Lucene search

K
MozillaFirefox

50 matches found

CVE
CVE
added 2024/03/19 12:15 p.m.3977 views

CVE-2024-2616

To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9.

2.7CVSS6.9AI score0.00064EPSS
CVE
CVE
added 2012/09/15 6:55 p.m.427 views

CVE-2012-4929

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences...

2.6CVSS4.9AI score0.13867EPSS
CVE
CVE
added 2005/01/29 5:0 a.m.259 views

CVE-2005-0145

Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.

2.6CVSS6.4AI score0.01029EPSS
CVE
CVE
added 2012/09/15 6:55 p.m.161 views

CVE-2012-4930

The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing lengt...

2.6CVSS8.9AI score0.00236EPSS
CVE
CVE
added 2020/04/24 4:15 p.m.159 views

CVE-2020-6824

Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords...

2.8CVSS5.6AI score0.00127EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.138 views

CVE-2005-0402

Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page.

2.6CVSS6.7AI score0.01444EPSS
CVE
CVE
added 2006/09/15 6:7 p.m.83 views

CVE-2006-4567

Mozilla Firefox before 1.5.0.7 and Thunderbird before 1.5.0.7 makes it easy for users to accept self-signed certificates for the auto-update mechanism, which might allow remote user-assisted attackers to use DNS spoofing to trick users into visiting a malicious site and accepting a malicious certif...

2.6CVSS6.4AI score0.01859EPSS
CVE
CVE
added 2006/04/14 10:2 a.m.77 views

CVE-2006-1736

Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to trick users into downloading and saving an executable file via an image that is overlaid by a transparent image link that points to the executable, which causes th...

2.6CVSS6AI score0.01623EPSS
CVE
CVE
added 2006/06/02 8:2 p.m.77 views

CVE-2006-2786

HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces...

2.6CVSS6.2AI score0.02439EPSS
CVE
CVE
added 2008/07/17 1:41 p.m.73 views

CVE-2008-2933

Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome:i URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely han...

2.6CVSS8.8AI score0.52924EPSS
CVE
CVE
added 2008/12/17 11:30 p.m.73 views

CVE-2008-5503

The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL b...

2.6CVSS9.6AI score0.00842EPSS
CVE
CVE
added 2005/06/14 4:0 a.m.70 views

CVE-2005-1937

A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004...

2.6CVSS6.5AI score0.0191EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.68 views

CVE-2005-0586

Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content.

2.6CVSS6.2AI score0.00689EPSS
CVE
CVE
added 2005/07/13 4:0 a.m.68 views

CVE-2005-2268

Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."

2.6CVSS6.2AI score0.02156EPSS
CVE
CVE
added 2012/02/01 4:55 p.m.66 views

CVE-2012-0450

Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations.

2.1CVSS8.5AI score0.00058EPSS
CVE
CVE
added 2006/04/14 10:2 a.m.65 views

CVE-2006-1740

Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to spoof secure site indicators such as the locked icon by opening the trusted site in a popup window, then changing the location to a malicious site.

2.6CVSS5.9AI score0.0219EPSS
CVE
CVE
added 2006/07/29 12:4 a.m.65 views

CVE-2006-3812

Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allows remote attackers to reference remote files and possibly load chrome: URLs by tricking the user into copying or dragging links.

2.6CVSS6.2AI score0.13369EPSS
CVE
CVE
added 2009/02/04 7:30 p.m.64 views

CVE-2009-0354

Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval...

2.6CVSS8.4AI score0.00582EPSS
CVE
CVE
added 2005/03/04 5:0 a.m.63 views

CVE-2005-0593

Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshak...

2.6CVSS6.2AI score0.01252EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.62 views

CVE-2005-0591

Firefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing."

2.6CVSS6.2AI score0.02392EPSS
CVE
CVE
added 2010/07/30 8:30 p.m.62 views

CVE-2010-2751

The nsDocShell::OnRedirectStateChange function in docshell/base/nsDocShell.cpp in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to spoof the SSL security status of a document via vectors involving multiple requests, a redirect, and t...

2.6CVSS8.9AI score0.00254EPSS
CVE
CVE
added 2012/06/05 11:55 p.m.62 views

CVE-2012-1945

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME ele...

2.9CVSS8.4AI score0.00192EPSS
CVE
CVE
added 2015/02/25 11:59 a.m.62 views

CVE-2015-0820

Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web sit...

2.6CVSS9.1AI score0.00305EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.61 views

CVE-2005-0232

Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka "Fireflashing."

2.6CVSS6.2AI score0.01324EPSS
CVE
CVE
added 2006/09/15 7:7 p.m.60 views

CVE-2006-4569

The popup blocker in Mozilla Firefox before 1.5.0.7 opens the "blocked popups" display in the context of the Location bar instead of the subframe from which the popup originated, which might make it easier for remote user-assisted attackers to conduct cross-site scripting (XSS) attacks.

2.6CVSS5.3AI score0.02107EPSS
CVE
CVE
added 2005/03/23 5:0 a.m.59 views

CVE-2005-0143

Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.

2.6CVSS6.2AI score0.00774EPSS
CVE
CVE
added 2005/02/08 5:0 a.m.59 views

CVE-2005-0231

Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."

2.6CVSS6.3AI score0.02663EPSS
CVE
CVE
added 2014/03/19 10:55 a.m.59 views

CVE-2014-1504

The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart...

2.6CVSS8.1AI score0.00606EPSS
CVE
CVE
added 2015/05/14 10:59 a.m.58 views

CVE-2015-2714

Mozilla Firefox before 38.0 on Android does not properly restrict writing URL data to the Android logging system, which allows attackers to obtain sensitive information via a crafted application that has a required permission for reading a log, as demonstrated by the READ_LOGS permission for the mi...

2.1CVSS8.4AI score0.00101EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.57 views

CVE-2005-0578

Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.

2.1CVSS6.2AI score0.00074EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.56 views

CVE-2005-0141

Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.

2.6CVSS6.2AI score0.00749EPSS
CVE
CVE
added 2005/08/17 4:0 a.m.55 views

CVE-2005-2602

Mozilla Thunderbird 1.0 and Firefox 1.0.6 allows remote attackers to obfuscate URIs via a long URI, which causes the address bar to go blank and could facilitate phishing attacks.

2.6CVSS6.5AI score0.00448EPSS
CVE
CVE
added 2011/11/09 11:55 a.m.55 views

CVE-2011-3649

Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: ...

2.6CVSS9.2AI score0.00379EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.54 views

CVE-2005-0142

Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as ...

2.1CVSS6.1AI score0.00059EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.54 views

CVE-2005-0584

Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks.

2.6CVSS6.2AI score0.00575EPSS
CVE
CVE
added 2005/03/25 5:0 a.m.54 views

CVE-2005-0585

Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.

2.6CVSS6.2AI score0.01346EPSS
CVE
CVE
added 2012/04/25 10:10 a.m.54 views

CVE-2012-0475

Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involv...

2.6CVSS9AI score0.00289EPSS
CVE
CVE
added 2014/12/11 11:59 a.m.52 views

CVE-2014-1595

Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by cre...

2.1CVSS2.8AI score0.00085EPSS
CVE
CVE
added 2015/09/24 4:59 a.m.52 views

CVE-2015-4508

Mozilla Firefox before 41.0, when reader mode is enabled, allows remote attackers to spoof the relationship between address-bar URLs and web content via a crafted web site.

2.6CVSS6.2AI score0.00581EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.51 views

CVE-2005-0144

Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.

2.6CVSS6.2AI score0.00637EPSS
CVE
CVE
added 2006/04/14 10:2 a.m.50 views

CVE-2006-1725

Mozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes certain windows to become translucent due to an interaction between XUL content windows and the history mechanism, which might allow user-assisted remote attackers to trick users into executing arbitrary code.

2.6CVSS6.3AI score0.02534EPSS
CVE
CVE
added 2009/01/08 7:30 p.m.50 views

CVE-2009-0071

Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a certain (a) replaceChild or (b) removeChild call, followed by a (1) queryCommandValue, (2) queryCommandState, or ...

2.6CVSS8.9AI score0.07151EPSS
CVE
CVE
added 2005/09/28 6:3 p.m.49 views

CVE-2005-3089

Firefox 1.0.6 allows attackers to cause a denial of service (crash) via a Proxy Auto-Config (PAC) script that uses an eval statement. NOTE: it is not clear whether an untrusted party has any role in triggering this issue, so it might not be a vulnerability.

2.6CVSS6AI score0.00719EPSS
CVE
CVE
added 2006/05/12 12:2 a.m.49 views

CVE-2006-2332

Mozilla Firefox 1.5.0.3 allows remote attackers to cause a denial of service via a web page with a large number of IMG elements in which the SRC attribute is a mailto URI. NOTE: another researcher found that the web page caused a temporary browser slowdown instead of a crash.

2.6CVSS6.5AI score0.00804EPSS
CVE
CVE
added 2006/07/21 2:3 p.m.45 views

CVE-2006-3731

Mozilla Firefox 1.5.0.4 and earlier allows remote user-assisted attackers to cause a denial of service (crash) via a form with a multipart/form-data encoding and a user-uploaded file. NOTE: a third party has claimed that this issue might be related to the LiveHTTPHeaders extension.

2.6CVSS6.5AI score0.0063EPSS
CVE
CVE
added 2005/05/14 4:0 a.m.43 views

CVE-2005-1576

The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows uses the Content-Type HTTP header to determine the file type, but saves the original file extension when "Save to Disk" is selected, which allows remote attackers to hide the real file types of downloaded files.

2.6CVSS7.1AI score0.00486EPSS
CVE
CVE
added 2013/09/18 10:8 a.m.43 views

CVE-2013-1729

The WebGL implementation in Mozilla Firefox before 24.0, when NVIDIA graphics drivers are used on Mac OS X, allows remote attackers to obtain desktop-screenshot data by reading from a CANVAS element.

2.6CVSS6.3AI score0.00426EPSS
CVE
CVE
added 2005/02/26 5:0 a.m.42 views

CVE-2004-1753

The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs.

2.6CVSS6.5AI score0.00868EPSS
CVE
CVE
added 2006/05/22 11:10 p.m.41 views

CVE-2006-2538

IE Tab 1.0.9 plugin for Mozilla Firefox 1.5.0.3 allows remote user-assisted attackers to cause a denial of service (application crash), possibly due to a null dereference, via certain Javascript, as demonstrated using a url parameter to the content/reloaded.html page in a chrome:// URI. Some third-...

2.6CVSS6.8AI score0.00739EPSS
CVE
CVE
added 2007/10/12 9:17 p.m.41 views

CVE-2007-5414

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0, when UTF-7 document content is rendered directly in UTF-7, allows remote attackers to inject arbitrary web script or HTML via a gopher URI that uses single quote characters to delimit a literal string within an XSS sequence, a ...

2.6CVSS5.2AI score0.00254EPSS