Filtered by vendor Mozilla
Subscribe
Total
2782 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-1491 | 7 Canonical, Debian, Fedoraproject and 4 more | 14 Ubuntu Linux, Debian Linux, Fedora and 11 more | 2020-07-31 | 4.3 MEDIUM | N/A |
| Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value. | |||||
| CVE-2014-1490 | 7 Canonical, Debian, Fedoraproject and 4 more | 14 Ubuntu Linux, Debian Linux, Fedora and 11 more | 2020-07-31 | 9.3 HIGH | N/A |
| Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket. | |||||
| CVE-2018-12371 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.1, Thunderbird < 60, and Firefox < 61. | |||||
| CVE-2020-12409 | 1 Mozilla | 1 Firefox | 2020-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL. This vulnerability affects Firefox < 77. | |||||
| CVE-2020-12412 | 1 Mozilla | 1 Firefox | 2020-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. This vulnerability affects Firefox < 70. | |||||
| CVE-2020-12414 | 1 Mozilla | 1 Firefox | 2020-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. This vulnerability affects Firefox for iOS < 27. | |||||
| CVE-2011-1187 | 2 Google, Mozilla | 4 Chrome, Firefox, Seamonkey and 1 more | 2020-06-03 | 5.0 MEDIUM | N/A |
| Google Chrome before 10.0.648.127 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, related to an "error message leak." | |||||
| CVE-2020-12390 | 1 Mozilla | 1 Firefox | 2020-05-29 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This vulnerability affects Firefox < 76. | |||||
| CVE-2020-6830 | 1 Mozilla | 1 Firefox | 2020-05-28 | 5.0 MEDIUM | 7.5 HIGH |
| For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for iOS < 25. | |||||
| CVE-2020-12389 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2020-05-27 | 7.5 HIGH | 10.0 CRITICAL |
| The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8 and Firefox < 76. | |||||
| CVE-2020-6824 | 1 Mozilla | 1 Firefox | 2020-05-01 | 1.9 LOW | 2.8 LOW |
| Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75. | |||||
| CVE-2020-6822 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-05-01 | 6.8 MEDIUM | 8.8 HIGH |
| On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in <code>GMPDecodeData</code>. It is possible that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. | |||||
| CVE-2020-6827 | 2 Google, Mozilla | 2 Android, Firefox Esr | 2020-05-01 | 4.3 MEDIUM | 4.7 MEDIUM |
| When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. <br> *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.7. | |||||
| CVE-2011-3062 | 2 Google, Mozilla | 6 Chrome, Firefox, Firefox Esr and 3 more | 2020-04-14 | 6.8 MEDIUM | N/A |
| Off-by-one error in the OpenType Sanitizer in Google Chrome before 18.0.1025.142 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted OpenType file. | |||||
| CVE-2020-6810 | 1 Mozilla | 1 Firefox | 2020-03-31 | 4.3 MEDIUM | 4.3 MEDIUM |
| After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74. | |||||
| CVE-2020-6813 | 1 Mozilla | 1 Firefox | 2020-03-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy. This vulnerability affects Firefox < 74. | |||||
| CVE-2020-6808 | 1 Mozilla | 1 Firefox | 2020-03-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by the document.location property, for example) was the originating javascript: URL which could lead to spoofing attacks; it is now correctly the URL of the originating document. This vulnerability affects Firefox < 74. | |||||
| CVE-2017-11695 | 1 Mozilla | 1 Network Security Services | 2020-03-16 | 4.6 MEDIUM | 7.8 HIGH |
| Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. | |||||
| CVE-2017-11696 | 1 Mozilla | 1 Network Security Services | 2020-03-16 | 4.6 MEDIUM | 7.8 HIGH |
| Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. | |||||
| CVE-2017-11697 | 1 Mozilla | 1 Network Security Services | 2020-03-16 | 4.6 MEDIUM | 7.8 HIGH |
| The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file. | |||||