Total
2387 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14953 | 2 Jetbrains, Mozilla | 2 Youtrack, Firefox | 2019-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser. | |||||
| CVE-2019-11737 | 1 Mozilla | 1 Firefox | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69. | |||||
| CVE-2019-11708 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-08-15 | 10.0 HIGH | 10.0 CRITICAL |
| Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. | |||||
| CVE-2019-11716 | 1 Mozilla | 1 Firefox | 2019-08-15 | 7.5 HIGH | 8.3 HIGH |
| Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11714 | 1 Mozilla | 1 Firefox | 2019-08-15 | 7.5 HIGH | 9.8 CRITICAL |
| Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11727 | 1 Mozilla | 1 Firefox | 2019-07-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. | |||||
| CVE-2019-11712 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-29 | 6.8 MEDIUM | 8.8 HIGH |
| POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2019-11715 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2019-11713 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2019-11697 | 1 Mozilla | 1 Firefox | 2019-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| If the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the install prompt delay that keeps the prompt visible in order for users to accept or decline the installation. A malicious web page could use this with spoofing on the page to trick users into installing a malicious extension. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-11698 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | |||||
| CVE-2019-11696 | 1 Mozilla | 1 Firefox | 2019-07-28 | 6.8 MEDIUM | 7.8 HIGH |
| Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local system. This could allow users to mistakenly launch an executable binary locally. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-11701 | 1 Mozilla | 1 Firefox | 2019-07-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default webcal: protocol handler will load a web site vulnerable to cross-site scripting (XSS) attacks. This default was left in place as a legacy feature and has now been removed. *Note: this issue only affects users with an account on the vulnerable service. Other users are unaffected.*. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-11691 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-26 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | |||||
| CVE-2019-9817 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | |||||
| CVE-2019-9820 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-26 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | |||||
| CVE-2019-11692 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur when listeners are removed from the event listener manager while still in use, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | |||||
| CVE-2011-1300 | 3 Google, Microsoft, Mozilla | 3 Chrome, Windows, Firefox | 2019-07-18 | 10.0 HIGH | N/A |
| The Program::getActiveUniformMaxLength function in libGLESv2/Program.cpp in libGLESv2.dll in the WebGLES library in Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox 4.x before 4.0.1 on Windows and in the GPU process in Google Chrome before 10.0.648.205 on Windows, allows remote attackers to execute arbitrary code via unspecified vectors, related to an "off-by-three" error. | |||||
| CVE-2019-9796 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-06-26 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | |||||
| CVE-2016-9896 | 1 Mozilla | 1 Firefox | 2019-06-25 | 6.8 MEDIUM | 8.1 HIGH |
| Use-after-free while manipulating the "navigator" object within WebVR. Note: WebVR is not currently enabled by default. This vulnerability affects Firefox < 50.1. | |||||