Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Mozilla Subscribe
Filtered by product Firefox
Total 2387 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-43533 1 Mozilla 1 Firefox 2021-12-10 4.3 MEDIUM 4.3 MEDIUM
When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing. This vulnerability affects Firefox < 94.
CVE-2021-43544 2 Google, Mozilla 2 Android, Firefox 2021-12-10 4.3 MEDIUM 6.1 MEDIUM
When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to XSS and spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 95.
CVE-2021-29991 1 Mozilla 2 Firefox, Thunderbird 2021-11-04 5.8 MEDIUM 8.1 HIGH
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.
CVE-2021-29993 1 Mozilla 1 Firefox 2021-11-04 5.8 MEDIUM 8.1 HIGH
Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92.
CVE-2021-38497 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-11-04 4.3 MEDIUM 6.5 MEDIUM
Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.
CVE-2021-38498 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-11-04 5.0 MEDIUM 7.5 HIGH
During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.
CVE-2021-38501 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-11-04 6.8 MEDIUM 8.8 HIGH
Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.
CVE-2015-2742 3 Apple, Mozilla, Oracle 3 Macos, Firefox, Solaris 2021-09-22 4.3 MEDIUM N/A
Mozilla Firefox before 39.0 on OS X includes native key press information during the logging of crashes, which allows remote attackers to obtain sensitive information by leveraging access to a crash-reporting data stream.
CVE-2013-6853 3 Apple, Mozilla, Yahoo 3 Macos, Firefox, Toolbar 2021-09-22 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolbar plugin for FireFox 3.1.0.20130813024103 for Mac, and 2.5.9.2013418100420 for Windows, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is stored by the victim.
CVE-2021-29961 1 Mozilla 1 Firefox 2021-09-20 4.3 MEDIUM 4.3 MEDIUM
When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.
CVE-2021-29960 1 Mozilla 1 Firefox 2021-09-20 4.3 MEDIUM 4.3 MEDIUM
Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have lead to the title of a website visited during private browsing mode being stored on disk. This vulnerability affects Firefox < 89.
CVE-2020-6797 2 Apple, Mozilla 4 Macos, Firefox, Firefox Esr and 1 more 2021-09-16 4.3 MEDIUM 4.3 MEDIUM
By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note: this issue only occurs on Mac OSX. Other operating systems are unaffected. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5.
CVE-2019-9815 2 Apple, Mozilla 4 Macos, Firefox, Firefox Esr and 1 more 2021-09-08 6.8 MEDIUM 8.1 HIGH
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
CVE-2021-29983 2 Google, Mozilla 2 Android, Firefox 2021-08-25 4.3 MEDIUM 6.5 MEDIUM
Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91.
CVE-2021-29973 1 Mozilla 1 Firefox 2021-08-12 6.8 MEDIUM 8.8 HIGH
Password autofill was enabled without user interaction on insecure websites on Firefox for Android. This was corrected to require user interaction with the page before a user's password would be entered by the browser's autofill functionality *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.
CVE-2021-29971 1 Mozilla 1 Firefox 2021-08-12 7.5 HIGH 9.8 CRITICAL
If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.
CVE-2021-23982 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-06 4.3 MEDIUM 6.5 MEDIUM
Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
CVE-2021-23986 1 Mozilla 1 Firefox 2021-08-06 4.3 MEDIUM 6.5 MEDIUM
A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87.
CVE-2021-23984 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-08-06 4.3 MEDIUM 6.5 MEDIUM
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
CVE-2015-2716 4 Mozilla, Novell, Opensuse and 1 more 8 Firefox, Firefox Esr, Thunderbird and 5 more 2021-07-31 7.5 HIGH N/A
Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.