Total
2387 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-9805 | 1 Mozilla | 1 Firefox | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption. This vulnerability affects Firefox < 66. | |||||
| CVE-2019-11699 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A malicious page can briefly cause the wrong name to be highlighted as the domain name in the addressbar during page navigations. This could result in user confusion of which site is currently loaded for spoofing attacks. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-9795 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | |||||
| CVE-2019-9813 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. | |||||
| CVE-2018-18498 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Firefox and 8 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| A potential vulnerability leading to an integer overflow can occur during buffer size calculations for images when a raw value is used instead of the checked value. This leads to a possible out-of-bounds write. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. | |||||
| CVE-2019-11700 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A hyperlink using the res: protocol can be used to open local files at a known location in Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-9798 | 2 Google, Mozilla | 2 Android, Firefox | 2020-08-24 | 5.8 MEDIUM | 7.4 HIGH |
| On Android systems, Firefox can load a library from APITRACE_LIB, which is writable by all users and applications. This could allow malicious third party applications to execute a man-in-the-middle attack if a malicious code was written to that location and loaded. *Note: This issue only affects Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66. | |||||
| CVE-2018-5122 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox < 58. | |||||
| CVE-2018-18497 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This vulnerability affects Firefox < 64. | |||||
| CVE-2019-17025 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Mozilla developers reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 72. | |||||
| CVE-2018-18496 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| When the RSS Feed preview about:feeds page is framed within another page, it can be used in concert with scripted content for a clickjacking attack that confuses users into downloading and executing an executable file from a temporary directory. *Note: This issue only affects Windows operating systems. Other operating systems are not affected.*. This vulnerability affects Firefox < 64. | |||||
| CVE-2019-17009 | 3 Microsoft, Mozilla, Opensuse | 5 Windows, Firefox, Firefox Esr and 2 more | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| When running, the updater service wrote status and log files to an unrestricted location; potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater service. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.*. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. | |||||
| CVE-2019-11754 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1. | |||||
| CVE-2019-11751 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. <br>*Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2019-11750 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2019-11748 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2018-12403 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. This vulnerability affects Firefox < 63. | |||||
| CVE-2018-18510 | 1 Mozilla | 1 Firefox | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| The about:crashcontent and about:crashparent pages can be triggered by web content. These pages are used to crash the loaded page or the browser for test purposes. This issue allows for a non-persistent denial of service (DOS) attack by a malicious site which links to these pages. This vulnerability affects Firefox < 64. | |||||
| CVE-2019-11749 | 1 Mozilla | 2 Firefox, Firefox Esr | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | |||||
| CVE-2019-11743 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-24 | 4.3 MEDIUM | 3.7 LOW |
| Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. | |||||