Total
1332 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23599 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. | |||||
CVE-2023-25737 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 8.8 HIGH |
An invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. | |||||
CVE-2023-29542 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2023-12-10 | N/A | 9.8 CRITICAL |
A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. | |||||
CVE-2023-0616 | 1 Mozilla | 1 Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack. This vulnerability affects Thunderbird < 102.8. | |||||
CVE-2023-25742 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. | |||||
CVE-2022-22747 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. | |||||
CVE-2022-36318 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 5.3 MEDIUM |
When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. | |||||
CVE-2022-22738 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 8.8 HIGH |
Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. | |||||
CVE-2022-26485 | 1 Mozilla | 4 Firefox, Firefox Esr, Firefox Focus and 1 more | 2023-12-10 | N/A | 8.8 HIGH |
Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. | |||||
CVE-2022-26383 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 4.3 MEDIUM |
When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. | |||||
CVE-2020-15685 | 1 Mozilla | 1 Thunderbird | 2023-12-10 | N/A | 8.8 HIGH |
During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. This vulnerability affects Thunderbird < 78.7. | |||||
CVE-2022-3034 | 1 Mozilla | 1 Thunderbird | 2023-12-10 | N/A | 4.3 MEDIUM |
When receiving an HTML email that specified to load an <code>iframe</code> element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. | |||||
CVE-2022-34484 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 8.8 HIGH |
The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. | |||||
CVE-2022-45406 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 9.8 CRITICAL |
If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | |||||
CVE-2022-40958 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. | |||||
CVE-2022-22761 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 8.8 HIGH |
Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. | |||||
CVE-2022-22743 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 4.3 MEDIUM |
When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. | |||||
CVE-2022-29912 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 6.1 MEDIUM |
Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. | |||||
CVE-2022-45416 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 6.5 MEDIUM |
Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | |||||
CVE-2022-42927 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | N/A | 8.1 HIGH |
A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via `performance.getEntries()`. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. |