rpm package
opensuse/firefox-esr&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed
Vulnerabilities (2,106)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2009-3078 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Sep 10, 2009 | Visual truncation vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to trigger a vertical scroll and spoof URLs via unspecified Unicode characters with a tall line-height property. | ||
| CVE-2009-3077 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Sep 10, 2009 | Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a "dangling pointer vulnerability." | ||
| CVE-2009-3072 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Sep 10, 2009 | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.3, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly e | ||
| CVE-2009-3069 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Sep 10, 2009 | Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | ||
| CVE-2009-2470 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Aug 4, 2009 | Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply. | ||
| CVE-2009-2654 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Aug 3, 2009 | Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, | ||
| CVE-2009-1313 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 30, 2009 | The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this vulnerability reportedly exist | ||
| CVE-2009-1312 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of | ||
| CVE-2009-1311 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of th | ||
| CVE-2009-1310 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element. | ||
| CVE-2009-1309 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attack | ||
| CVE-2009-1308 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay | ||
| CVE-2009-1307 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) re | ||
| CVE-2009-1306 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar fil | ||
| CVE-2009-1302 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Apr 22, 2009 | The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to (1) nsAsyncInstantiateEvent::Run | ||
| CVE-2009-1169 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Mar 27, 2009 | The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XML file with a crafted XSLT transform. | ||
| CVE-2009-1044 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Mar 23, 2009 | Mozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors related to the _moveToEdgeShift XUL tree method, which triggers garbage collection on objects that are still in use, as demonstrated by Nils during a PWN2OWN competition at Ca | ||
| CVE-2009-0777 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Mar 5, 2009 | Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phi | ||
| CVE-2009-0776 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Mar 5, 2009 | nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect. | ||
| CVE-2009-0775 | — | < 128.5.1-1.1 | 128.5.1-1.1 | Mar 5, 2009 | Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garba |
- CVE-2009-3078Sep 10, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Visual truncation vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to trigger a vertical scroll and spoof URLs via unspecified Unicode characters with a tall line-height property.
- CVE-2009-3077Sep 10, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a "dangling pointer vulnerability."
- CVE-2009-3072Sep 10, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.3, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly e
- CVE-2009-3069Sep 10, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
- CVE-2009-2470Aug 4, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply.
- CVE-2009-2654Aug 3, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object,
- CVE-2009-1313Apr 30, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this vulnerability reportedly exist
- CVE-2009-1312Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of
- CVE-2009-1311Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of th
- CVE-2009-1310Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element.
- CVE-2009-1309Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attack
- CVE-2009-1308Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay
- CVE-2009-1307Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) re
- CVE-2009-1306Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar fil
- CVE-2009-1302Apr 22, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to (1) nsAsyncInstantiateEvent::Run
- CVE-2009-1169Mar 27, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XML file with a crafted XSLT transform.
- CVE-2009-1044Mar 23, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors related to the _moveToEdgeShift XUL tree method, which triggers garbage collection on objects that are still in use, as demonstrated by Nils during a PWN2OWN competition at Ca
- CVE-2009-0777Mar 5, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phi
- CVE-2009-0776Mar 5, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect.
- CVE-2009-0775Mar 5, 2009affected < 128.5.1-1.1fixed 128.5.1-1.1
Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garba
Page 103 of 106