Mozilla Corporation

All CVEs

3,628 total · sorted by risk
  • CVE-2017-5417 · Med · Jun 11, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    When dragging content from the primary browser pane to the addressbar on a malicious site, it is possible to change the addressbar so that the displayed location following navigation does not match the URL of the newly loaded page. This allows for spoofing attacks. This…

  • CVE-2017-5408 · Med · Jun 11, 2018
    risk 0.35 · cvss 5.3 · epss 0.03

    Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and…

  • CVE-2017-5405 · Med · Jun 11, 2018
    risk 0.35 · cvss 5.3 · epss 0.03

    Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.

  • CVE-2017-5383 · Med · Jun 11, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

  • CVE-2016-9071 · Med · Jun 11, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    Content Security Policy combined with HTTP to HTTPS redirection can be used by a malicious server to verify whether a known site is within a user's browser history. This vulnerability affects Firefox < 50.

  • CVE-2016-5267 · Med · Aug 5, 2016
    risk 0.35 · cvss 5.3 · epss 0.01

    Mozilla Firefox before 48.0 on Android allows remote attackers to spoof the address bar via left-to-right characters in conjunction with a right-to-left character set.

  • CVE-2016-2817 · Med · Apr 30, 2016
    risk 0.35 · cvss 5.4 · epss 0.01

    The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS)…

  • CVE-2016-1940 · Med · Jan 31, 2016
    risk 0.35 · cvss 5.3 · epss 0.01

    Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing.

  • CVE-2016-1939 · Med · Jan 31, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    Mozilla Firefox before 44.0 stores cookies with names containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-7208.

  • CVE-2015-4000 · Low · May 21, 2015
    risk 0.35 · cvss 3.7 · epss 1.00

    The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by…

  • CVE-2026-12329 · Med · Jun 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.

  • CVE-2026-12308 · Med · Jun 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12307 · Med · Jun 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12306 · Med · Jun 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12301 · Med · Jun 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12300 · Med · Jun 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-8391 · Med · May 12, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

  • CVE-2026-6783 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-6779 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-6778 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-6777 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-6775 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-6767 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2026-6765 · Med · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2026-0888 · Med · Jan 13, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.

  • CVE-2026-0886 · Med · Jan 13, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2026-0883 · Med · Jan 13, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-8041 · Med · Aug 19, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability was fixed in Firefox 141.

  • CVE-2025-4090 · Med · Apr 29, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

  • CVE-2025-3035 · Med · Apr 1, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    By first using the AI chatbot in one tab and later activating it in another tab, the document title of the previous tab would leak into the chat prompt. This vulnerability was fixed in Firefox 137.

  • CVE-2025-26695 · Med · Mar 10, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.

  • CVE-2025-1018 · Med · Feb 4, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

  • CVE-2025-0238 · Med · Jan 7, 2025
    risk 0.34 · cvss 5.3 · epss 0.01

    Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Firefox ESR 115.19, Thunderbird 134, and Thunderbird 128.6.

  • CVE-2018-5109 · Med · Jun 11, 2018
    risk 0.34 · cvss 5.3 · epss 0.01

    An audio capture session can be started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to capture an…

  • CVE-2017-15837 · Med · Apr 3, 2018
    risk 0.34 · cvss 5.3 · epss 0.00

    In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a policy for the packet pattern attribute NL80211_PKTPAT_OFFSET is not defined which can lead to a buffer over-read…

  • CVE-2016-1948 · Med · Jan 31, 2016
    risk 0.34 · cvss 5.3 · epss 0.00

    Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is used for a lightweight-theme installation, which allows man-in-the-middle attackers to replace a theme's images and colors by modifying the client-server data stream.

  • CVE-2026-6654 · Med · Apr 20, 2026
    risk 0.33 · cvss 5.1 · epss 0.00

    Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero.

  • CVE-2025-4089 · Med · Apr 29, 2025
    risk 0.33 · cvss 5.1 · epss 0.00

    Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

  • CVE-2025-0243 · Med · Jan 7, 2025
    risk 0.33 · cvss 5.1 · epss 0.00

    Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability…

  • CVE-2016-2810 · Med · Apr 30, 2016
    risk 0.33 · cvss 5.0 · epss 0.01

    Mozilla Firefox before 46.0 on Android before 5.0 allows attackers to bypass intended Signature access requirements via a crafted application that leverages content-provider permissions, as demonstrated by reading the browser history or a saved password.

  • CVE-2026-12313 · Med · Jun 16, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12311 · Med · Jun 16, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2025-5265 · Med · May 27, 2025
    risk 0.31 · cvss 4.8 · epss 0.00

    Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of…

  • CVE-2025-5264 · Med · May 27, 2025
    risk 0.31 · cvss 4.8 · epss 0.00

    Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24,…

  • CVE-2025-4087 · Med · Apr 29, 2025
    risk 0.31 · cvss 4.8 · epss 0.00

    A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability was fixed in Firefox 138,…

  • CVE-2017-7796 · Med · Jun 11, 2018
    risk 0.31 · cvss 4.7 · epss 0.00

    On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete…

  • CVE-2016-5253 · Med · Aug 5, 2016
    risk 0.31 · cvss 4.7 · epss 0.00

    The Updater in Mozilla Firefox before 48.0 on Windows allows local users to write to arbitrary files via vectors involving the callback application-path parameter and a hard link.

  • CVE-2016-1947 · Med · Jan 31, 2016
    risk 0.31 · cvss 4.7 · epss 0.02

    Mozilla Firefox 43.x mishandles attempts to connect to the Application Reputation service, which makes it easier for remote attackers to trigger an unintended download by leveraging the absence of reputation data.

  • CVE-2016-1943 · Med · Jan 31, 2016
    risk 0.31 · cvss 4.7 · epss 0.01

    Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via the scrollTo method.

  • CVE-2015-8508 · Med · Jan 3, 2016
    risk 0.31 · cvss 4.7 · epss 0.01

    Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or…
