rpm package

suse/MozillaFirefox&distro=SUSE Linux Enterprise Server LTSS Extended Security 12 SP5

pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Vulnerabilities (212)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-14321	Cri	9.8	< 140.6.0-112.292.1	140.6.0-112.292.1	Dec 9, 2025	Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-13020	Hig	8.8	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13019	Hig	8.1	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13018	Hig	8.1	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13017	Hig	8.1	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13016	Hig	7.5	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13015	Low	3.4	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
CVE-2025-13014	Hig	8.8	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13013	Med	6.1	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13012	Hig	7.5	< 140.5.0-112.289.1	140.5.0-112.289.1	Nov 11, 2025	Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-11715	Hig	8.8	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilit
CVE-2025-11714	Hig	8.8	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary cod
CVE-2025-11713	Hig	8.1	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunder
CVE-2025-11712	Med	6.1	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.
CVE-2025-11711	Med	6.5	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-11710	Cri	9.8	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird
CVE-2025-11709	Cri	9.8	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-11708	Cri	9.8	< 140.4.0-112.286.1	140.4.0-112.286.1	Oct 14, 2025	Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-59375	Hig	7.5	< 140.9.0-112.304.2	140.9.0-112.304.2	Sep 15, 2025	libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
CVE-2025-9187	Cri	9.8	< 140.2.0-112.276.1	140.2.0-112.276.1	Aug 19, 2025	Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142 and Thunderbird

CVE-2025-14321CriDec 9, 2025
affected < 140.6.0-112.292.1fixed 140.6.0-112.292.1
Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-13020HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13019HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13018HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13017HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13016HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13015LowNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
CVE-2025-13014HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13013MedNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13012HigNov 11, 2025
affected < 140.5.0-112.289.1fixed 140.5.0-112.289.1
Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-11715HigOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilit
CVE-2025-11714HigOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary cod
CVE-2025-11713HigOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunder
CVE-2025-11712MedOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.
CVE-2025-11711MedOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-11710CriOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird
CVE-2025-11709CriOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-11708CriOct 14, 2025
affected < 140.4.0-112.286.1fixed 140.4.0-112.286.1
Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-59375HigSep 15, 2025
affected < 140.9.0-112.304.2fixed 140.9.0-112.304.2
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
CVE-2025-9187CriAug 19, 2025
affected < 140.2.0-112.276.1fixed 140.2.0-112.276.1
Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142 and Thunderbird

Page 6 of 11