VYPR

Firefox

by Mozilla Corporation

Source repositories

CVEs (3,179)

  • CVE-2025-5265MedMay 27, 2025
    risk 0.31cvss 4.8epss 0.00

    Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of…

  • CVE-2025-5264MedMay 27, 2025
    risk 0.31cvss 4.8epss 0.00

    Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24,…

  • CVE-2025-4087MedApr 29, 2025
    risk 0.31cvss 4.8epss 0.00

    A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability was fixed in Firefox 138,…

  • CVE-2024-6601MedJul 9, 2024
    risk 0.31cvss 4.7epss 0.00

    A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

  • CVE-2024-5691MedJun 11, 2024
    risk 0.31cvss 4.7epss 0.01

    By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

  • CVE-2024-26281MedFeb 22, 2024
    risk 0.31cvss 4.7epss 0.00

    Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123.

  • CVE-2020-12401MedOct 8, 2020
    risk 0.31cvss 4.7epss 0.00

    During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

  • CVE-2020-12400MedOct 8, 2020
    risk 0.31cvss 4.7epss 0.00

    When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

  • CVE-2020-6827MedApr 24, 2020
    risk 0.31cvss 4.7epss 0.01

    When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This…

  • CVE-2019-11728MedJul 23, 2019
    risk 0.31cvss 4.7epss 0.01

    The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects Firefox < 68.

  • CVE-2017-7796MedJun 11, 2018
    risk 0.31cvss 4.7epss 0.00

    On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete…

  • CVE-2016-5253MedAug 5, 2016
    risk 0.31cvss 4.7epss 0.00

    The Updater in Mozilla Firefox before 48.0 on Windows allows local users to write to arbitrary files via vectors involving the callback application-path parameter and a hard link.

  • CVE-2016-1947MedJan 31, 2016
    risk 0.31cvss 4.7epss 0.02

    Mozilla Firefox 43.x mishandles attempts to connect to the Application Reputation service, which makes it easier for remote attackers to trigger an unintended download by leveraging the absence of reputation data.

  • CVE-2016-1943MedJan 31, 2016
    risk 0.31cvss 4.7epss 0.01

    Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via the scrollTo method.

  • CVE-2015-8512MedJan 9, 2016
    risk 0.30cvss 4.6epss 0.00

    The lockscreen feature in Mozilla Firefox OS before 2.5 does not properly restrict failed authentication attempts, which makes it easier for physically proximate attackers to obtain access by entering many passcode guesses.

  • CVE-2020-12402MedJul 9, 2020
    risk 0.29cvss 4.4epss 0.00

    During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the…

  • CVE-2020-12399MedJul 9, 2020
    risk 0.29cvss 4.4epss 0.01

    NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

  • CVE-2026-12320MedJun 16, 2026
    risk 0.28cvss 4.3epss 0.00

    Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12303MedJun 16, 2026
    risk 0.28cvss 4.3epss 0.00

    Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-10702MedJun 2, 2026
    risk 0.28cvss 4.3epss 0.00

    JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.

Page 88 of 159