Vulnerabilities (CVE)

Filtered by vendor Mozilla Subscribe
Filtered by product Thunderbird
Total 1071 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-6797 2 Apple, Mozilla 4 Macos, Firefox, Firefox Esr and 1 more 2021-09-16 4.3 MEDIUM 4.3 MEDIUM
By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note: this issue only occurs on Mac OSX. Other operating systems are unaffected. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5.
CVE-2019-9815 2 Apple, Mozilla 4 Macos, Firefox, Firefox Esr and 1 more 2021-09-08 6.8 MEDIUM 8.1 HIGH
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
CVE-2021-29987 2 Linux, Mozilla 3 Linux Kernel, Firefox, Thunderbird 2021-08-25 4.3 MEDIUM 6.5 MEDIUM
After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.
CVE-2021-29986 2 Linux, Mozilla 4 Linux Kernel, Firefox, Firefox Esr and 1 more 2021-08-25 6.8 MEDIUM 8.1 HIGH
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29989 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-25 6.8 MEDIUM 8.8 HIGH
Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29988 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-25 6.8 MEDIUM 8.8 HIGH
Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29984 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-25 6.8 MEDIUM 8.8 HIGH
Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29982 1 Mozilla 2 Firefox, Thunderbird 2021-08-25 4.3 MEDIUM 6.5 MEDIUM
Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. This vulnerability affects Firefox < 91 and Thunderbird < 91.
CVE-2021-29985 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-25 6.8 MEDIUM 8.8 HIGH
A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29981 1 Mozilla 2 Firefox, Thunderbird 2021-08-25 6.8 MEDIUM 8.8 HIGH
An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. This vulnerability affects Firefox < 91 and Thunderbird < 91.
CVE-2021-29980 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-25 6.8 MEDIUM 8.8 HIGH
Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29976 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-12 6.8 MEDIUM 8.8 HIGH
Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.
CVE-2021-29970 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-12 5.1 MEDIUM 8.8 HIGH
A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.
CVE-2021-29969 1 Mozilla 1 Thunderbird 2021-08-12 4.3 MEDIUM 5.9 MEDIUM
If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12.
CVE-2021-23982 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-06 4.3 MEDIUM 6.5 MEDIUM
Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
CVE-2021-23981 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-06 5.8 MEDIUM 8.1 HIGH
A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
CVE-2021-23984 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-06 4.3 MEDIUM 6.5 MEDIUM
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
CVE-2021-23987 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-06 6.8 MEDIUM 8.8 HIGH
Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
CVE-2015-2716 4 Mozilla, Novell, Opensuse and 1 more 8 Firefox, Firefox Esr, Thunderbird and 5 more 2021-07-31 7.5 HIGH N/A
Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.
CVE-2015-4000 12 Apple, Canonical, Debian and 9 more 25 Iphone Os, Mac Os X, Safari and 22 more 2021-07-23 4.3 MEDIUM 3.7 LOW
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.