apk package
chainguard/firefox-esr
pkg:apk/chainguard/firefox-esr
Vulnerabilities (470)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-1550 | — | < 115.8.0-r0 | 115.8.0-r0 | Feb 20, 2024 | A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulne | ||
| CVE-2024-1549 | — | < 115.8.0-r0 | 115.8.0-r0 | Feb 20, 2024 | If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. | ||
| CVE-2024-1548 | — | < 115.8.0-r0 | 115.8.0-r0 | Feb 20, 2024 | A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. | ||
| CVE-2024-1547 | — | < 115.8.0-r0 | 115.8.0-r0 | Feb 20, 2024 | Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. | ||
| CVE-2024-1546 | — | < 115.8.0-r0 | 115.8.0-r0 | Feb 20, 2024 | When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. | ||
| CVE-2024-0953 | — | < 129-r0 | 129-r0 | Feb 5, 2024 | When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to the page specified in the code. This may surprise the user and potentially direct them to unwanted content. This vulnerability affects Firefox for iOS < 129. | ||
| CVE-2024-0754 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | Some WASM source files could have caused a crash when loaded in devtools. This vulnerability affects Firefox < 122. | ||
| CVE-2024-0752 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox < 122. | ||
| CVE-2024-0748 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122. | ||
| CVE-2024-0744 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122. | ||
| CVE-2024-0743 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. | ||
| CVE-2024-0753 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | ||
| CVE-2024-0751 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | ||
| CVE-2024-0750 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | ||
| CVE-2024-0742 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | ||
| CVE-2024-0741 | — | < 122.0-r0 | 122.0-r0 | Jan 23, 2024 | An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | ||
| CVE-2023-6871 | — | < 121.0-r0 | 121.0-r0 | Dec 19, 2023 | Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler. This vulnerability affects Firefox < 121. | ||
| CVE-2023-6869 | — | < 121.0-r0 | 121.0-r0 | Dec 19, 2023 | A `<dialog>` element could have been manipulated to paint content outside of a sandboxed iframe. This could allow untrusted content to display under the guise of trusted content. This vulnerability affects Firefox < 121. | ||
| CVE-2023-6868 | — | < 121.0-r0 | 121.0-r0 | Dec 19, 2023 | In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. *This bug only affects Firefox on Android.* This vulnerability affec | ||
| CVE-2023-6867 | — | < 121.0-r0 | 121.0-r0 | Dec 19, 2023 | The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. |
- CVE-2024-1550Feb 20, 2024affected < 115.8.0-r0fixed 115.8.0-r0
A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulne
- CVE-2024-1549Feb 20, 2024affected < 115.8.0-r0fixed 115.8.0-r0
If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
- CVE-2024-1548Feb 20, 2024affected < 115.8.0-r0fixed 115.8.0-r0
A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
- CVE-2024-1547Feb 20, 2024affected < 115.8.0-r0fixed 115.8.0-r0
Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
- CVE-2024-1546Feb 20, 2024affected < 115.8.0-r0fixed 115.8.0-r0
When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
- CVE-2024-0953Feb 5, 2024affected < 129-r0fixed 129-r0
When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to the page specified in the code. This may surprise the user and potentially direct them to unwanted content. This vulnerability affects Firefox for iOS < 129.
- CVE-2024-0754Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
Some WASM source files could have caused a crash when loaded in devtools. This vulnerability affects Firefox < 122.
- CVE-2024-0752Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox < 122.
- CVE-2024-0748Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.
- CVE-2024-0744Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122.
- CVE-2024-0743Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9.
- CVE-2024-0753Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
- CVE-2024-0751Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
- CVE-2024-0750Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
- CVE-2024-0742Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
- CVE-2024-0741Jan 23, 2024affected < 122.0-r0fixed 122.0-r0
An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
- CVE-2023-6871Dec 19, 2023affected < 121.0-r0fixed 121.0-r0
Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler. This vulnerability affects Firefox < 121.
- CVE-2023-6869Dec 19, 2023affected < 121.0-r0fixed 121.0-r0
A `<dialog>` element could have been manipulated to paint content outside of a sandboxed iframe. This could allow untrusted content to display under the guise of trusted content. This vulnerability affects Firefox < 121.
- CVE-2023-6868Dec 19, 2023affected < 121.0-r0fixed 121.0-r0
In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. *This bug only affects Firefox on Android.* This vulnerability affec
- CVE-2023-6867Dec 19, 2023affected < 121.0-r0fixed 121.0-r0
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.
Page 21 of 24