MozillaThunderbird

163 matches found

added 2014/02/06 5:44 a.m., 12369 views

CVE-2014-1491

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote...

CVSS 4.3, AI score 8.4, EPSS 0.00607

added 2024/02/20 2:15 p.m., 6425 views

CVE-2024-1548

A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

CVSS 4.3, AI score 7.2, EPSS 0.00357

added 2015/05/21 12:59 a.m., 1130 views

CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then ...

CVSS 4.3, AI score 4.8, EPSS 0.94027

added 2024/04/16 4:15 p.m., 998 views

CVE-2024-3861

If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

CVSS 4, AI score 5.7, EPSS 0.00098

added 2021/06/24 2:15 p.m., 530 views

CVE-2021-29956

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automat...

CVSS 4.3, AI score 5.7, EPSS 0.00133

added 2022/12/22 8:15 p.m., 488 views

CVE-2022-26383

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

CVSS 4.3, AI score 6, EPSS 0.00247

added 2022/12/22 8:15 p.m., 456 views

CVE-2022-22743

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

CVSS 4.3, AI score 6, EPSS 0.00112

added 2022/12/22 8:15 p.m., 409 views

CVE-2022-1520

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A migh...

CVSS 4.3, AI score 6.1, EPSS 0.00145

added 2020/07/09 3:15 p.m., 360 views

CVE-2020-12399

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

CVSS 4.4, AI score 5.9, EPSS 0.0008

added 2020/05/22 7:15 p.m., 325 views

CVE-2020-12397

By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0.

CVSS 4.3, AI score 6, EPSS 0.00184

added 2021/02/26 2:15 a.m., 298 views

CVE-2021-23968

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86...

CVSS 4.3, AI score 5.4, EPSS 0.01004

added 2020/03/02 5:15 a.m., 283 views

CVE-2020-6792

When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5.

CVSS 4.3, AI score 5.6, EPSS 0.00779

added 2021/02/26 2:15 a.m., 277 views

CVE-2021-23969

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Und...

CVSS 4.3, AI score 5.6, EPSS 0.01163

added 2023/06/02 5:15 p.m., 276 views

CVE-2023-32205

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

CVSS 4.3, AI score 5.8, EPSS 0.00143

added 2020/03/02 5:15 a.m., 259 views

CVE-2020-6797

By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note...

CVSS 4.3, AI score 5.5, EPSS 0.0102

added 2019/09/27 6:15 p.m., 255 views

CVE-2019-11743

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through...

CVSS 4.3, AI score 5.9, EPSS 0.00989

added 2021/02/26 3:15 a.m., 252 views

CVE-2021-23953

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

CVSS 4.3, AI score 5.5, EPSS 0.00382

added 2024/05/14 6:15 p.m., 252 views

CVE-2024-4767

If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVSS 4.3, AI score 5.7, EPSS 0.0038

added 2024/07/09 3:15 p.m., 238 views

CVE-2024-6601

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

CVSS 4.7, AI score 7.5, EPSS 0.00265

added 2024/06/11 1:15 p.m., 226 views

CVE-2024-5691

By tricking the browser with a X-Frame-Options header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

CVSS 4.7, AI score 5.2, EPSS 0.00148

added 2025/01/07 4:15 p.m., 224 views

CVE-2025-0239

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

CVSS 4, AI score 4.8, EPSS 0.0003

added 2024/06/11 1:15 p.m., 221 views

CVE-2024-5690

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

CVSS 4.3, AI score 5.3, EPSS 0.03218

added 2021/01/07 2:15 p.m., 219 views

CVE-2020-35111

When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability af...

CVSS 4.3, AI score 5.6, EPSS 0.00455

added 2025/01/07 4:15 p.m., 219 views

CVE-2025-0240

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

CVSS 4, AI score 5.5, EPSS 0.00047

added 2021/06/24 2:15 p.m., 218 views

CVE-2021-29957

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2.

CVSS 4.3, AI score 5.7, EPSS 0.00305

added 2024/07/09 3:15 p.m., 218 views

CVE-2024-6614

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128 and Thunderbird < 128.

CVSS 4.3, AI score 8.6, EPSS 0.00067

added 2021/12/08 10:15 p.m., 214 views

CVE-2021-38508

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox <...

CVSS 4.3, AI score 6.1, EPSS 0.00384

added 2024/07/09 3:15 p.m., 213 views

CVE-2024-6608

It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128.

CVSS 4.3, AI score 8.6, EPSS 0.00141

added 2020/12/09 1:15 a.m., 211 views

CVE-2020-26953

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

CVSS 4.3, AI score 5.7, EPSS 0.00283

added 2025/02/04 2:15 p.m., 210 views

CVE-2025-1019

The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.

CVSS 4.3, AI score 6.1, EPSS 0.00059

added 2021/12/08 10:15 p.m., 207 views

CVE-2021-43546

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

CVSS 4.3, AI score 6.1, EPSS 0.00204

added 2024/11/26 2:15 p.m., 204 views

CVE-2024-11692

An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

CVSS 4.3, AI score 6, EPSS 0.00118

added 2021/12/08 10:15 p.m., 202 views

CVE-2021-43538

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and F...

CVSS 4.3, AI score 6.4, EPSS 0.00195

added 2024/11/26 2:15 p.m., 198 views

CVE-2024-11701

The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133 and Thunderbird < 133.

CVSS 4.3, AI score 6.2, EPSS 0.00063

added 2021/06/24 2:15 p.m., 197 views

CVE-2021-23992

Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird...

CVSS 4.3, AI score 5.5, EPSS 0.00087

added 2021/12/08 10:15 p.m., 195 views

CVE-2021-38506

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

CVSS 4.3, AI score 6, EPSS 0.00207

added 2021/12/08 10:15 p.m., 193 views

CVE-2021-38509

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 9...

CVSS 4.3, AI score 6.1, EPSS 0.00477

added 2023/10/25 6:17 p.m., 193 views

CVE-2023-5721

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

CVSS 4.3, AI score 6, EPSS 0.0027

added 2023/09/11 9:15 a.m., 187 views

CVE-2023-4581

Excel .xll add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunde...

CVSS 4.3, AI score 5.5, EPSS 0.00169

added 2022/12/22 8:15 p.m., 167 views

CVE-2022-3034

When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

CVSS 4.3, AI score 5.6, EPSS 0.00107

added 2011/09/29 12:55 a.m., 163 views

CVE-2011-3000

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attac...

CVSS 4.3, AI score 9.2, EPSS 0.01301

added 2023/10/25 6:17 p.m., 154 views

CVE-2023-5725

A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

CVSS 4.3, AI score 6, EPSS 0.00267

added 2022/12/22 8:15 p.m., 152 views

CVE-2022-34472

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

CVSS 4.3, AI score 6.3, EPSS 0.00141

added 2018/10/18 1:29 p.m., 134 views

CVE-2018-12367

In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability ...

CVSS 4.3, AI score 5.2, EPSS 0.00752

added 2018/10/18 1:29 p.m., 125 views

CVE-2018-12374

Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field. This vulnerability affects Thunderbird < 52.9.

CVSS 4.3, AI score 6, EPSS 0.00447

added 2023/10/25 6:17 p.m., 118 views

CVE-2023-5726

A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. Note: This issue only affected macOS operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 119, ...

CVSS 4.3, AI score 5.3, EPSS 0.00133

added 2023/06/02 5:15 p.m., 117 views

CVE-2023-32212

An attacker could have positioned a datalist element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

CVSS 4.3, AI score 5.9, EPSS 0.00143

added 2018/06/11 9:29 p.m., 107 views

CVE-2018-5170

It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

CVSS 4.3, AI score 6.1, EPSS 0.0117

added 2013/05/16 11:45 a.m., 106 views

CVE-2013-1670

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attacker...

CVSS 4.3, AI score 8.1, EPSS 0.45979

added 2023/06/02 5:15 p.m., 106 views

CVE-2023-29533

A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks. This vulnerability affect...

CVSS 4.3, AI score 5.4, EPSS 0.00099

Total number of security vulnerabilities: 163