Total
109 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2005-0142 | 1 Mozilla | 3 Firefox, Mozilla, Thunderbird | 2017-10-10 | 2.1 LOW | N/A |
Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF. | |||||
CVE-2005-0255 | 1 Mozilla | 3 Firefox, Mozilla, Thunderbird | 2017-10-10 | 5.0 MEDIUM | N/A |
String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption. | |||||
CVE-2005-0578 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 2.1 LOW | N/A |
Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory. | |||||
CVE-2005-0584 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 2.6 LOW | N/A |
Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks. | |||||
CVE-2005-0585 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 2.6 LOW | N/A |
Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks. | |||||
CVE-2005-0586 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 2.6 LOW | N/A |
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content. | |||||
CVE-2005-0587 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 2.6 LOW | N/A |
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. | |||||
CVE-2005-0588 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 5.0 MEDIUM | N/A |
Firefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system. | |||||
CVE-2005-0590 | 1 Mozilla | 3 Firefox, Mozilla, Thunderbird | 2017-10-10 | 5.0 MEDIUM | N/A |
The installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname. | |||||
CVE-2005-0592 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 7.5 HIGH | N/A |
Heap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length value. | |||||
CVE-2002-1308 | 2 Mozilla, Netscape | 2 Mozilla, Navigator | 2017-10-09 | 7.5 HIGH | N/A |
Heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL that references a malformed .jar file, which overflows a buffer during decompression. | |||||
CVE-2004-0191 | 1 Mozilla | 1 Mozilla | 2017-10-09 | 6.8 MEDIUM | N/A |
Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. | |||||
CVE-2009-3010 | 1 Mozilla | 3 Firefox, Mozilla, Seamonkey | 2017-08-16 | 4.3 MEDIUM | N/A |
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site. | |||||
CVE-2005-4874 | 1 Mozilla | 1 Mozilla | 2017-08-07 | 4.3 MEDIUM | N/A |
The XMLHttpRequest object in Mozilla 1.7.8 supports the HTTP TRACE method, which allows remote attackers to obtain (1) proxy authentication passwords via a request with a "Max-Forwards: 0" header or (2) arbitrary local passwords on the web server that hosts this object. | |||||
CVE-2007-3144 | 1 Mozilla | 1 Mozilla | 2017-07-28 | 6.4 MEDIUM | N/A |
Visual truncation vulnerability in Mozilla 1.7.12 allows remote attackers to spoof the address bar and possibly conduct phishing attacks via a long hostname, which is truncated after a certain number of characters, as demonstrated by a phishing attack using HTTP Basic Authentication. | |||||
CVE-2005-4685 | 1 Mozilla | 2 Firefox, Mozilla | 2017-07-19 | 6.4 MEDIUM | N/A |
Firefox and Mozilla can associate a cookie with multiple domains when the DNS resolver has a non-root domain in its search list, which allows remote attackers to trick a user into accepting a cookie for a hostname formed via search-list expansion of the hostname entered by the user, or steal a cookie for an expanded hostname, as demonstrated by an attacker who operates an ap1.com Internet web site to steal cookies associated with an ap1.com.example.com intranet web site. | |||||
CVE-2006-0496 | 1 Mozilla | 2 Firefox, Mozilla | 2017-07-19 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibly earlier, Mozilla Firefox 1.0.7 and possibly earlier, and Netscape 8.1 and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the -moz-binding (Cascading Style Sheets) CSS property, which does not require that the style sheet have the same origin as the web page, as demonstrated by the compromise of a large number of LiveJournal accounts. | |||||
CVE-2005-4809 | 1 Mozilla | 3 Firefox, Mozilla, Thunderbird | 2017-07-19 | 5.0 MEDIUM | N/A |
Mozilla Firefox 1.0.1 and possibly other versions, including Mozilla and Thunderbird, allows remote attackers to spoof the URL in the Status Bar via an A HREF tag that contains a TABLE tag that contains another A tag. | |||||
CVE-2005-0215 | 1 Mozilla | 1 Mozilla | 2017-07-10 | 5.0 MEDIUM | N/A |
Mozilla 1.6 and possibly other versions allows remote attackers to cause a denial of service (application crash) via a XBM (X BitMap) file with a large (1) height or (2) width value. | |||||
CVE-2004-1753 | 2 Mozilla, Netscape | 3 Firefox, Mozilla, Navigator | 2017-07-10 | 2.6 LOW | N/A |
The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs. |