VYPR

Firefox

by Mozilla Corporation

Source repositories

CVEs (3,179)

  • CVE-2020-26977MedJan 7, 2021
    risk 0.42cvss 6.5epss 0.01

    By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability…

  • CVE-2020-26976MedJan 7, 2021
    risk 0.42cvss 6.5epss 0.02

    When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability…

  • CVE-2020-26975MedJan 7, 2021
    risk 0.42cvss 6.5epss 0.01

    When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed…

  • CVE-2020-26967MedDec 9, 2020
    risk 0.42cvss 6.5epss 0.01

    When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code.…

  • CVE-2020-26966MedDec 9, 2020
    risk 0.42cvss 6.5epss 0.01

    Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. *Note: This issue only affected Windows operating systems. Other operating systems are…

  • CVE-2020-26965MedDec 9, 2020
    risk 0.42cvss 6.5epss 0.01

    Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the…

  • CVE-2020-26961MedDec 9, 2020
    risk 0.42cvss 6.5epss 0.01

    When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a…

  • CVE-2020-26957MedDec 9, 2020
    risk 0.42cvss 6.5epss 0.01

    OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This…

  • CVE-2020-26955MedDec 9, 2020
    risk 0.42cvss 6.5epss 0.01

    When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. *Note:…

  • CVE-2020-15682MedOct 22, 2020
    risk 0.42cvss 6.5epss 0.00

    When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by…

  • CVE-2020-15666MedOct 1, 2020
    risk 0.42cvss 6.5epss 0.01

    When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to…

  • CVE-2020-15664MedOct 1, 2020
    risk 0.42cvss 6.5epss 0.01

    By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended…

  • CVE-2020-15658MedAug 10, 2020
    risk 0.42cvss 6.5epss 0.01

    The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox…

  • CVE-2020-15655MedAug 10, 2020
    risk 0.42cvss 6.5epss 0.02

    A redirected HTTP request which is observed or modified through a web extension could bypass existing CORS checks, leading to potential disclosure of cross-origin information. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

  • CVE-2020-15654MedAug 10, 2020
    risk 0.42cvss 6.5epss 0.01

    When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and…

  • CVE-2020-15653MedAug 10, 2020
    risk 0.42cvss 6.5epss 0.01

    An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR <…

  • CVE-2020-15652MedAug 10, 2020
    risk 0.42cvss 6.5epss 0.01

    By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1,…

  • CVE-2020-15648MedAug 10, 2020
    risk 0.42cvss 6.5epss 0.01

    Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.

  • CVE-2020-12425MedJul 9, 2020
    risk 0.42cvss 6.5epss 0.01

    Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.

  • CVE-2020-12421MedJul 9, 2020
    risk 0.42cvss 6.5epss 0.02

    When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability…

Page 70 of 159