VYPR

Vendor CVEs

Mozilla Corporation

All CVEs

3,626 total · sorted by risk
  • CVE-2005-0588May 2, 2005
    risk 0.00cvss epss 0.02

    Firefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system.

  • CVE-2005-0142May 2, 2005
    risk 0.00cvss epss 0.00

    Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper…

  • CVE-2005-0141May 2, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.

  • CVE-2005-0146May 2, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to obtain sensitive data from the clipboard via Javascript that generates a middle-click event on systems for which a middle-click performs a paste operation.

  • CVE-2005-0586May 2, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content.

  • CVE-2005-0589May 2, 2005
    risk 0.00cvss epss 0.01

    The Form Fill feature in Firefox before 1.0.1 allows remote attackers to steal potentially sensitive information via an input control that monitors the values that are generated by the autocomplete capability.

  • CVE-2005-0215May 2, 2005
    risk 0.00cvss epss 0.01

    Mozilla 1.6 and possibly other versions allows remote attackers to cause a denial of service (application crash) via a XBM (X BitMap) file with a large (1) height or (2) width value.

  • CVE-2005-0402May 2, 2005
    risk 0.00cvss epss 0.03

    Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page.

  • CVE-2005-1160May 2, 2005
    risk 0.00cvss epss 0.03

    The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object.

  • CVE-2005-0148May 2, 2005
    risk 0.00cvss epss 0.01

    Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system.…

  • CVE-2005-0584May 2, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks.

  • CVE-2005-1153May 2, 2005
    risk 0.00cvss epss 0.04

    Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option.

  • CVE-2005-0238May 2, 2005
    risk 0.00cvss epss 0.02

    The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing…

  • CVE-2005-0578May 2, 2005
    risk 0.00cvss epss 0.00

    Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.

  • CVE-2005-1156May 2, 2005
    risk 0.00cvss epss 0.02

    Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1."

  • CVE-2005-0144May 2, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.

  • CVE-2005-1159May 2, 2005
    risk 0.00cvss epss 0.03

    The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which…

  • CVE-2005-0232May 2, 2005
    risk 0.00cvss epss 0.03

    Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka…

  • CVE-2005-0590May 2, 2005
    risk 0.00cvss epss 0.02

    The installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears…

  • CVE-2005-0401May 2, 2005
    risk 0.00cvss epss 0.03

    FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of…

  • CVE-2005-0255May 2, 2005
    risk 0.00cvss epss 0.04

    String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service…

  • CVE-2005-0591May 2, 2005
    risk 0.00cvss epss 0.02

    Firefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing."

  • CVE-2005-1154May 2, 2005
    risk 0.00cvss epss 0.02

    Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope…

  • CVE-2005-1158May 2, 2005
    risk 0.00cvss epss 0.01

    Multiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar.

  • CVE-2005-0752Apr 18, 2005
    risk 0.00cvss epss 0.04

    The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag.

  • CVE-2005-0592Mar 25, 2005
    risk 0.00cvss epss 0.04

    Heap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length…

  • CVE-2005-0585Mar 25, 2005
    risk 0.00cvss epss 0.02

    Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.

  • CVE-2005-0143Mar 23, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.

  • CVE-2005-0593Mar 4, 2005
    risk 0.00cvss epss 0.02

    Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed…

  • CVE-2005-0149Feb 15, 2005
    risk 0.00cvss epss 0.02

    Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers to bypass the user's intended privacy and security policy by using cookies in e-mail messages.

  • CVE-2005-0231Feb 7, 2005
    risk 0.00cvss epss 0.03

    Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."

  • CVE-2005-0145Jan 24, 2005
    risk 0.00cvss epss 0.01

    Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.

  • CVE-2004-1061Jan 4, 2005
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter.

  • CVE-2004-1451Dec 31, 2004
    risk 0.00cvss epss 0.01

    Mozilla before 1.6 does not display the entire URL in the status bar when a link contains %00, which could allow remote attackers to trick users into clicking on unknown or untrusted sites and facilitate phishing attacks.

  • CVE-2004-1753Dec 31, 2004
    risk 0.00cvss epss 0.02

    The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing…

  • CVE-2004-2657Dec 31, 2004
    risk 0.00cvss epss 0.00

    Mozilla Firefox 1.5.0.1, and possibly other versions, preserves some records of user activity even after uninstalling, which allows local users who share a Windows profile to view the records after a new installation of Firefox, as reported for the list of Passwords Never Saved…

  • CVE-2004-1450Dec 31, 2004
    risk 0.00cvss epss 0.01

    Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows remote attackers to read arbitrary files in known locations.

  • CVE-2004-2227Dec 31, 2004
    risk 0.00cvss epss 0.02

    Mozilla Firefox before 1.0 truncates long filenames in the file download dialog box, which makes it easier for remote attackers to trick users into downloading files with dangerous extensions.

  • CVE-2004-0909Dec 31, 2004
    risk 0.00cvss epss 0.02

    Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege…

  • CVE-2004-2228Dec 31, 2004
    risk 0.00cvss epss 0.00

    Mozilla Firefox before 1.0 is installed with world-writable permissions on Mac OS X, which allows local users to gain privileges.

  • CVE-2004-1156Dec 31, 2004
    risk 0.00cvss epss 0.01

    Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka…

  • CVE-2004-0907Dec 31, 2004
    risk 0.00cvss epss 0.00

    The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8, create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code.

  • CVE-2004-1200Dec 31, 2004
    risk 0.00cvss epss 0.02

    Firefox and Mozilla allow remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.

  • CVE-2004-2226Dec 31, 2004
    risk 0.00cvss epss 0.01

    Mozilla Mail 1.7.1 and 1.7.3, and Thunderbird before 0.9, when HTML-Mails is enabled, allows remote attackers to determine valid e-mail addresses via an HTML e-mail that references a Cascading Style Sheets (CSS) document on the attacker's server.

  • CVE-2004-0908Dec 31, 2004
    risk 0.00cvss epss 0.02

    Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins.

  • CVE-2004-0906Dec 31, 2004
    risk 0.00cvss epss 0.00

    The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.

  • CVE-2004-2225Dec 31, 2004
    risk 0.00cvss epss 0.02

    Mozilla Firefox before 0.10.1 allows remote attackers to delete arbitrary files in the download directory via a crafted data: URI that is not properly handled when the user clicks the Save button.

  • CVE-2004-1449Dec 31, 2004
    risk 0.00cvss epss 0.01

    Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allows remote attackers to determine the location of files on a user's hard drive by obscuring a file upload control and tricking the user into dragging text into that control.

  • CVE-2004-2659Dec 31, 2004
    risk 0.00cvss epss 0.01

    Opera offers an Open button to verify that a user wishes to execute a downloaded file, which allows user-assisted remote attackers to construct a race condition that tricks a user into clicking Open via a request for a different mouse or keyboard action very shortly before the…

  • CVE-2004-1316Dec 29, 2004
    risk 0.00cvss epss 0.03

    Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being…