Filtered by vendor Mozilla
Subscribe
Total
3234 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7524 | 1 Mozilla | 2 Firefox, Firefox Esr | 2025-03-25 | N/A | 6.1 MEDIUM |
| Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1. | |||||
| CVE-2024-6608 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-03-25 | N/A | 4.3 MEDIUM |
| It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128. | |||||
| CVE-2024-7520 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-24 | N/A | 8.8 HIGH |
| A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1. | |||||
| CVE-2024-43113 | 1 Mozilla | 1 Firefox | 2025-03-24 | N/A | 6.1 MEDIUM |
| The contextual menu for links could provide an opportunity for cross-site scripting attacks This vulnerability affects Firefox for iOS < 129. | |||||
| CVE-2024-10466 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-03-22 | N/A | 7.5 HIGH |
| By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | |||||
| CVE-2022-26486 | 1 Mozilla | 4 Firefox, Firefox Esr, Firefox Focus and 1 more | 2025-03-21 | N/A | 9.6 CRITICAL |
| An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. | |||||
| CVE-2019-11708 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-21 | 10.0 HIGH | 10.0 CRITICAL |
| Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. | |||||
| CVE-2020-6819 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-21 | 6.8 MEDIUM | 8.1 HIGH |
| Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. | |||||
| CVE-2020-6820 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-21 | 6.8 MEDIUM | 8.1 HIGH |
| Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. | |||||
| CVE-2016-9079 | 5 Debian, Microsoft, Mozilla and 2 more | 11 Debian Linux, Windows, Firefox and 8 more | 2025-03-21 | 5.0 MEDIUM | 7.5 HIGH |
| A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1. | |||||
| CVE-2019-17026 | 2 Canonical, Mozilla | 3 Ubuntu Linux, Firefox, Thunderbird | 2025-03-21 | 6.8 MEDIUM | 8.8 HIGH |
| Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. | |||||
| CVE-2024-5691 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-19 | N/A | 4.7 MEDIUM |
| By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. | |||||
| CVE-2024-8394 | 1 Mozilla | 1 Thunderbird | 2025-03-19 | N/A | 6.5 MEDIUM |
| When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 128.2. | |||||
| CVE-2024-8897 | 2 Google, Mozilla | 2 Android, Firefox | 2025-03-19 | N/A | 6.1 MEDIUM |
| Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to appear to have the same URL as the trusted site. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 130.0.1. | |||||
| CVE-2024-8399 | 1 Mozilla | 1 Firefox Focus | 2025-03-19 | N/A | 4.7 MEDIUM |
| Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS < 130. | |||||
| CVE-2024-7531 | 1 Mozilla | 2 Firefox, Firefox Esr | 2025-03-19 | N/A | 6.5 MEDIUM |
| Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1. | |||||
| CVE-2021-23980 | 1 Mozilla | 1 Bleach | 2025-03-19 | N/A | 6.1 MEDIUM |
| A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. | |||||
| CVE-2020-6817 | 1 Mozilla | 1 Bleach | 2025-03-19 | N/A | 7.5 HIGH |
| bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). | |||||
| CVE-2020-12413 | 1 Mozilla | 2 Firefox, Firefox Esr | 2025-03-19 | N/A | 5.9 MEDIUM |
| The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites. | |||||
| CVE-2019-17003 | 1 Mozilla | 1 Firefox | 2025-03-19 | N/A | 6.1 MEDIUM |
| Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed. | |||||