VYPR

Firefox

by Mozilla Corporation

Source repositories

CVEs (3,179)

  • CVE-2023-29532MedJun 19, 2023
    risk 0.36cvss 5.5epss 0.00

    A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by…

  • CVE-2022-3266MedDec 22, 2022
    risk 0.36cvss 5.5epss 0.00

    An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

  • CVE-2022-36314MedDec 22, 2022
    risk 0.36cvss 5.5epss 0.00

    When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability…

  • CVE-2020-15650MedAug 10, 2020
    risk 0.36cvss 5.5epss 0.01

    Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This…

  • CVE-2020-15649MedAug 10, 2020
    risk 0.36cvss 5.5epss 0.01

    Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This…

  • CVE-2020-12392MedMay 26, 2020
    risk 0.36cvss 5.5epss 0.00

    The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of…

  • CVE-2018-12383MedOct 18, 2018
    risk 0.36cvss 5.5epss 0.00

    If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new…

  • CVE-2017-7768MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    The Mozilla Maintenance Service can be invoked by an unprivileged user to read 32 bytes of any arbitrary file on the local system by convincing the service that it is reading a status file provided by the Mozilla Windows Updater. The Mozilla Maintenance Service executes with…

  • CVE-2017-7767MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privileged access. Note: This attack requires local system access and only affects…

  • CVE-2017-7761MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the…

  • CVE-2017-5427MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access puts chrome.manifest and other referenced files in this directory, they will be loaded and activated during startup. This…

  • CVE-2017-5414MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird…

  • CVE-2017-5409MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only…

  • CVE-2016-5294MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird <…

  • CVE-2016-5293MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability…

  • CVE-2016-5291MedJun 11, 2018
    risk 0.36cvss 5.5epss 0.00

    A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

  • CVE-2016-7153MedSep 6, 2016
    risk 0.36cvss 5.3epss 0.14

    The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a…

  • CVE-2016-7152MedSep 6, 2016
    risk 0.36cvss 5.3epss 0.14

    The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a…

  • CVE-2016-5265MedAug 5, 2016
    risk 0.36cvss 5.5epss 0.01

    Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut…

  • CVE-2016-2809MedApr 30, 2016
    risk 0.36cvss 5.5epss 0.02

    The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 on Windows allows user-assisted remote attackers to delete arbitrary files by leveraging certain local file execution.

Page 80 of 159