the WebRequestService during browser shutdown, potentially enabling memory corruption and a crash in Firefox/Thunderbird prior to the fixed versions. Connected advisories confirm this affects Firefox <83, Firefox ESR <78.5, and Thunderbird
CVE-2024-11697
The CVE-2024-11697 entry concerns Mozilla Firefox and Thunderbird and involves improper handling of keypresses in the Executable File Confirmation dialog. Affected versions are Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird
CVE-2020-12388
CVE-2020-12388 concerns Firefox on Windows where the content-process sandbox was not sufficiently lockdown, enabling a sandbox escape. Public writeups describe this as a sandbox-escape chain that abuses the Windows token/ACL handling of the content process to break out of the sandbox; the issue a...
CVE-2020-26956
CVE-2020-26956 is an XSS issue caused by removing HTML elements during sanitization, which could leave SVG event handlers active. Affected: Firefox <83, Firefox ESR <78.5, Thunderbird