The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-07-12
Updated
2023-07-20
Service workers could reveal script base URL due to dynamic `import()`. This vulnerability affects Firefox < 113.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-06-19
Updated
2024-01-07
A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
Max CVSS
5.5
EPSS Score
0.04%
Published
2023-06-19
Updated
2023-06-27
A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Max CVSS
5.4
EPSS Score
0.08%
Published
2023-06-02
Updated
2023-06-08
When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary. *This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected.* This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.
Max CVSS
5.3
EPSS Score
0.11%
Published
2023-12-19
Updated
2024-02-02
The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Max CVSS
5.4
EPSS Score
0.09%
Published
2023-11-21
Updated
2023-11-30
An attacker with temporary script access to a site could have set a cookie containing invalid characters using `document.cookie` that could have led to unknown errors. This vulnerability affects Firefox < 119.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-10-25
Updated
2024-01-07
Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header. This vulnerability affects Firefox < 119.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-10-25
Updated
2024-01-07
When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1.
Max CVSS
5.5
EPSS Score
0.05%
Published
2023-08-01
Updated
2023-08-07
Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Max CVSS
5.9
EPSS Score
0.11%
Published
2023-08-01
Updated
2023-08-09
In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Max CVSS
5.3
EPSS Score
0.07%
Published
2023-08-01
Updated
2023-08-09
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Max CVSS
5.3
EPSS Score
0.07%
Published
2023-08-01
Updated
2023-08-09
When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.
Max CVSS
5.3
EPSS Score
0.15%
Published
2022-12-22
Updated
2023-01-04
When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.<br>This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.
Max CVSS
5.5
EPSS Score
0.05%
Published
2022-12-22
Updated
2023-01-03
Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Max CVSS
5.4
EPSS Score
0.09%
Published
2022-12-22
Updated
2022-12-30
A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Max CVSS
5.9
EPSS Score
0.13%
Published
2022-12-22
Updated
2022-12-31
An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
Max CVSS
5.5
EPSS Score
0.05%
Published
2022-12-22
Updated
2022-12-30
A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.
Max CVSS
5.3
EPSS Score
0.09%
Published
2021-06-24
Updated
2021-06-30
A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87.
Max CVSS
5.3
EPSS Score
0.23%
Published
2021-06-24
Updated
2021-06-30
Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue is only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.
Max CVSS
5.3
EPSS Score
0.15%
Published
2021-02-26
Updated
2022-05-27
If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.
Max CVSS
5.3
EPSS Score
0.09%
Published
2020-10-22
Updated
2020-10-30
The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.
Max CVSS
5.9
EPSS Score
0.13%
Published
2023-02-16
Updated
2023-02-28
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
Max CVSS
5.3
EPSS Score
0.25%
Published
2020-07-09
Updated
2022-05-03
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
Max CVSS
5.5
EPSS Score
0.05%
Published
2020-05-26
Updated
2022-04-26
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
Max CVSS
5.3
EPSS Score
0.12%
Published
2020-10-28
Updated
2023-02-20
325 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!