Mozilla Corporation

All CVEs

3,627 total · sorted by risk
  • CVE-2016-1943 · Med · Jan 31, 2016
    risk 0.31 · cvss 4.7 · epss 0.01

    Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via the scrollTo method.

  • CVE-2015-8508 · Med · Jan 3, 2016
    risk 0.31 · cvss 4.7 · epss 0.01

    Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or…

  • CVE-2015-8512 · Med · Jan 9, 2016
    risk 0.30 · cvss 4.6 · epss 0.00

    The lockscreen feature in Mozilla Firefox OS before 2.5 does not properly restrict failed authentication attempts, which makes it easier for physically proximate attackers to obtain access by entering many passcode guesses.

  • CVE-2020-12402 · Med · Jul 9, 2020
    risk 0.29 · cvss 4.4 · epss 0.00

    During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the…

  • CVE-2020-12399 · Med · Jul 9, 2020
    risk 0.29 · cvss 4.4 · epss 0.01

    NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

  • CVE-2026-53900 · Med · Jun 16, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.

  • CVE-2026-12320 · Med · Jun 16, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12303 · Med · Jun 16, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-10702 · Med · Jun 2, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.

  • CVE-2026-2919 · Med · Mar 9, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was…

  • CVE-2026-2032 · Med · Feb 16, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.

  • CVE-2026-0818 · Med · Jan 28, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer…

  • CVE-2026-0887 · Med · Jan 13, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-8364 · Med · Aug 19, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability was fixed in Firefox 141.

  • CVE-2025-6434 · Med · Jun 24, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140…

  • CVE-2025-6428 · Med · Jun 24, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability was…

  • CVE-2025-5266 · Med · May 27, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-5263 · Med · May 27, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-5020 · Med · May 21, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.

  • CVE-2025-27425 · Med · Mar 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2025-27424 · Med · Mar 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2025-1935 · Med · Mar 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

  • CVE-2025-1019 · Med · Feb 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

  • CVE-2025-23108 · Med · Jan 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Opening JavaScript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.

  • CVE-2024-0749 · Med · Jan 23, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7.

  • CVE-2024-0748 · Med · Jan 23, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.

  • CVE-2024-0742 · Med · Jan 23, 2024
    risk 0.28 · cvss 4.3 · epss 0.01

    It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

  • CVE-2023-6871 · Med · Dec 19, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler. This vulnerability affects Firefox < 121.

  • CVE-2023-6870 · Med · Dec 19, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox. *This issue only affects Android versions of Firefox and Firefox Focus.* This vulnerability affects Firefox < 121.

  • CVE-2023-6868 · Med · Dec 19, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. *This bug only affects Firefox on Android.* This vulnerability…

  • CVE-2023-6135 · Med · Dec 19, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

  • CVE-2023-50762 · Med · Dec 19, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally…

  • CVE-2023-50761 · Med · Dec 19, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time…

  • CVE-2023-5729 · Med · Oct 25, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    A malicious web site can enter fullscreen mode while simultaneously triggering a WebAuthn prompt. This could have obscured the fullscreen notification and could have been leveraged in a spoofing attack. This vulnerability affects Firefox < 119.

  • CVE-2023-5726 · Med · Oct 25, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. *Note: This issue only affected macOS operating systems. Other operating systems are unaffected.* This vulnerability…

  • CVE-2023-5725 · Med · Oct 25, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

  • CVE-2023-5721 · Med · Oct 25, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

  • CVE-2023-4581 · Med · Sep 11, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15,…

  • CVE-2023-32212 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    An attacker could have positioned a `datalist` element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

  • CVE-2023-32205 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

  • CVE-2023-29538 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Under specific circumstances a WebExtension may have received a jar:file:/// URI instead of a moz-extension:/// URI during a load request. This leaked directory paths on the user's machine. This vulnerability affects Firefox for Android < 112, Firefox <…

  • CVE-2023-29533 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.01

    A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks. This…

  • CVE-2023-28159 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects…

  • CVE-2023-25750 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. This vulnerability affects Firefox < 111.

  • CVE-2023-25749 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. *This bug only affects Firefox for…

  • CVE-2023-25748 · Med · Jun 2, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects…

  • CVE-2022-46877 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.01

    By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.

  • CVE-2022-45417 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have…

  • CVE-2022-3034 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.01

    When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

  • CVE-2022-38474 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    A website that had permission to access the microphone could record audio without the audio notification being shown. This bug does not allow the attacker to bypass the permission prompt - it only affects the notification shown once permission has been granted. *This bug…
