Vendor CVEs
Mozilla Corporation
All CVEs
3,627 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8032 | Hig | 0.53 | 8.1 | 0.00 | Jul 22, 2025 | XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. | ||
| CVE-2025-8030 | Hig | 0.53 | 8.1 | 0.00 | Jul 22, 2025 | Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. | ||
| CVE-2025-8029 | Hig | 0.53 | 8.1 | 0.00 | Jul 22, 2025 | Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. | ||
| CVE-2025-6436 | Hig | 0.53 | 8.1 | 0.03 | Jun 24, 2025 | Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 140 and… | ||
| CVE-2025-6435 | Hig | 0.53 | 8.1 | 0.00 | Jun 24, 2025 | If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in… | ||
| CVE-2025-5269 | Hig | 0.53 | 8.1 | 0.00 | May 27, 2025 | Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird… | ||
| CVE-2025-5268 | Hig | 0.53 | 8.1 | 0.00 | May 27, 2025 | Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This… | ||
| CVE-2025-3909 | Hig | 0.53 | 8.1 | 0.00 | May 14, 2025 | Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as… | ||
| CVE-2025-4093 | Hig | 0.53 | 8.1 | 0.00 | Apr 29, 2025 | Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.10 and Thunderbird… | ||
| CVE-2025-4091 | Hig | 0.53 | 8.1 | 0.00 | Apr 29, 2025 | Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability… | ||
| CVE-2025-3034 | Hig | 0.53 | 8.1 | 0.00 | Apr 1, 2025 | Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137 and… | ||
| CVE-2025-3030 | Hig | 0.53 | 8.1 | 0.00 | Apr 1, 2025 | Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability… | ||
| CVE-2025-1943 | Hig | 0.53 | 8.2 | 0.00 | Mar 4, 2025 | Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 136 and… | ||
| CVE-2025-1932 | Hig | 0.53 | 8.1 | 0.00 | Mar 4, 2025 | An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. | ||
| CVE-2018-5178 | Hig | 0.53 | 8.1 | 0.05 | Jun 11, 2018 | A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8,… | ||
| CVE-2018-5163 | Hig | 0.53 | 8.1 | 0.02 | Jun 11, 2018 | If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this… | ||
| CVE-2018-5141 | Hig | 0.53 | 8.2 | 0.02 | Jun 11, 2018 | A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction. This could be used to open new tabs in a denial of service (DOS) attack or to display unwanted content from arbitrary URLs to… | ||
| CVE-2017-7813 | Hig | 0.53 | 8.2 | 0.02 | Jun 11, 2018 | Inside the JavaScript parser, a cast of an integer to a narrower type can result in data read from outside the buffer being parsed. This usually results in a non-exploitable crash, but can leak a limited amount of information from memory if it matches JavaScript identifier… | ||
| CVE-2017-7807 | Hig | 0.53 | 8.1 | 0.02 | Jun 11, 2018 | A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3,… | ||
| CVE-2017-7783 | Hig | 0.53 | 7.5 | 0.14 | Jun 11, 2018 | If a long user name is used in a username/password combination in a site URL (such as " http://UserName:Password@example.com"), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service. This vulnerability affects Firefox < 55. | ||
| CVE-2016-9896 | Hig | 0.53 | 8.1 | 0.02 | Jun 11, 2018 | Use-after-free while manipulating the "navigator" object within WebVR. Note: WebVR is not currently enabled by default. This vulnerability affects Firefox < 50.1. | ||
| CVE-2016-5266 | Hig | 0.53 | 8.1 | 0.02 | Aug 5, 2016 | Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site. | ||
| CVE-2016-1526 | Hig | 0.53 | 8.1 | 0.02 | Feb 13, 2016 | The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, incorrectly validates a size value, which allows remote attackers to obtain sensitive information or cause a denial of… | ||
| CVE-2006-5160 | Hig | 0.53 | 8.1 | 0.02 | Oct 5, 2006 | Multiple unspecified vulnerabilities in Mozilla Firefox have unspecified vectors and impact, as claimed during ToorCon 2006. NOTE: the vendor and original researchers have released a follow-up comment disputing this issue, in which one researcher states that "I have no… | ||
| CVE-2026-0878 | Hig | 0.52 | 8.0 | 0.00 | Jan 13, 2026 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. | ||
| CVE-2025-14322 | Hig | 0.52 | 8.0 | 0.00 | Dec 9, 2025 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | ||
| CVE-2016-9070 | Hig | 0.52 | 8.0 | 0.02 | Jun 11, 2018 | A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections. This vulnerability affects Firefox < 50. | ||
| CVE-2026-6776 | Hig | 0.51 | 7.8 | 0.00 | Apr 21, 2026 | Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | ||
| CVE-2018-5158 | Hig | 0.51 | 8.8 | 0.11 | Jun 11, 2018 | The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR <… | ||
| CVE-2018-5105 | Hig | 0.51 | 7.8 | 0.00 | Jun 11, 2018 | WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox < 58. | ||
| CVE-2017-7836 | Hig | 0.51 | 7.8 | 0.00 | Jun 11, 2018 | The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker… | ||
| CVE-2017-7814 | Hig | 0.51 | 7.8 | 0.01 | Jun 11, 2018 | File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables… | ||
| CVE-2017-7794 | Hig | 0.51 | 7.8 | 0.00 | Jun 11, 2018 | On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system.… | ||
| CVE-2017-7766 | Hig | 0.51 | 7.8 | 0.00 | Jun 11, 2018 | An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This… | ||
| CVE-2017-7760 | Hig | 0.51 | 7.8 | 0.00 | Jun 11, 2018 | The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance… | ||
| CVE-2017-7755 | Hig | 0.51 | 7.8 | 0.01 | Jun 11, 2018 | The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems.… | ||
| CVE-2016-5295 | Hig | 0.51 | 7.8 | 0.00 | Jun 11, 2018 | This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44. Note:… | ||
| CVE-2017-14892 | Hig | 0.51 | 7.8 | 0.00 | Mar 30, 2018 | In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access. | ||
| CVE-2017-11081 | Hig | 0.51 | 7.8 | 0.00 | Jan 10, 2018 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can… | ||
| CVE-2017-11698 | Hig | 0.51 | 7.8 | 0.01 | Dec 27, 2017 | Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. | ||
| CVE-2017-11697 | Hig | 0.51 | 7.8 | 0.01 | Dec 27, 2017 | The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file. | ||
| CVE-2017-11696 | Hig | 0.51 | 7.8 | 0.01 | Dec 27, 2017 | Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. | ||
| CVE-2017-11695 | Hig | 0.51 | 7.8 | 0.01 | Dec 27, 2017 | Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. | ||
| CVE-2017-14897 | Hig | 0.51 | 7.8 | 0.00 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while handling the QSEOS_RPMB_CHECK_PROV_STATUS_COMMAND, a userspace buffer is directly accessed in kernel space. | ||
| CVE-2017-11043 | Hig | 0.51 | 7.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a WiFI driver function, an integer overflow leading to heap buffer overflow may potentially occur. | ||
| CVE-2016-2826 | Hig | 0.51 | 7.8 | 0.00 | Jun 13, 2016 | The maintenance service in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 on Windows does not prevent MAR extracted-file modification during updater execution, which might allow local users to gain privileges via a Trojan horse file. | ||
| CVE-2025-3033 | Hig | 0.50 | 7.7 | 0.00 | Apr 1, 2025 | After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. *This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137. | ||
| CVE-2025-0241 | Hig | 0.50 | 7.7 | 0.01 | Jan 7, 2025 | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6. | ||
| CVE-2018-5094 | Hig | 0.50 | 7.5 | 0.15 | Jun 11, 2018 | A heap buffer overflow vulnerability may occur in WebAssembly when "shrinkElements" is called followed by garbage collection on memory that is now uninitialized. This results in a potentially exploitable crash. This vulnerability affects Firefox < 58. | ||
| CVE-2018-5093 | Hig | 0.50 | 7.5 | 0.20 | Jun 11, 2018 | A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 58. |
- risk 0.53cvss 8.1epss 0.00
XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
- risk 0.53cvss 8.1epss 0.00
Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
- risk 0.53cvss 8.1epss 0.00
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
- risk 0.53cvss 8.1epss 0.03
Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 140 and…
- risk 0.53cvss 8.1epss 0.00
If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in…
- risk 0.53cvss 8.1epss 0.00
Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird…
- risk 0.53cvss 8.1epss 0.00
Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This…
- risk 0.53cvss 8.1epss 0.00
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as…
- risk 0.53cvss 8.1epss 0.00
Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.10 and Thunderbird…
- risk 0.53cvss 8.1epss 0.00
Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability…
- risk 0.53cvss 8.1epss 0.00
Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137 and…
- risk 0.53cvss 8.1epss 0.00
Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability…
- risk 0.53cvss 8.2epss 0.00
Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 136 and…
- risk 0.53cvss 8.1epss 0.00
An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
- risk 0.53cvss 8.1epss 0.05
A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8,…
- risk 0.53cvss 8.1epss 0.02
If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this…
- risk 0.53cvss 8.2epss 0.02
A vulnerability in the notifications Push API where notifications can be sent through service workers by web content without direct user interaction. This could be used to open new tabs in a denial of service (DOS) attack or to display unwanted content from arbitrary URLs to…
- risk 0.53cvss 8.2epss 0.02
Inside the JavaScript parser, a cast of an integer to a narrower type can result in data read from outside the buffer being parsed. This usually results in a non-exploitable crash, but can leak a limited amount of information from memory if it matches JavaScript identifier…
- risk 0.53cvss 8.1epss 0.02
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3,…
- risk 0.53cvss 7.5epss 0.14
If a long user name is used in a username/password combination in a site URL (such as " http://UserName:Password@example.com"), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service. This vulnerability affects Firefox < 55.
- risk 0.53cvss 8.1epss 0.02
Use-after-free while manipulating the "navigator" object within WebVR. Note: WebVR is not currently enabled by default. This vulnerability affects Firefox < 50.1.
- risk 0.53cvss 8.1epss 0.02
Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site.
- risk 0.53cvss 8.1epss 0.02
The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, incorrectly validates a size value, which allows remote attackers to obtain sensitive information or cause a denial of…
- risk 0.53cvss 8.1epss 0.02
Multiple unspecified vulnerabilities in Mozilla Firefox have unspecified vectors and impact, as claimed during ToorCon 2006. NOTE: the vendor and original researchers have released a follow-up comment disputing this issue, in which one researcher states that "I have no…
- risk 0.52cvss 8.0epss 0.00
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
- risk 0.52cvss 8.0epss 0.00
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
- risk 0.52cvss 8.0epss 0.02
A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections. This vulnerability affects Firefox < 50.
- risk 0.51cvss 7.8epss 0.00
Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- risk 0.51cvss 8.8epss 0.11
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR <…
- risk 0.51cvss 7.8epss 0.00
WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox < 58.
- risk 0.51cvss 7.8epss 0.00
The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker…
- risk 0.51cvss 7.8epss 0.01
File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables…
- risk 0.51cvss 7.8epss 0.00
On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system.…
- risk 0.51cvss 7.8epss 0.00
An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This…
- risk 0.51cvss 7.8epss 0.00
The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance…
- risk 0.51cvss 7.8epss 0.01
The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems.…
- risk 0.51cvss 7.8epss 0.00
This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44. Note:…
- risk 0.51cvss 7.8epss 0.00
In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access.
- risk 0.51cvss 7.8epss 0.00
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can…
- risk 0.51cvss 7.8epss 0.01
Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
- risk 0.51cvss 7.8epss 0.01
The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.
- risk 0.51cvss 7.8epss 0.01
Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
- risk 0.51cvss 7.8epss 0.01
Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
- risk 0.51cvss 7.8epss 0.00
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while handling the QSEOS_RPMB_CHECK_PROV_STATUS_COMMAND, a userspace buffer is directly accessed in kernel space.
- risk 0.51cvss 7.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a WiFI driver function, an integer overflow leading to heap buffer overflow may potentially occur.
- risk 0.51cvss 7.8epss 0.00
The maintenance service in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 on Windows does not prevent MAR extracted-file modification during updater execution, which might allow local users to gain privileges via a Trojan horse file.
- risk 0.50cvss 7.7epss 0.00
After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. *This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137.
- risk 0.50cvss 7.7epss 0.01
When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
- risk 0.50cvss 7.5epss 0.15
A heap buffer overflow vulnerability may occur in WebAssembly when "shrinkElements" is called followed by garbage collection on memory that is now uninitialized. This results in a potentially exploitable crash. This vulnerability affects Firefox < 58.
- risk 0.50cvss 7.5epss 0.20
A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 58.
Page 10 of 73