Filtered by vendor Mozilla
Total: 3457 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6610 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-03-18 | N/A | 4.3 MEDIUM |
|
Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128 and Thunderbird < 128.
|
|||||
| CVE-2024-9398 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-18 | N/A | 5.3 MEDIUM |
|
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
|
|||||
| CVE-2024-7527 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-18 | N/A | 8.8 HIGH |
|
Unexpected marking work at the start of sweeping could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
|
|||||
| CVE-2024-9397 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-18 | N/A | 6.1 MEDIUM |
|
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
|
|||||
| CVE-2024-43112 | 1 Mozilla | 1 Firefox | 2025-03-17 | N/A | 6.1 MEDIUM |
|
Long pressing on a download link could potentially provide a means for cross-site scripting. This vulnerability affects Firefox for iOS < 129.
|
|||||
| CVE-2024-5694 | 1 Mozilla | 1 Firefox | 2025-03-14 | N/A | 7.5 HIGH |
|
An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. This vulnerability affects Firefox < 127.
|
|||||
| CVE-2024-9399 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-03-14 | N/A | 7.5 HIGH |
|
A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
|
|||||
| CVE-2024-7523 | 1 Mozilla | 1 Firefox | 2025-03-14 | N/A | 8.1 HIGH |
|
A select option could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions.
*This issue only affects Android versions of Firefox.* This vulnerability affects Firefox < 129.
|
|||||
| CVE-2024-38313 | 1 Mozilla | 1 Firefox | 2025-03-14 | N/A | 4.3 MEDIUM |
|
In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address. This vulnerability affects Firefox for iOS < 127.
|
|||||
| CVE-2024-2615 | 1 Mozilla | 1 Firefox | 2025-03-14 | N/A | 9.8 CRITICAL |
|
Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124.
|
|||||
| CVE-2024-5698 | 1 Mozilla | 1 Firefox | 2025-03-14 | N/A | 6.1 MEDIUM |
|
By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 127.
|
|||||
| CVE-2024-10474 | 1 Mozilla | 1 Firefox Focus | 2025-03-13 | N/A | 6.5 MEDIUM |
|
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks. This vulnerability affects Focus for iOS < 132.
|
|||||
| CVE-2024-4777 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Thunderbird | 2025-03-13 | N/A | 8.8 HIGH |
|
Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
|
|||||
| CVE-2024-5697 | 1 Mozilla | 1 Firefox | 2025-03-13 | N/A | 4.3 MEDIUM |
|
A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. This vulnerability affects Firefox < 127.
|
|||||
| CVE-2025-1015 | 1 Mozilla | 1 Thunderbird | 2025-03-10 | N/A | 5.4 MEDIUM |
|
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
|
|||||
| CVE-2024-2613 | 1 Mozilla | 1 Firefox | 2025-02-25 | N/A | 7.5 HIGH |
|
Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124.
|
|||||
| CVE-2024-2614 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Thunderbird | 2025-02-25 | N/A | 8.8 HIGH |
|
Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
|
|||||
| CVE-2024-2616 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-25 | N/A | 2.7 LOW |
|
To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempting to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9.
|
|||||
| CVE-2023-34416 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-02-13 | N/A | 9.8 CRITICAL |
|
Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
|
|||||
| CVE-2024-10941 | 1 Mozilla | 1 Firefox | 2025-02-10 | N/A | 6.5 MEDIUM |
|
A malicious website could have included an iframe with a malformed URI resulting in a non-exploitable browser crash. This vulnerability affects Firefox < 126.
|
|||||
| CVE-2025-1020 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 9.8 CRITICAL |
|
Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 135 and Thunderbird < 135.
|
|||||
| CVE-2025-0510 | 1 Mozilla | 1 Thunderbird | 2025-02-06 | N/A | 6.5 MEDIUM |
|
Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
|
|||||
| CVE-2025-1019 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 4.3 MEDIUM |
|
The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
|
|||||
| CVE-2025-1018 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 5.3 MEDIUM |
|
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
|
|||||
| CVE-2023-32207 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-31 | N/A | 8.8 HIGH |
|
A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
|
|||||
| CVE-2023-29550 | 1 Mozilla | 4 Firefox, Firefox Esr, Focus and 1 more | 2025-01-10 | N/A | 8.8 HIGH |
|
Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
|
|||||
| CVE-2023-29549 | 1 Mozilla | 2 Firefox, Focus | 2025-01-10 | N/A | 6.5 MEDIUM |
|
Under certain circumstances, a call to the `bind` function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
|
|||||
| CVE-2023-29548 | 1 Mozilla | 4 Firefox, Firefox Esr, Focus and 1 more | 2025-01-10 | N/A | 6.5 MEDIUM |
|
A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
|
|||||
| CVE-2023-29547 | 1 Mozilla | 3 Firefox, Firefox Esr, Focus | 2025-01-10 | N/A | 6.5 MEDIUM |
|
When a secure cookie existed in the Firefox cookie jar, an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
|
|||||
| CVE-2023-29544 | 1 Mozilla | 2 Firefox, Focus | 2025-01-10 | N/A | 6.5 MEDIUM |
|
If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
|
|||||
| CVE-2023-29543 | 1 Mozilla | 2 Firefox, Focus | 2025-01-10 | N/A | 8.8 HIGH |
|
An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
|
|||||
| CVE-2023-29541 | 1 Mozilla | 4 Firefox, Firefox Esr, Focus and 1 more | 2025-01-10 | N/A | 8.8 HIGH |
|
Firefox did not properly handle downloads of files ending in `.desktop`, which can be interpreted to run attacker-controlled commands. *This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.* This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
|
|||||
| CVE-2023-0616 | 1 Mozilla | 1 Thunderbird | 2025-01-10 | N/A | 6.5 MEDIUM |
|
If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way, Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack. This vulnerability affects Thunderbird < 102.8.
|
|||||
| CVE-2023-0547 | 1 Mozilla | 1 Thunderbird | 2025-01-10 | N/A | 6.5 MEDIUM |
|
OCSP revocation status of recipient certificates was not checked when sending S/MIME encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10.
|
|||||
| CVE-2023-0430 | 1 Mozilla | 1 Thunderbird | 2025-01-10 | N/A | 6.5 MEDIUM |
|
Certificate OCSP revocation status was not checked when verifying S/MIME signatures. Mail signed with a revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to 102.7.0 were affected by this bug. This vulnerability affects Thunderbird < 102.7.1.
|
|||||
| CVE-2023-25731 | 1 Mozilla | 1 Firefox | 2025-01-10 | N/A | 8.8 HIGH |
|
Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110.
|
|||||
| CVE-2023-25730 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-10 | N/A | 5.4 MEDIUM |
|
A background script invoking `requestFullscreen` and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
|
|||||
| CVE-2023-25729 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-10 | N/A | 8.8 HIGH |
|
Permission prompts for opening external schemes were only shown for `ContentPrincipals`, resulting in extensions being able to open them without user interaction via `ExpandedPrincipals`. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
|
|||||
| CVE-2023-25728 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-10 | N/A | 6.5 MEDIUM |
|
The `Content-Security-Policy-Report-Only` header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
|
|||||
| CVE-2023-25735 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-09 | N/A | 8.8 HIGH |
|
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
|
|||||