Total
2387 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-7182 | 2 Mozilla, Oracle | 8 Firefox, Firefox Esr, Network Security Services and 5 more | 2017-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data. | |||||
| CVE-2016-1978 | 1 Mozilla | 2 Firefox, Network Security Services | 2017-11-03 | 7.5 HIGH | 7.3 HIGH |
| Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption. | |||||
| CVE-2016-1979 | 1 Mozilla | 2 Firefox, Network Security Services | 2017-11-03 | 6.8 MEDIUM | 8.8 HIGH |
| Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding. | |||||
| CVE-2015-7181 | 1 Mozilla | 3 Firefox, Firefox Esr, Network Security Services | 2017-11-03 | 7.5 HIGH | N/A |
| The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue. | |||||
| CVE-2015-7183 | 1 Mozilla | 3 Firefox, Firefox Esr, Network Security Services | 2017-10-19 | 7.5 HIGH | N/A |
| Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. | |||||
| CVE-2006-5462 | 1 Mozilla | 4 Firefox, Network Security Services, Seamonkey and 1 more | 2017-10-10 | 6.4 MEDIUM | N/A |
| Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340. | |||||
| CVE-2005-1477 | 1 Mozilla | 1 Firefox | 2017-10-10 | 5.1 MEDIUM | N/A |
| The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site. | |||||
| CVE-2005-1532 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 7.5 HIGH | N/A |
| Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160. | |||||
| CVE-2005-1531 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 7.5 HIGH | N/A |
| Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant." | |||||
| CVE-2005-2705 | 1 Mozilla | 2 Firefox, Mozilla Suite | 2017-10-10 | 7.5 HIGH | N/A |
| Integer overflow in the JavaScript engine in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 might allow remote attackers to execute arbitrary code. | |||||
| CVE-2005-1160 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 5.1 MEDIUM | N/A |
| The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object. | |||||
| CVE-2005-2706 | 1 Mozilla | 2 Firefox, Mozilla Suite | 2017-10-10 | 6.4 MEDIUM | N/A |
| Firefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote attackers to execute Javascript with chrome privileges via an about: page such as about:mozilla. | |||||
| CVE-2005-2707 | 1 Mozilla | 2 Firefox, Mozilla Suite | 2017-10-10 | 5.0 MEDIUM | N/A |
| Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spawn windows without user interface components such as the address and status bar, which could be used to conduct spoofing or phishing attacks. | |||||
| CVE-2005-1159 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 7.5 HIGH | N/A |
| The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type. | |||||
| CVE-2005-3089 | 1 Mozilla | 1 Firefox | 2017-10-10 | 2.6 LOW | N/A |
| Firefox 1.0.6 allows attackers to cause a denial of service (crash) via a Proxy Auto-Config (PAC) script that uses an eval statement. NOTE: it is not clear whether an untrusted party has any role in triggering this issue, so it might not be a vulnerability. | |||||
| CVE-2005-1158 | 1 Mozilla | 1 Firefox | 2017-10-10 | 5.0 MEDIUM | N/A |
| Multiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar. | |||||
| CVE-2005-1157 | 2 Mozilla, Netscape | 3 Firefox, Mozilla, Navigator | 2017-10-10 | 7.5 HIGH | N/A |
| Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to replace existing search plugins with malicious ones using sidebar.addSearchEngine and the same filename as the target engine, which may not be displayed in the GUI, which could then be used to execute malicious script, aka "Firesearching 2." | |||||
| CVE-2005-1156 | 2 Mozilla, Netscape | 3 Firefox, Mozilla, Navigator | 2017-10-10 | 7.5 HIGH | N/A |
| Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1." | |||||
| CVE-2005-1155 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 7.5 HIGH | N/A |
| The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking." | |||||
| CVE-2005-1154 | 1 Mozilla | 2 Firefox, Mozilla | 2017-10-10 | 7.5 HIGH | N/A |
| Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope pollution." | |||||