Lucene search

K
MozillaThunderbird

1553 matches found

CVE
CVE
added 2025/05/27 1:15 p.m.49 views

CVE-2025-5265

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.This bug only affects Firefox for Windows. Other versions of Firefox are unaffected. This v...

4.8CVSS5.3AI score0.00017EPSS
CVE
CVE
added 2005/07/17 4:0 a.m.48 views

CVE-2004-2226

Mozilla Mail 1.7.1 and 1.7.3, and Thunderbird before 0.9, when HTML-Mails is enabled, allows remote attackers to determine valid e-mail addresses via an HTML e-mail that references a Cascading Style Sheets (CSS) document on the attacker's server.

5CVSS6.9AI score0.00404EPSS
CVE
CVE
added 2011/11/09 11:55 a.m.48 views

CVE-2011-3652

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.

10CVSS9.8AI score0.05919EPSS
CVE
CVE
added 2011/12/21 4:2 a.m.48 views

CVE-2011-3660

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trig...

10CVSS9.8AI score0.03749EPSS
CVE
CVE
added 2025/04/01 1:15 p.m.48 views

CVE-2025-3032

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks. This vulnerability affects Firefox < 137 and Thunderbird < 137.

7.4CVSS6.7AI score0.00043EPSS
CVE
CVE
added 2025/05/14 5:15 p.m.48 views

CVE-2025-3875

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats [email protected] as the actual address. This vulnerability affects Th...

7.5CVSS6.5AI score0.00047EPSS
CVE
CVE
added 2004/12/31 5:0 a.m.47 views

CVE-2004-0907

The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8, create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code.

4.6CVSS6.9AI score0.00077EPSS
CVE
CVE
added 2005/05/02 4:0 a.m.47 views

CVE-2005-0148

Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the inv...

5CVSS7.1AI score0.00488EPSS
CVE
CVE
added 2025/03/10 7:15 p.m.47 views

CVE-2025-26696

Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8.

7CVSS7AI score0.00129EPSS
CVE
CVE
added 2006/08/30 1:0 a.m.46 views

CVE-2005-4809

Mozilla Firefox 1.0.1 and possibly other versions, including Mozilla and Thunderbird, allows remote attackers to spoof the URL in the Status Bar via an A HREF tag that contains a TABLE tag that contains another A tag.

5CVSS6.6AI score0.10377EPSS
CVE
CVE
added 2011/11/09 11:55 a.m.46 views

CVE-2011-3653

Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do not properly interact with the GPU memory behavior of a certain driver for Intel integrated GPUs, which allows remote attackers to bypass the Same Origin Policy and read image data via vectors related to WebGL textures.

5CVSS8.9AI score0.00234EPSS
CVE
CVE
added 2025/04/29 2:15 p.m.46 views

CVE-2025-4085

An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability affects Firefox < 138 and Thunderbird < 138.

7.1CVSS5.5AI score0.00042EPSS
CVE
CVE
added 2025/04/29 2:15 p.m.46 views

CVE-2025-4086

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog.This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected. This vulnerability affects Firefox < 138 and ...

6.5CVSS6.2AI score0.00045EPSS
CVE
CVE
added 2025/04/29 2:15 p.m.46 views

CVE-2025-4089

Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138.

5.1CVSS4.8AI score0.00027EPSS
CVE
CVE
added 2025/04/29 2:15 p.m.46 views

CVE-2025-4090

A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.

6.5CVSS5.4AI score0.00043EPSS
CVE
CVE
added 2025/05/27 1:15 p.m.46 views

CVE-2025-5270

In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.

7.5CVSS4.7AI score0.00018EPSS
CVE
CVE
added 2025/05/27 1:15 p.m.46 views

CVE-2025-5272

Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139 and Thunderbird < 139.

7.3CVSS7.1AI score0.00056EPSS
CVE
CVE
added 2011/12/07 7:55 p.m.45 views

CVE-2002-2437

The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web...

5CVSS6.1AI score0.00294EPSS
CVE
CVE
added 2011/12/21 4:2 a.m.45 views

CVE-2011-3664

Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other...

6.8CVSS7.2AI score0.01153EPSS
CVE
CVE
added 2012/06/05 11:55 p.m.45 views

CVE-2012-1943

Untrusted search path vulnerability in Updater.exe in the Windows Updater Service in Mozilla Firefox 12.0, Thunderbird 12.0, and SeaMonkey 2.9 on Windows allows local users to gain privileges via a Trojan horse wsock32.dll file in an application directory.

6.9CVSS6.2AI score0.00053EPSS
CVE
CVE
added 2005/11/01 12:47 p.m.44 views

CVE-2005-3402

The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly other versions, does not notify users when it cannot establish a secure channel with the server, which allows remote attackers to obtain authentication information without detection via a man-in-the-middle (MITM) attack that byp...

2.6CVSS6.5AI score0.00286EPSS
CVE
CVE
added 2006/02/22 2:2 a.m.44 views

CVE-2006-0836

Mozilla Thunderbird 1.5 allows user-assisted attackers to cause an unspecified denial of service by tricking the user into importing an LDIF file with a long field into the address book, as demonstrated by a long homePhone field.

2.6CVSS6.5AI score0.04489EPSS
CVE
CVE
added 2008/12/13 8:40 a.m.44 views

CVE-2008-5430

Mozilla Thunderbird 2.0.14 does not properly handle (1) multipart/mixed e-mail messages with many MIME parts and possibly (2) e-mail messages with many "Content-type: message/rfc822;" headers, which might allow remote attackers to cause a denial of service (stack consumption or other resource consu...

4.3CVSS7.5AI score0.21456EPSS
CVE
CVE
added 2010/03/23 12:53 a.m.44 views

CVE-2010-0161

The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service (heap memory corruption and application...

4.3CVSS7.2AI score0.01503EPSS
CVE
CVE
added 2010/01/29 6:30 p.m.40 views

CVE-2009-4629

Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as dem...

5CVSS6.6AI score0.0025EPSS
CVE
CVE
added 2025/05/27 1:15 p.m.39 views

CVE-2025-5271

Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.

6.5CVSS4.8AI score0.00055EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.36 views

CVE-2025-6436

Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140 and Thunderbird < 140.

8.1CVSS6.7AI score0.00077EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.31 views

CVE-2025-6424

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

9.8CVSS5.5AI score0.00092EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.23 views

CVE-2025-6430

When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ES...

6.1CVSS4.8AI score0.00064EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.22 views

CVE-2025-6426

The executable file warning did not warn users before opening files with the terminal extension.This bug only affects Firefox for macOS. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

8.8CVSS5.3AI score0.0002EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.20 views

CVE-2025-6429

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR...

6.5CVSS5.3AI score0.00062EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.20 views

CVE-2025-6435

If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the .download file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thund...

8.1CVSS5.4AI score0.00061EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.19 views

CVE-2025-6425

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR...

4.3CVSS5.1AI score0.00064EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.18 views

CVE-2025-6427

An attacker was able to bypass the connect-src directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140 and Thunderbird < 140.

9.1CVSS5.3AI score0.00052EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.18 views

CVE-2025-6433

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vul...

9.8CVSS5.2AI score0.00031EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.17 views

CVE-2025-6432

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140 and Thunderbird < 140.

8.6CVSS5.3AI score0.00055EPSS
CVE
CVE
added 2025/06/24 1:15 p.m.17 views

CVE-2025-6434

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird &lt...

4.3CVSS5.3AI score0.0003EPSS
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8027

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbir...

6.3AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8028

On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < ...

6.3AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8029

Thunderbird executed javascript: URLs when used in object and embed tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

6.4AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8030

Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

6.3AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8031

The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird <...

6.5AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8032

XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

6.3AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8033

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and T...

6.2AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8034

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been explo...

7.5AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8035

Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrar...

7.5AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8036

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

6.4AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8037

Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140...

6.4AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8038

Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

6.4AI score
CVE
CVE
added 15 minutes ago0 views

CVE-2025-8039

In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

6.4AI score
Total number of security vulnerabilities1553