Product:

Firefox

(Mozilla)
Repositories https://github.com/libevent/libevent
https://github.com/khaledhosny/ots
#Vulnerabilities 2639
Date Id Summary Products Score Patch Annotated
2019-07-23 CVE-2019-11711 When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Debian_linux, Firefox, Firefox_esr, Thunderbird 8.8
2019-07-23 CVE-2019-11717 A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Debian_linux, Firefox, Firefox_esr, Thunderbird, Suse_package_hub_for_suse_linux_enterprise, Leap 5.3
2019-07-23 CVE-2019-9811 As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Debian_linux, Firefox, Firefox_esr, Thunderbird, Suse_package_hub_for_suse_linux_enterprise, Leap 8.3
2020-05-26 CVE-2020-12388 The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8 and Firefox < 76. Firefox, Firefox_esr 10.0
2020-10-08 CVE-2020-12400 When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. Firefox 4.7
2020-10-08 CVE-2020-12401 During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. Firefox 4.7
2008-03-27 CVE-2008-1238 Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms. Firefox, Seamonkey N/A
2007-10-21 CVE-2007-5339 Multiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption or assert errors. Firefox, Seamonkey, Thunderbird N/A
2007-10-21 CVE-2007-5340 Multiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption. Firefox, Seamonkey, Thunderbird N/A
2007-11-26 CVE-2007-5960 Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent. Firefox, Seamonkey N/A