Filtered by vendor Mozilla
Subscribe
Total
2782 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-1582 | 1 Mozilla | 1 Firefox | 2016-12-21 | 4.3 MEDIUM | N/A |
| The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority. | |||||
| CVE-2014-1583 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 5.0 MEDIUM | N/A |
| The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm. | |||||
| CVE-2014-1584 | 1 Mozilla | 1 Firefox | 2016-12-21 | 4.3 MEDIUM | N/A |
| The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 skips pinning checks upon an unspecified issuer-verification error, which makes it easier for remote attackers to bypass an intended pinning configuration and spoof a web site via a crafted certificate that leads to presentation of the Untrusted Connection dialog to the user. | |||||
| CVE-2015-4522 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 7.5 HIGH | N/A |
| The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." | |||||
| CVE-2015-4521 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 7.5 HIGH | N/A |
| The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. | |||||
| CVE-2015-4517 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 7.5 HIGH | N/A |
| NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. | |||||
| CVE-2015-4512 | 2 Linux, Mozilla | 2 Linux Kernel, Firefox | 2016-12-21 | 6.4 MEDIUM | N/A |
| gfx/2d/DataSurfaceHelpers.cpp in Mozilla Firefox before 41.0 on Linux improperly attempts to use the Cairo library with 32-bit color-depth surface creation followed by 16-bit color-depth surface display, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) by using a CANVAS element to trigger 2D rendering. | |||||
| CVE-2015-4511 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 6.8 MEDIUM | N/A |
| Heap-based buffer overflow in the nestegg_track_codec_data function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via a crafted header in a WebM video. | |||||
| CVE-2015-4510 | 1 Mozilla | 1 Firefox | 2016-12-21 | 6.8 MEDIUM | N/A |
| Race condition in the WorkerPrivate::NotifyFeatures function in Mozilla Firefox before 41.0 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) by leveraging improper interaction between shared workers and the IndexedDB implementation. | |||||
| CVE-2015-4509 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 7.5 HIGH | N/A |
| Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176. | |||||
| CVE-2015-4508 | 1 Mozilla | 1 Firefox | 2016-12-21 | 2.6 LOW | N/A |
| Mozilla Firefox before 41.0, when reader mode is enabled, allows remote attackers to spoof the relationship between address-bar URLs and web content via a crafted web site. | |||||
| CVE-2015-4507 | 1 Mozilla | 1 Firefox | 2016-12-21 | 5.1 MEDIUM | N/A |
| The SavedStacks class in the JavaScript implementation in Mozilla Firefox before 41.0, when the Debugger API is enabled, allows remote attackers to cause a denial of service (getSlotRef assertion failure and application exit) or possibly execute arbitrary code via a crafted web site. | |||||
| CVE-2015-4506 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-21 | 6.8 MEDIUM | N/A |
| Buffer overflow in the vp9_init_context_buffers function in libvpx, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3, allows remote attackers to execute arbitrary code via a crafted VP9 file. | |||||
| CVE-2015-4505 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2016-12-21 | 6.6 MEDIUM | N/A |
| updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 on Windows allows local users to write to arbitrary files by conducting a junction attack and waiting for an update operation by the Mozilla Maintenance Service. | |||||
| CVE-2015-4516 | 1 Mozilla | 1 Firefox | 2016-12-21 | 9.3 HIGH | N/A |
| Mozilla Firefox before 41.0 allows remote attackers to bypass certain ECMAScript 5 (aka ES5) API protection mechanisms and modify immutable properties, and consequently execute arbitrary JavaScript code with chrome privileges, via a crafted web page that does not use ES5 APIs. | |||||
| CVE-2015-4504 | 1 Mozilla | 1 Firefox | 2016-12-21 | 6.4 MEDIUM | N/A |
| The lut_inverse_interp16 function in the QCMS library in Mozilla Firefox before 41.0 allows remote attackers to obtain sensitive information or cause a denial of service (buffer over-read and application crash) via crafted attributes in the ICC 4 profile of an image. | |||||
| CVE-2015-4503 | 1 Mozilla | 1 Firefox | 2016-12-21 | 5.0 MEDIUM | N/A |
| The TCP Socket API implementation in Mozilla Firefox before 41.0 mishandles array boundaries that were established with a navigator.mozTCPSocket.open method call and send method calls, which allows remote TCP servers to obtain sensitive information from process memory by reading packet data, as demonstrated by availability of this API in a Firefox OS application. | |||||
| CVE-2015-0835 | 1 Mozilla | 1 Firefox | 2016-12-21 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 36.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | |||||
| CVE-2015-8509 | 1 Mozilla | 1 Bugzilla | 2016-12-07 | 4.3 MEDIUM | 3.5 LOW |
| Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code. | |||||
| CVE-2015-8508 | 1 Mozilla | 1 Bugzilla | 2016-12-07 | 2.6 LOW | 4.7 MEDIUM |
| Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary. | |||||