Filtered by vendor Mozilla
Subscribe
Total
3297 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11694 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-06-24 | N/A | 6.1 MEDIUM |
| Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. | |||||
| CVE-2024-11691 | 2 Apple, Mozilla | 17 M1, M1 Max, M1 Pro and 14 more | 2025-06-24 | N/A | 8.8 HIGH |
| Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. | |||||
| CVE-2023-2142 | 1 Mozilla | 1 Nunjucks | 2025-06-24 | N/A | 6.1 MEDIUM |
| In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character. | |||||
| CVE-2024-0752 | 1 Mozilla | 1 Firefox | 2025-06-20 | N/A | 6.5 MEDIUM |
| A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox < 122. | |||||
| CVE-2024-0751 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2025-06-20 | N/A | 8.8 HIGH |
| A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | |||||
| CVE-2024-0750 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2025-06-20 | N/A | 8.8 HIGH |
| A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | |||||
| CVE-2024-0746 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2025-06-20 | N/A | 6.5 MEDIUM |
| A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | |||||
| CVE-2024-0606 | 1 Mozilla | 1 Firefox Focus | 2025-06-20 | N/A | 6.1 MEDIUM |
| An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122. | |||||
| CVE-2024-0605 | 1 Mozilla | 1 Firefox Focus | 2025-06-20 | N/A | 7.5 HIGH |
| Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122. | |||||
| CVE-2025-2830 | 1 Mozilla | 1 Thunderbird | 2025-06-18 | N/A | 6.3 MEDIUM |
| By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | |||||
| CVE-2025-3522 | 1 Mozilla | 1 Thunderbird | 2025-06-18 | N/A | 6.3 MEDIUM |
| Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | |||||
| CVE-2025-49709 | 1 Mozilla | 1 Firefox | 2025-06-16 | N/A | 9.8 CRITICAL |
| Certain canvas operations could have lead to memory corruption. This vulnerability affects Firefox < 139.0.4. | |||||
| CVE-2025-49710 | 1 Mozilla | 1 Firefox | 2025-06-16 | N/A | 9.8 CRITICAL |
| An integer overflow was present in `OrderedHashTable` used by the JavaScript engine This vulnerability affects Firefox < 139.0.4. | |||||
| CVE-2025-5020 | 1 Mozilla | 1 Firefox | 2025-06-13 | N/A | 4.3 MEDIUM |
| Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Firefox for iOS < 139. | |||||
| CVE-2025-2817 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-06-13 | N/A | 8.8 HIGH |
| Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10. | |||||
| CVE-2025-3523 | 1 Mozilla | 1 Thunderbird | 2025-06-13 | N/A | 6.4 MEDIUM |
| When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | |||||
| CVE-2023-5758 | 1 Mozilla | 1 Firefox | 2025-06-12 | N/A | 6.1 MEDIUM |
| When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119. | |||||
| CVE-2024-0748 | 1 Mozilla | 1 Firefox | 2025-06-11 | N/A | 4.3 MEDIUM |
| A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122. | |||||
| CVE-2025-5268 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-06-11 | N/A | 6.5 MEDIUM |
| Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2025-5272 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-06-11 | N/A | 7.3 HIGH |
| Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139 and Thunderbird < 139. | |||||