rpm package
suse/MozillaFirefox&distro=SUSE Linux Enterprise Server 15 SP5-LTSS
pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS
Vulnerabilities (206)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-0240 | Med | 4.0 | | < 128.6.0-150200.152.167.1 | 128.6.0-150200.152.167.1 | Jan 7, 2025 | Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6. |
| CVE-2025-0239 | Med | 4.0 | | < 128.6.0-150200.152.167.1 | 128.6.0-150200.152.167.1 | Jan 7, 2025 | When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6. |
| CVE-2025-0238 | Med | 5.3 | | < 128.6.0-150200.152.167.1 | 128.6.0-150200.152.167.1 | Jan 7, 2025 | Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Firefox ESR 115.19, Thunderbird 134, and Thunderbird 128.6. |
| CVE-2025-0237 | Med | 5.4 | | < 128.6.0-150200.152.167.1 | 128.6.0-150200.152.167.1 | Jan 7, 2025 | The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR 128 |
| CVE-2024-43097 | — | | | < 128.8.0-150200.152.173.1 | 128.8.0-150200.152.173.1 | Jan 2, 2025 | In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-11704 | — | | | < 128.7.0-150200.152.170.1 | 128.7.0-150200.152.170.1 | Nov 26, 2024 | A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbi |