rpm package

opensuse/mozjs128&distro=openSUSE Leap 16.0

pkg:rpm/opensuse/mozjs128&distro=openSUSE%20Leap%2016.0

Vulnerabilities (26)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-9185	Hig	8.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Aug 19, 2025	Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these co
CVE-2025-9181	Med	6.5	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Aug 19, 2025	Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
CVE-2025-9180	Hig	8.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Aug 19, 2025	Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
CVE-2025-9179	Cri	9.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Aug 19, 2025	An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Fi
CVE-2025-8035	Hig	8.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploi
CVE-2025-8034	Hig	8.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these co
CVE-2025-8033	Med	6.5	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunder
CVE-2025-8032	Hig	8.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVE-2025-8031	Cri	9.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140
CVE-2025-8030	Hig	8.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVE-2025-8029	Hig	8.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVE-2025-8028	Cri	9.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefo
CVE-2025-8027	Med	6.5	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jul 22, 2025	On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird
CVE-2025-6430	Med	6.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jun 24, 2025	When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability was fixed i
CVE-2025-6429	Med	6.5	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jun 24, 2025	Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Fi
CVE-2025-6426	Hig	8.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jun 24, 2025	The executable file warning did not warn users before opening files with the `terminal` extension. This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderb
CVE-2025-6425	Med	4.3	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jun 24, 2025	An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.2
CVE-2025-6424	Cri	9.8	< 128.14.0-160000.1.1	128.14.0-160000.1.1	Jun 24, 2025	A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
CVE-2025-5283		—	< 128.14.0-160000.1.1	128.14.0-160000.1.1	May 27, 2025	Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2025-5269	Hig	8.1	< 128.14.0-160000.1.1	128.14.0-160000.1.1	May 27, 2025	Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 1

CVE-2025-9185HigAug 19, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these co
CVE-2025-9181MedAug 19, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
CVE-2025-9180HigAug 19, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
CVE-2025-9179CriAug 19, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Fi
CVE-2025-8035HigJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploi
CVE-2025-8034HigJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these co
CVE-2025-8033MedJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunder
CVE-2025-8032HigJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVE-2025-8031CriJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140
CVE-2025-8030HigJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVE-2025-8029HigJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVE-2025-8028CriJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefo
CVE-2025-8027MedJul 22, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird
CVE-2025-6430MedJun 24, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability was fixed i
CVE-2025-6429MedJun 24, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Fi
CVE-2025-6426HigJun 24, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderb
CVE-2025-6425MedJun 24, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.2
CVE-2025-6424CriJun 24, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
CVE-2025-5283May 27, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2025-5269HigMay 27, 2025
affected < 128.14.0-160000.1.1fixed 128.14.0-160000.1.1
Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 1

Page 1 of 2