1214 matches found
CVE-2021-23982
CVE-2021-23982 is a concrete WebRTC-based information-disclosure vulnerability affecting Mozilla products. The connected documents confirm that a malicious webpage could probe an internal network’s hosts and services running on the user’s machine via WebRTC. Affected products/versions: Firefox ES...
CVE-2022-34478
Summary: CVE-2022-34478 affects Thunderbird on Windows, where the ms-msdt, search, and search-ms protocols could deliver content to Microsoft apps via prompts opened by user interaction. The underlying risk is exploitation of a prompt-based handling in these protocols that bypasses the browser. T...
CVE-2024-10458
CVE-2024-10458 describes a permission leak from a trusted site to an untrusted site via embed/object in Firefox and Thunderbird. Affected products and ranges shown in the connected documents include Firefox and Thunderbird before 132 (and ESR before 128.4/115.17 for Firefox, and Thunderbird befor...
CVE-2024-5691
The CVE-2024-5691 entry describes a vulnerability where an attacker could trick a sandboxed iframe using an X-Frame-Options header to present a button that, if clicked, bypasses sandbox restrictions and opens a new window. Affected products (per the provided documents) include Mozilla Firefox and...
CVE-2019-9813
CVE-2019-9813 describes an IonMonkey JIT type confusion caused by incorrect handling of proto mutations, enabling potential arbitrary memory read/write. Affected products include Firefox prior to 66.0.1, Firefox ESR prior to 60.6.1, and Thunderbird prior to 60.6.1. The underlying issue is a type-...
CVE-2021-29976
CVE-2021-29976 is a memory-safety issue affecting Mozilla code shared by Firefox and Thunderbird. The advisory details indicate memory-safety bugs that could be exploited to run arbitrary code, impacting Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox
CVE-2025-1012
CVE-2025-1012 describes a race during concurrent delazification that can cause a use-after-free in Firefox and Thunderbird. Affected products include Firefox <135, Firefox ESR <115.20, Firefox ESR <128.7, Thunderbird <128.7, and Thunderbird
CVE-2019-9800
CVE-2019-9800 is supported by multiple connected advisories indicating memory safety bugs in Mozilla products (Thunderbird 60.x, Firefox ESR 60.x, Firefox 66–67 range) that could allow arbitrary code execution. The root cause is memory safety issues leading to memory corruption; affected versions...
CVE-2020-15683
CVE-2020-15683 : Mozilla Firefox and Thunderbird memory-safety issues reported affecting Firefox ESR < 78.4, Firefox < 82, and Thunderbird
CVE-2021-23981
CVE-2021-23981 describes a memory-safety issue in WebGL where uploading a Texture into a Pixel Buffer Object could confuse WebGL and skip binding the buffer used to unpack it, leading to an out-of-bounds read and potential information leak or crash. Affected software includes Firefox ESR < 78....
CVE-2021-23984
The CVE-2021-23984 entry describes a vulnerability in which a malicious extension could open a popup window without an address bar, allowing spoofing of a site and credential theft. Affected products include Firefox ESR < 78.9, Firefox < 87, and Thunderbird
CVE-2023-6209
CVE-2023-6209 corresponds to a parsing vulnerability where relative URLs starting with three slashes and a "/../" path could override the specified host, potentially enabling security issues on affected sites. The issue is documented for Firefox and Thunderbird, with affected versions cited as Fi...
CVE-2024-10459
CVE-2024-10459 is a use-after-free vulnerability triggered when accessibility features are enabled, potentially causing a crash. The issue affects Firefox versions earlier than 132, Firefox ESR prior to 128.4 and 115.17, and Thunderbird versions earlier than 132 or 128.4, as noted across multiple...
CVE-2024-5690
Vulnerability CVE-2024-5690 affects Mozilla Firefox and Thunderbird components via a timing-attack on external protocol handler detection. Affected products explicitly include Firefox < 127, Firefox ESR < 115.12, and Thunderbird
CVE-2024-6603
The CVE-2024-6603 entry describes an out-of-memory scenario where an allocation can fail but the pointer is free’d afterward, leading to memory corruption. Affected software: Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird
CVE-2024-9401
CVE-2024-9401 affects Firefox and Thunderbird memory-safety bugs (memory corruption) in Firefox 130, ESR 115.15, ESR 128.2, and Thunderbird 128.2; vulnerable ranges extend to Firefox < 131, ESR < 128.3, ESR < 115.16, Thunderbird < 128.3, and Thunderbird
CVE-2019-11743
CVE-2019-11743 describes cross-origin access to unload event attributes, enabling timing-side-channel exposure of history in certain browsers. Connected docs confirm affected products and versions, with fixes noted in Thunderbird updates (e.g., Thunderbird 60.9.0) and Firefox/ESR advisories addre...
CVE-2020-6797
CVE-2020-6797 describes a macOS-specific issue where downloading a file with the .fileloc extension could cause a semi-privileged extension to launch an arbitrary application on the user’s Mac. The attacker is constrained by the ability to download only quarantined files and cannot pass command-l...
CVE-2021-29984
CVE-2021-29984 involves instruction reordering that allowed a GC-related object misevaluation, causing memory corruption and potentially exploitable crashes in Mozilla components. Affected products include Thunderbird and Firefox ESR/Firefox releases prior to 78.13/91; the exploit would require m...
CVE-2024-11698
CVE-2024-11698 is a macOS-specific fullscreen lock-up in Firefox/Thunderbird when a modal dialog interrupts a fullscreen transition. Affected products are Firefox and Thunderbird desktop releases older than Firefox 133, Firefox ESR 128.5, Thunderbird 133, and Thunderbird ESR 128.5. The issue can ...
CVE-2024-6611
In CVE-2024-6611, a nested iframe could trigger cross-site navigation and allow cookies with SameSite=Strict or Lax to be sent. Affected products are Mozilla Firefox and Thunderbird prior to version 128. root cause: improper handling of SameSite cookies in nested iframes; impact includes potentia...
CVE-2019-11730
CVE-2019-11730 describes a same-origin policy violation where opening a locally saved HTML file could allow file: URIs to access files in the same directory or subdirectories, enabling the Fetch API to read contents and potentially exfiltrate them. The issue affects Firefox ESR < 60.8, Firefox...
CVE-2024-5692
The CVE-2024-5692 entry affects Mozilla Firefox and Thunderbird on Windows 10, where the Save As flow could bypass filename extension restrictions by including an invalid character in the extension, enabling saving with a disallowed extension like .url. Connected Mozilla advisories (MFSA) corrobo...
CVE-2024-6607
CVE-2024-6607 affects Mozilla Firefox (pre-128) and Mozilla Thunderbird (pre-128). The issue allows a user flow disruption where a user can be prevented from exiting pointerlock by pressing Escape and can overlay customValidity notifications from a element over permission prompts, potentially co...
CVE-2025-0240
CVE-2025-0240 affects Mozilla Firefox and Thunderbird (Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, Thunderbird
CVE-2020-6814
CVE-2020-6814 refers to memory-safety bugs in Mozilla Firefox and Thunderbird (68.5 timeframe) with potential to run arbitrary code. Affected products/versions: Thunderbird < 68.6, Firefox < 74, Firefox ESR < 68.6, and Firefox ESR
CVE-2024-6614
CVE-2024-6614 impacts Mozilla Firefox and Thunderbird before version 128, where the frame iterator could loop when processing certain wasm frames, causing incorrect stack traces. The issue, confirmed in Mozilla advisories, is addressed by upgrading to the 128.* release series (Firefox 128 / Thund...
CVE-2019-11717
CVE-2019-11717 affects Firefox ESR <60.8, Firefox <68, and Thunderbird
CVE-2019-11742
CVE-2019-11742 describes a same-origin policy violation enabling theft of cross-origin images via a combination of SVG filters and a element, due to an error in how cached image content is treated. Affected: Firefox versions before 69, Thunderbird before 68.1 (and before 60.9 for ESR branches), ...
CVE-2019-17011
CVE-2019-17011 : A race condition in DocShell antitracking can cause a use-after-free and potentially crash the process. Affected: Thunderbird < 68.3, Firefox ESR < 68.3, Firefox
CVE-2020-12392
CVE-2020-12392 is a local vulnerability in Mozilla products where the “Copy as cURL” feature in DevTools network tab could improperly escape HTTP POST data, enabling potential arbitrary local file disclosure when the generated curl command is pasted and run. Affected are Firefox ESR < 68.8, Fi...
CVE-2024-11696
CVE-2024-11696 describes an Unhandled Exception in Add-on Signature Verification due to how loadManifestFromFile handles invalid/unsupported extension manifests, potentially bypassing enforcement of signature validation for unrelated Firefox/Thunderbird add-ons. Affected software and versions per...
CVE-2024-4769
CVE-2024-4769 : In Firefox and Thunderbird, Web Workers handling could reveal cross-origin information by distinguishing between responses with the content-type application/javascript vs non-script types. This could lead to information disclosure across origins. Affected products are Firefox befo...
CVE-2025-0239
CVE-2025-0239 affects Mozilla Firefox and Thunderbird components via Alt-Svc with ALPN: certificates were not properly validated when the original server redirects to an insecure site. Affected versions are Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird
CVE-2019-17008
CVE-2019-17008 describes a use-after-free vulnerability that can occur during the destruction of nested workers, leading to a potentially exploitable crash. Affected products include Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox
CVE-2019-9795
CVE-2019-9795 describes a vulnerability in the IonMonkey JIT compiler where a type-confusion could be exploited by malicious JavaScript to trigger a crash. Public references indicate affected products include Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox
CVE-2024-11693
The CVE-2024-11693 issue is a Windows-only vulnerability in Mozilla Firefox/Thunderbird where the executable warning was not shown when downloading .library-ms files. Affected products and versions are Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird
CVE-2019-11746
CVE-2019-11746 is a use-after-free in video element handling that can cause a crash. Public sources in connected advisories confirm impact on Firefox versions below 69, Thunderbird <68.1 and <60.9 (and ESR branches
CVE-2024-5693
Offscreen Canvas cross-origin tainting tracked incorrectly, enabling potential access to image data from other sites. Affected: Firefox <127, Firefox ESR <115.12, Thunderbird
CVE-2018-18500
CVE-2018-18500 is a use-after-free in the HTML5 stream parser when handling custom HTML elements, causing the parser object to be freed while still in use. Affected products include Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox
CVE-2019-11712
CVE-2019-11712 describes a vulnerability where NPAPI plugins (e.g., Flash) performing POST requests that follow a 308 redirect can bypass CORS, enabling CSRF. Affected products include Mozilla Firefox ESR < 60.8, Firefox < 68, and Thunderbird
CVE-2019-9819
The CVE-2019-9819 issue is a JavaScript compartment mismatch involving the fetch API that can cause a crash. Affected products include Thunderbird (and Firefox components) with versions below 60.7 for Thunderbird and below 67 for Firefox/Firefox ESR; impact is described as potentially exploitable...
CVE-2021-23999
CVE-2021-23999 describes a sandbox/privilege issue where a Blob URL loaded via an unusual user interaction could be executed with System Principal privileges, affecting Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox
CVE-2024-4777
CVE-2024-4777 concerns memory-safety bugs in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10, potentially allowing arbitrary code execution. Public sources in connected documents confirm affected products and versions: Firefox < 126, Firefox ESR < 115.11, and Thunderbird
CVE-2021-23998
CVE-2021-23998 describes a content spoofing vulnerability in Firefox/Thunderbird: through complex navigation involving new windows, an HTTP page could inherit the lock icon from an HTTPS page. Affected products are Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox
CVE-2023-23601
CVE-2023-23601 is a browser navigation/vulnerability caused by dragging a URL from a cross-origin iframe into the same tab, enabling potential spoofing. Public records confirm impact on Firefox (less than 109) and Firefox ESR (less than 102.7) and Thunderbird (less than 102.7). Multiple advisorie...
CVE-2024-6609
The CVE-2024-6609 entry concerns NSS memory management: when memory is nearly exhausted, an elliptic curve key that was never allocated could be freed again, potentially enabling memory corruption or related instability. Affected products cited in connected docs include Mozilla Firefox and Mozill...
CVE-2019-11692
CVE-2019-11692 is a use-after-free in the event listener manager that can occur when listeners are removed while still in use, causing a crash in Thunderbird <=60.6.x/60.7.0, Firefox <=66-67 (and ESR
CVE-2023-23603
CVE-2023-23603 describes that Regular expressions used to filter forbidden properties/values from style directives in calls to console.log did not account for external URLs, enabling potential data exfiltration from the browser. Affected: Firefox <= 108/109 and Firefox ESR <= 102.7, Thunder...
CVE-2020-12395
CVE-2020-12395 refers to memory-safety bugs reported in Mozilla Firefox and Thunderbird. Mozilla noted memory corruption in bugs affecting Firefox 75/ESR 68.7 and stated that with enough effort some bugs could be exploited to run arbitrary code. The vulnerability impacts Firefox ESR < 68.8, Fi...