Lucene search

K
MozillaFirefox

364 matches found

CVE
CVE
added 2014/02/06 5:44 a.m.12369 views

CVE-2014-1491

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote...

4.3CVSS8.4AI score0.00607EPSS
CVE
CVE
added 2024/02/22 3:15 p.m.6503 views

CVE-2024-26281

Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123.

4.7CVSS6.2AI score0.0027EPSS
CVE
CVE
added 2024/02/20 2:15 p.m.6425 views

CVE-2024-1548

A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

4.3CVSS7.2AI score0.00357EPSS
CVE
CVE
added 2021/01/08 7:15 p.m.1269 views

CVE-2020-16012

Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3CVSS5.5AI score0.03181EPSS
CVE
CVE
added 2019/04/26 5:29 p.m.1160 views

CVE-2018-18511

Cross-origin images can be read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap method. Note: This only affects Firefox 65. Previous versions are unaffected. . This vulnerability affects Firefox < 65.0.1.

4.3CVSS5.5AI score0.00883EPSS
CVE
CVE
added 2015/05/21 12:59 a.m.1130 views

CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then ...

4.3CVSS4.8AI score0.94027EPSS
CVE
CVE
added 2024/04/16 4:15 p.m.998 views

CVE-2024-3861

If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

4CVSS5.7AI score0.00098EPSS
CVE
CVE
added 2020/07/09 3:15 p.m.663 views

CVE-2020-12402

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret...

4.4CVSS5.8AI score0.00025EPSS
CVE
CVE
added 2011/09/06 7:55 p.m.608 views

CVE-2011-3389

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP...

4.3CVSS6.5AI score0.05563EPSS
CVE
CVE
added 2022/12/22 8:15 p.m.488 views

CVE-2022-26383

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

4.3CVSS6AI score0.00247EPSS
CVE
CVE
added 2022/12/22 8:15 p.m.456 views

CVE-2022-22743

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

4.3CVSS6AI score0.00112EPSS
CVE
CVE
added 2022/12/22 8:15 p.m.371 views

CVE-2022-26382

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.

4.3CVSS5.4AI score0.00182EPSS
CVE
CVE
added 2022/12/22 8:15 p.m.370 views

CVE-2022-29915

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.

4.3CVSS5.6AI score0.00121EPSS
CVE
CVE
added 2020/07/09 3:15 p.m.360 views

CVE-2020-12399

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

4.4CVSS5.9AI score0.0008EPSS
CVE
CVE
added 2021/02/26 2:15 a.m.298 views

CVE-2021-23968

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86...

4.3CVSS5.4AI score0.01004EPSS
CVE
CVE
added 2016/01/31 6:59 p.m.292 views

CVE-2016-1947

Mozilla Firefox 43.x mishandles attempts to connect to the Application Reputation service, which makes it easier for remote attackers to trigger an unintended download by leveraging the absence of reputation data.

4.7CVSS6.6AI score0.00597EPSS
CVE
CVE
added 2020/10/08 2:15 p.m.280 views

CVE-2020-12401

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

4.7CVSS5.6AI score0.00066EPSS
CVE
CVE
added 2021/02/26 2:15 a.m.277 views

CVE-2021-23969

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Und...

4.3CVSS5.6AI score0.01163EPSS
CVE
CVE
added 2023/06/02 5:15 p.m.276 views

CVE-2023-32205

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

4.3CVSS5.8AI score0.00143EPSS
CVE
CVE
added 2020/03/02 5:15 a.m.259 views

CVE-2020-6797

By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note...

4.3CVSS5.5AI score0.0102EPSS
CVE
CVE
added 2019/09/27 6:15 p.m.255 views

CVE-2019-11743

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through...

4.3CVSS5.9AI score0.00989EPSS
CVE
CVE
added 2021/02/26 3:15 a.m.252 views

CVE-2021-23953

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

4.3CVSS5.5AI score0.00382EPSS
CVE
CVE
added 2024/05/14 6:15 p.m.252 views

CVE-2024-4767

If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

4.3CVSS5.7AI score0.0038EPSS
CVE
CVE
added 2020/10/08 2:15 p.m.240 views

CVE-2020-12400

When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

4.7CVSS5.7AI score0.00061EPSS
CVE
CVE
added 2024/07/09 3:15 p.m.238 views

CVE-2024-6601

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

4.7CVSS7.5AI score0.00265EPSS
CVE
CVE
added 2024/06/11 1:15 p.m.226 views

CVE-2024-5691

By tricking the browser with a X-Frame-Options header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

4.7CVSS5.2AI score0.00148EPSS
CVE
CVE
added 2025/01/07 4:15 p.m.224 views

CVE-2025-0239

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

4CVSS4.8AI score0.0003EPSS
CVE
CVE
added 2024/06/11 1:15 p.m.221 views

CVE-2024-5690

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

4.3CVSS5.3AI score0.03218EPSS
CVE
CVE
added 2021/01/07 2:15 p.m.219 views

CVE-2020-35111

When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability af...

4.3CVSS5.6AI score0.00455EPSS
CVE
CVE
added 2025/01/07 4:15 p.m.219 views

CVE-2025-0240

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

4CVSS5.5AI score0.00047EPSS
CVE
CVE
added 2024/07/09 3:15 p.m.218 views

CVE-2024-6614

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128 and Thunderbird < 128.

4.3CVSS8.6AI score0.00067EPSS
CVE
CVE
added 2024/06/11 1:15 p.m.217 views

CVE-2024-5689

In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox < 127.

4.3CVSS6.2AI score0.00776EPSS
CVE
CVE
added 2021/12/08 10:15 p.m.214 views

CVE-2021-38508

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox <...

4.3CVSS6.1AI score0.00384EPSS
CVE
CVE
added 2024/07/09 3:15 p.m.213 views

CVE-2024-6608

It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128.

4.3CVSS8.6AI score0.00141EPSS
CVE
CVE
added 2020/12/09 1:15 a.m.211 views

CVE-2020-26953

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

4.3CVSS5.7AI score0.00283EPSS
CVE
CVE
added 2024/06/13 8:15 p.m.211 views

CVE-2024-38313

In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address This vulnerability affects Firefox for iOS < 127.

4.3CVSS6.3AI score0.00331EPSS
CVE
CVE
added 2025/02/04 2:15 p.m.210 views

CVE-2025-1019

The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.

4.3CVSS6.1AI score0.00059EPSS
CVE
CVE
added 2021/12/08 10:15 p.m.207 views

CVE-2021-43546

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

4.3CVSS6.1AI score0.00204EPSS
CVE
CVE
added 2024/11/26 2:15 p.m.204 views

CVE-2024-11692

An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

4.3CVSS6AI score0.00118EPSS
CVE
CVE
added 2021/12/08 10:15 p.m.202 views

CVE-2021-43538

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and F...

4.3CVSS6.4AI score0.00195EPSS
CVE
CVE
added 2024/11/26 2:15 p.m.198 views

CVE-2024-11701

The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133 and Thunderbird < 133.

4.3CVSS6.2AI score0.00063EPSS
CVE
CVE
added 2021/12/08 10:15 p.m.195 views

CVE-2021-38506

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

4.3CVSS6AI score0.00207EPSS
CVE
CVE
added 2019/07/23 2:15 p.m.193 views

CVE-2019-11728

The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects Firefox < 68.

4.7CVSS5.8AI score0.00452EPSS
CVE
CVE
added 2021/12/08 10:15 p.m.193 views

CVE-2021-38509

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 9...

4.3CVSS6.1AI score0.00477EPSS
CVE
CVE
added 2023/10/25 6:17 p.m.193 views

CVE-2023-5721

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

4.3CVSS6AI score0.0027EPSS
CVE
CVE
added 2023/09/11 9:15 a.m.187 views

CVE-2023-4581

Excel .xll add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunde...

4.3CVSS5.5AI score0.00169EPSS
CVE
CVE
added 2019/09/27 6:15 p.m.186 views

CVE-2019-11749

A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users. This vulner...

4.3CVSS5.6AI score0.00369EPSS
CVE
CVE
added 2011/09/29 12:55 a.m.163 views

CVE-2011-3000

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attac...

4.3CVSS9.2AI score0.01301EPSS
CVE
CVE
added 2023/10/25 6:17 p.m.154 views

CVE-2023-5725

A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

4.3CVSS6AI score0.00267EPSS
CVE
CVE
added 2022/12/22 8:15 p.m.152 views

CVE-2022-34472

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

4.3CVSS6.3AI score0.00141EPSS
Total number of security vulnerabilities364