rpm package
suse/MozillaFirefox&distro=SUSE Linux Enterprise Server 12 SP5-LTSS
pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
Vulnerabilities (241)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6426 | Hig | 8.8 | < 128.12.0-112.265.1 | 128.12.0-112.265.1 | Jun 24, 2025 | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderb | |
| CVE-2025-6425 | Med | 4.3 | < 128.12.0-112.265.1 | 128.12.0-112.265.1 | Jun 24, 2025 | An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.2 | |
| CVE-2025-6424 | Cri | 9.8 | < 128.12.0-112.265.1 | 128.12.0-112.265.1 | Jun 24, 2025 | A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. | |
| CVE-2025-5269 | Hig | 8.1 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 1 | |
| CVE-2025-5268 | Hig | 8.1 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability | |
| CVE-2025-5267 | Med | 5.4 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. | |
| CVE-2025-5266 | Med | 4.3 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. | |
| CVE-2025-5265 | Med | 4.8 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox a | |
| CVE-2025-5264 | Med | 4.8 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox | |
| CVE-2025-5263 | Med | 4.3 | < 128.11.0-112.262.1 | 128.11.0-112.262.1 | May 27, 2025 | Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. | |
| CVE-2025-4919 | Hig | 8.8 | < 128.10.1-112.259.1 | 128.10.1-112.259.1 | May 17, 2025 | An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2. | |
| CVE-2025-4918 | Cri | 9.8 | < 128.10.1-112.259.1 | 128.10.1-112.259.1 | May 17, 2025 | An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2. | |
| CVE-2025-2817 | Hig | 8.8 | < 128.10.0-112.255.1 | 128.10.0-112.255.1 | Apr 29, 2025 | Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-leve | |
| CVE-2025-3030 | Hig | 8.1 | < 128.9.0-112.252.1 | 128.9.0-112.252.1 | Apr 1, 2025 | Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability w | |
| CVE-2025-3029 | Hig | 7.3 | < 128.9.0-112.252.1 | 128.9.0-112.252.1 | Apr 1, 2025 | A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. | |
| CVE-2025-3028 | Med | 6.5 | < 128.9.0-112.252.1 | 128.9.0-112.252.1 | Apr 1, 2025 | JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. | |
| CVE-2025-1938 | Med | 6.5 | < 128.8.0-112.249.3 | 128.8.0-112.249.3 | Mar 4, 2025 | Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability w | |
| CVE-2025-1937 | Hig | 7.5 | < 128.8.0-112.249.3 | 128.8.0-112.249.3 | Mar 4, 2025 | Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. | |
| CVE-2025-1936 | Hig | 7.3 | < 128.8.0-112.249.3 | 128.8.0-112.249.3 | Mar 4, 2025 | jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a | |
| CVE-2025-1935 | Med | 4.3 | < 128.8.0-112.249.3 | 128.8.0-112.249.3 | Mar 4, 2025 | A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. |
- affected < 128.12.0-112.265.1fixed 128.12.0-112.265.1
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderb
- affected < 128.12.0-112.265.1fixed 128.12.0-112.265.1
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.2
- affected < 128.12.0-112.265.1fixed 128.12.0-112.265.1
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 1
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox a
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox
- affected < 128.11.0-112.262.1fixed 128.11.0-112.262.1
Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
- affected < 128.10.1-112.259.1fixed 128.10.1-112.259.1
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.
- affected < 128.10.1-112.259.1fixed 128.10.1-112.259.1
An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.
- affected < 128.10.0-112.255.1fixed 128.10.0-112.255.1
Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-leve
- affected < 128.9.0-112.252.1fixed 128.9.0-112.252.1
Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability w
- affected < 128.9.0-112.252.1fixed 128.9.0-112.252.1
A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.
- affected < 128.9.0-112.252.1fixed 128.9.0-112.252.1
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.
- affected < 128.8.0-112.249.3fixed 128.8.0-112.249.3
Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability w
- affected < 128.8.0-112.249.3fixed 128.8.0-112.249.3
Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- affected < 128.8.0-112.249.3fixed 128.8.0-112.249.3
jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a
- affected < 128.8.0-112.249.3fixed 128.8.0-112.249.3
A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Page 10 of 13