Total
306554 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52553 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 9.6 CRITICAL |
| authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect. | |||||
| CVE-2025-55028 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.5 MEDIUM |
| Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial of service attacks This vulnerability affects Firefox for iOS < 142. | |||||
| CVE-2025-55029 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 7.5 HIGH |
| Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142. | |||||
| CVE-2025-55030 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.1 MEDIUM |
| Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks This vulnerability affects Firefox for iOS < 142. | |||||
| CVE-2025-55031 | 1 Mozilla | 2 Firefox, Firefox Focus | 2025-08-21 | N/A | 9.8 CRITICAL |
| Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142. | |||||
| CVE-2025-55032 | 1 Mozilla | 1 Firefox Focus | 2025-08-21 | N/A | 6.1 MEDIUM |
| Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks This vulnerability affects Focus for iOS < 142. | |||||
| CVE-2025-55033 | 1 Mozilla | 1 Firefox Focus | 2025-08-21 | N/A | 6.1 MEDIUM |
| Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks This vulnerability affects Focus for iOS < 142. | |||||
| CVE-2025-8364 | 2 Google, Mozilla | 2 Android, Firefox | 2025-08-21 | N/A | 4.3 MEDIUM |
| A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 141. | |||||
| CVE-2025-9167 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in SolidInvoice up to 2.4.0. This vulnerability affects unknown code of the file /invoice/recurring of the component Recurring Invoice Module. The manipulation of the argument client name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-9168 | 1 Solidinvoice | 1 Solidinvoice | 2025-08-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-9179 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 9.8 CRITICAL |
| An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | |||||
| CVE-2025-9180 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 8.1 HIGH |
| 'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | |||||
| CVE-2025-9181 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 6.5 MEDIUM |
| Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | |||||
| CVE-2025-9182 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 7.5 HIGH |
| 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. | |||||
| CVE-2025-9183 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.5 MEDIUM |
| Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2. | |||||
| CVE-2025-9184 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 8.1 HIGH |
| Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. | |||||
| CVE-2025-9185 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 8.1 HIGH |
| Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | |||||
| CVE-2025-53942 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 7.4 HIGH |
| authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context["pending_user"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4. | |||||
| CVE-2025-9186 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.5 MEDIUM |
| Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142. | |||||
| CVE-2025-8361 | 1 Config Pages Project | 1 Config Pages | 2025-08-21 | N/A | 7.6 HIGH |
| Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0. | |||||