VYPR · Vendor CVEs

Mozilla Corporation: All CVEs

3,627 total · sorted by risk
  • CVE-2022-36315 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103.

  • CVE-2022-34472 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.01

    If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

  • CVE-2022-31745 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    If array shift operations are not used, the Garbage Collector may have become confused about valid objects. This vulnerability affects Firefox < 101.

  • CVE-2022-29915 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.

  • CVE-2022-26383 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.01

    When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

  • CVE-2022-26382 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have led to this text being inferred by the webpage. This vulnerability affects…

  • CVE-2022-22762 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    Under certain circumstances, a JavaScript alert (or prompt) could have been shown while another website was displayed underneath it. This could have been abused to trick the user. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This…

  • CVE-2022-22749 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 96.

  • CVE-2022-22743 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.01

    When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

  • CVE-2022-1520 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message…

  • CVE-2021-4221 · Med · Dec 22, 2022
    risk 0.28 · cvss 4.3 · epss 0.00

    If a domain name contained an RTL character, it would cause the domain to be rendered to the right of the path. This could lead to user confusion and spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.* *Note*: Due to a…

  • CVE-2021-43546 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

  • CVE-2021-43538 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR <…

  • CVE-2021-43533 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing. This vulnerability affects Firefox < 94.

  • CVE-2021-43531 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.00

    When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web…

  • CVE-2021-38509 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.02

    Due to an unusual sequence of attacker-controlled events, a JavaScript alert() dialog with arbitrary (although unstyled) contents could be displayed on top of an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and…

  • CVE-2021-38508 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.02

    By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability…

  • CVE-2021-38506 · Med · Dec 8, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

  • CVE-2021-29974 · Med · Aug 5, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.)…

  • CVE-2021-29963 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.00

    Address bar search suggestions in private browsing mode were re-using session data from normal mode. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 89.

  • CVE-2021-29962 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    Firefox for Android would become unstable and hard to recover when a website opened too many popups. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 89.

  • CVE-2021-29961 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When styling and rendering an oversized `` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.

  • CVE-2021-29960 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have led to the title of a website visited during private browsing mode…

  • CVE-2021-29959 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling…

  • CVE-2021-29958 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS < 34.

  • CVE-2021-29957 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2.

  • CVE-2021-29956 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported…

  • CVE-2021-24001 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    A compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure that was not restricted to testing-only configurations. This vulnerability affects Firefox < 88.

  • CVE-2021-23992 · Med · Jun 24, 2021
    risk 0.28 · cvss 4.3 · epss 0.00

    Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted…

  • CVE-2021-23963 · Med · Feb 26, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85.

  • CVE-2021-23953 · Med · Feb 26, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

  • CVE-2021-23969 · Med · Feb 26, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid…

  • CVE-2021-23968 · Med · Feb 26, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability…

  • CVE-2020-35111 · Med · Jan 7, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This…

  • CVE-2020-26963 · Med · Dec 9, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    Repeated calls to the history and location interfaces could have been used to hang the browser. This was addressed by introducing rate-limiting to these API calls. This vulnerability affects Firefox < 83.

  • CVE-2020-26954 · Med · Dec 9, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to…

  • CVE-2020-26953 · Med · Dec 9, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

  • CVE-2020-15668 · Med · Oct 1, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    A lock was missing when accessing a data structure and importing certificate information into the trust database. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

  • CVE-2020-15665 · Med · Oct 1, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    Firefox did not reset the address bar after the beforeunload dialog was shown if the user chose to remain on the page. This could have resulted in an incorrect URL being shown when used in conjunction with other unexpected browser behaviors. This vulnerability affects Firefox <…

  • CVE-2020-15651 · Med · Aug 10, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    A Unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.

  • CVE-2020-12412 · Med · Jul 9, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. This vulnerability affects Firefox < 70.

  • CVE-2020-12404 · Med · Jul 9, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26.

  • CVE-2020-12397 · Med · May 22, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0.

  • CVE-2020-6810 · Med · Mar 25, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin…

  • CVE-2020-6797 · Med · Mar 2, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application,…

  • CVE-2020-6792 · Med · Mar 2, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5.

  • CVE-2013-5594 · Med · Feb 18, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    Mozilla Firefox before 25 allows modification of anonymous content of the pluginProblem.xml binding.

  • CVE-2019-17002 · Med · Jan 8, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    If upgrade-insecure-requests was specified in the Content Security Policy, and a link was dragged and dropped from that page, the link was not upgraded to https. This vulnerability affects Firefox < 70.

  • CVE-2019-11754 · Med · Sep 27, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    When the pointer lock is enabled by a website through requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1.

  • CVE-2019-11749 · Med · Sep 27, 2019
    risk 0.28 · cvss 4.3 · epss 0.01

    A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting…

Page 37 of 73