rpm package

suse/MozillaThunderbird&distro=SUSE Linux Enterprise Module for Package Hub 15 SP7

pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7

Vulnerabilities (134)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-14325	Hig	7.3	< 140.6.0-150200.8.248.1	140.6.0-150200.8.248.1	Dec 9, 2025	JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14324	Cri	9.8	< 140.6.0-150200.8.248.1	140.6.0-150200.8.248.1	Dec 9, 2025	JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14323	Hig	8.8	< 140.6.0-150200.8.248.1	140.6.0-150200.8.248.1	Dec 9, 2025	Privilege escalation in the DOM: Notifications component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14322	Hig	8.0	< 140.6.0-150200.8.248.1	140.6.0-150200.8.248.1	Dec 9, 2025	Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14321	Cri	9.8	< 140.6.0-150200.8.248.1	140.6.0-150200.8.248.1	Dec 9, 2025	Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-13020	Hig	8.8	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13019	Hig	8.1	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13018	Hig	8.1	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13017	Hig	8.1	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13016	Hig	7.5	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13015	Low	3.4	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
CVE-2025-13014	Hig	8.8	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13013	Med	6.1	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13012	Hig	7.5	< 140.5.0-150200.8.245.1	140.5.0-150200.8.245.1	Nov 11, 2025	Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-11715	Hig	8.8	< 140.4.0-150200.8.242.1	140.4.0-150200.8.242.1	Oct 14, 2025	Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilit
CVE-2025-11714	Hig	8.8	< 140.4.0-150200.8.242.1	140.4.0-150200.8.242.1	Oct 14, 2025	Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary cod
CVE-2025-11713	Hig	8.1	< 140.4.0-150200.8.242.1	140.4.0-150200.8.242.1	Oct 14, 2025	Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunder
CVE-2025-11712	Med	6.1	< 140.4.0-150200.8.242.1	140.4.0-150200.8.242.1	Oct 14, 2025	A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.
CVE-2025-11711	Med	6.5	< 140.4.0-150200.8.242.1	140.4.0-150200.8.242.1	Oct 14, 2025	There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-11710	Cri	9.8	< 140.4.0-150200.8.242.1	140.4.0-150200.8.242.1	Oct 14, 2025	A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird

CVE-2025-14325HigDec 9, 2025
affected < 140.6.0-150200.8.248.1fixed 140.6.0-150200.8.248.1
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14324CriDec 9, 2025
affected < 140.6.0-150200.8.248.1fixed 140.6.0-150200.8.248.1
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14323HigDec 9, 2025
affected < 140.6.0-150200.8.248.1fixed 140.6.0-150200.8.248.1
Privilege escalation in the DOM: Notifications component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14322HigDec 9, 2025
affected < 140.6.0-150200.8.248.1fixed 140.6.0-150200.8.248.1
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14321CriDec 9, 2025
affected < 140.6.0-150200.8.248.1fixed 140.6.0-150200.8.248.1
Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-13020HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13019HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13018HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13017HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13016HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13015LowNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
CVE-2025-13014HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13013MedNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-13012HigNov 11, 2025
affected < 140.5.0-150200.8.245.1fixed 140.5.0-150200.8.245.1
Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
CVE-2025-11715HigOct 14, 2025
affected < 140.4.0-150200.8.242.1fixed 140.4.0-150200.8.242.1
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilit
CVE-2025-11714HigOct 14, 2025
affected < 140.4.0-150200.8.242.1fixed 140.4.0-150200.8.242.1
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary cod
CVE-2025-11713HigOct 14, 2025
affected < 140.4.0-150200.8.242.1fixed 140.4.0-150200.8.242.1
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunder
CVE-2025-11712MedOct 14, 2025
affected < 140.4.0-150200.8.242.1fixed 140.4.0-150200.8.242.1
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.
CVE-2025-11711MedOct 14, 2025
affected < 140.4.0-150200.8.242.1fixed 140.4.0-150200.8.242.1
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVE-2025-11710CriOct 14, 2025
affected < 140.4.0-150200.8.242.1fixed 140.4.0-150200.8.242.1
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird

Page 4 of 7