Mozilla Thunderbird

263 matches found

added 2024/02/20 2:15 p.m. | 7283 views

CVE-2024-1547

Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

6.5 CVSS | 5.9 AI score | 0.00487 EPSS

added 2024/02/20 2:15 p.m. | 7179 views

CVE-2024-1550

A malicious website could have used a combination of exiting fullscreen mode and requestPointerLock to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Fire...

6.1 CVSS | 7.2 AI score | 0.00219 EPSS

added 2024/02/20 2:15 p.m. | 6730 views

CVE-2024-1551

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulner...

6.1 CVSS | 7.5 AI score | 0.00316 EPSS

added 2024/02/20 2:15 p.m. | 6316 views

CVE-2024-1549

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

6.1 CVSS | 7.4 AI score | 0.00368 EPSS

added 2024/03/19 12:15 p.m. | 5979 views

CVE-2023-5388

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

6.5 CVSS | 6.3 AI score | 0.00149 EPSS

added 2024/03/19 12:15 p.m. | 2716 views

CVE-2024-2609

The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.

6.1 CVSS | 5.5 AI score | 0.00822 EPSS

added 2013/05/16 11:45 a.m. | 998 views

CVE-2013-1675

Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sen...

6.5 CVSS | 8.7 AI score | 0.02572 EPSS

added 2023/06/02 5:15 p.m. | 816 views

CVE-2023-23599

When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

6.5 CVSS | 6.8 AI score | 0.00098 EPSS

added 2022/12/22 8:15 p.m. | 540 views

CVE-2022-29914

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

6.5 CVSS | 7.1 AI score | 0.0008 EPSS

added 2022/12/22 8:15 p.m. | 513 views

CVE-2022-28285

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR <...

6.5 CVSS | 7.2 AI score | 0.00164 EPSS

added 2022/12/22 8:15 p.m. | 512 views

CVE-2022-26386

Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific d...

6.5 CVSS | 6.9 AI score | 0.00089 EPSS

added 2022/12/22 8:15 p.m. | 500 views

CVE-2022-28282

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Fi...

6.5 CVSS | 7.1 AI score | 0.06124 EPSS

added 2022/12/22 8:15 p.m. | 480 views

CVE-2022-22747

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

6.5 CVSS | 7.1 AI score | 0.00085 EPSS

added 2022/12/22 8:15 p.m. | 479 views

CVE-2022-22739

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

6.5 CVSS | 7 AI score | 0.00128 EPSS

added 2022/12/22 8:15 p.m. | 478 views

CVE-2022-1196

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

6.5 CVSS | 7.3 AI score | 0.00129 EPSS

added 2022/12/22 8:15 p.m. | 478 views

CVE-2022-29911

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

6.1 CVSS | 7.3 AI score | 0.00087 EPSS

added 2022/12/22 8:15 p.m. | 468 views

CVE-2022-22745

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

6.5 CVSS | 7.1 AI score | 0.00179 EPSS

added 2022/12/22 8:15 p.m. | 468 views

CVE-2022-22760

When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91....

6.5 CVSS | 7 AI score | 0.00251 EPSS

added 2022/12/22 8:15 p.m. | 463 views

CVE-2022-22754

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

6.5 CVSS | 7 AI score | 0.00023 EPSS

added 2022/12/22 8:15 p.m. | 462 views

CVE-2022-1097

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

6.5 CVSS | 7.3 AI score | 0.00163 EPSS

added 2022/12/22 8:15 p.m. | 461 views

CVE-2022-22742

When inserting text while in edit mode, some characters might have led to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

6.5 CVSS | 7.3 AI score | 0.00124 EPSS

added 2022/12/22 8:15 p.m. | 453 views

CVE-2022-29916

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

6.5 CVSS | 7.4 AI score | 0.0011 EPSS

added 2022/12/22 8:15 p.m. | 448 views

CVE-2022-22748

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

6.5 CVSS | 7.1 AI score | 0.00135 EPSS

added 2022/12/22 8:15 p.m. | 439 views

CVE-2022-29912

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

6.1 CVSS | 7.2 AI score | 0.00282 EPSS

added 2022/12/22 8:15 p.m. | 429 views

CVE-2022-31738

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

6.5 CVSS | 7.3 AI score | 0.00094 EPSS

added 2022/12/22 8:15 p.m. | 426 views

CVE-2022-1834

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown wi...

6.5 CVSS | 7.4 AI score | 0.00105 EPSS

added 2022/12/22 8:15 p.m. | 421 views

CVE-2022-34479

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. This bug only affects Thunderbird for Linux. Other operating systems are unaffected. This vulnerability affect...

6.5 CVSS | 7.1 AI score | 0.00113 EPSS

added 2022/12/22 8:15 p.m. | 402 views

CVE-2022-45418

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

6.1 CVSS | 7.1 AI score | 0.00118 EPSS

added 2022/12/22 8:15 p.m. | 373 views

CVE-2022-45404

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and...

6.5 CVSS | 7.1 AI score | 0.00075 EPSS

added 2022/12/22 8:15 p.m. | 365 views

CVE-2022-42929

If a website called window.print() in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.

6.5 CVSS | 6.6 AI score | 0.00144 EPSS

added 2021/06/24 2:15 p.m. | 362 views

CVE-2021-29945

The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. Note: This issue only affected x86-32 platforms. Other platforms are unaffected. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

6.5 CVSS | 6.2 AI score | 0.00411 EPSS

added 2022/12/22 8:15 p.m. | 362 views

CVE-2022-45420

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

6.5 CVSS | 7.2 AI score | 0.00092 EPSS

added 2022/12/22 8:15 p.m. | 351 views

CVE-2022-45408

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 1...

6.5 CVSS | 7.1 AI score | 0.00121 EPSS

added 2019/09/27 6:15 p.m. | 299 views

CVE-2019-11744

Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can ...

6.1 CVSS | 6.6 AI score | 0.00786 EPSS

added 2023/06/02 5:15 p.m. | 288 views

CVE-2023-23598

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to DataTransfer.setData. This vulnerability affects Firefox < 109, Thunderbird < 10...

6.5 CVSS | 6.5 AI score | 0.00137 EPSS

added 2020/03/02 5:15 a.m. | 284 views

CVE-2020-6794

If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master passwo...

6.5 CVSS | 6.8 AI score | 0.00326 EPSS

added 2020/03/02 5:15 a.m. | 284 views

CVE-2020-6798

If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be expl...

6.1 CVSS | 6.6 AI score | 0.01265 EPSS

added 2025/02/04 2:15 p.m. | 276 views

CVE-2025-1013

A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.

6.5 CVSS | 6.1 AI score | 0.00107 EPSS

added 2020/12/09 1:15 a.m. | 266 views

CVE-2020-26965

Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was ...

6.5 CVSS | 6.8 AI score | 0.00444 EPSS

added 2021/02/26 2:15 a.m. | 263 views

CVE-2021-23973

When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

6.5 CVSS | 6.6 AI score | 0.00705 EPSS

added 2021/03/31 2:15 p.m. | 261 views

CVE-2021-23984

A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulne...

6.5 CVSS | 6.7 AI score | 0.00267 EPSS

added 2024/03/19 12:15 p.m. | 261 views

CVE-2024-2610

Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

6.1 CVSS | 7 AI score | 0.0016 EPSS

added 2025/01/07 4:15 p.m. | 260 views

CVE-2025-0242

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code....

6.5 CVSS | 7.4 AI score | 0.00332 EPSS

added 2020/10/01 7:15 p.m. | 257 views

CVE-2020-15664

By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extens...

6.5 CVSS | 6.7 AI score | 0.00371 EPSS

added 2021/03/31 2:15 p.m. | 257 views

CVE-2021-23982

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird <...

6.5 CVSS | 6.6 AI score | 0.00196 EPSS

added 2019/07/23 2:15 p.m. | 256 views

CVE-2019-11715

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

6.1 CVSS | 6.9 AI score | 0.01 EPSS

added 2020/03/02 5:15 a.m. | 255 views

CVE-2020-6795

When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects Thunderbird < 68.5.

6.5 CVSS | 6.9 AI score | 0.00688 EPSS

added 2019/09/27 6:15 p.m. | 252 views

CVE-2019-11742

A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This...

6.5 CVSS | 6.9 AI score | 0.0053 EPSS

added 2019/07/23 2:15 p.m. | 249 views

CVE-2019-11730

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and the...

6.5 CVSS | 6.9 AI score | 0.34646 EPSS

added 2020/03/02 5:15 a.m. | 249 views

CVE-2020-6793

When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location. This vulnerability affects Thunderbird < 68.5.

6.5 CVSS | 6.7 AI score | 0.00803 EPSS

Total number of security vulnerabilities: 263