Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Firefox
(Mozilla)Repositories |
• https://github.com/libevent/libevent
• https://github.com/khaledhosny/ots |
#Vulnerabilities | 2708 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-01-08 | CVE-2019-17021 | During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | Firefox, Firefox_esr, Leap | 5.3 | ||
2020-05-26 | CVE-2020-12387 | A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. | Firefox, Firefox_esr, Thunderbird | 8.1 | ||
2015-07-06 | CVE-2015-2742 | Mozilla Firefox before 39.0 on OS X includes native key press information during the logging of crashes, which allows remote attackers to obtain sensitive information by leveraging access to a crash-reporting data stream. | Firefox, Solaris | N/A | ||
2019-07-23 | CVE-2019-9815 | If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | Firefox, Firefox_esr, Thunderbird | 8.1 | ||
2009-07-22 | CVE-2009-2472 | Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass." | Fedora, Firefox, Opensuse, Linux_enterprise_debuginfo, Linux_enterprise_desktop, Linux_enterprise_server | N/A | ||
2004-09-16 | CVE-2004-0866 | Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. | Konqueror, Ie, Internet_explorer, Firefox, Suse_linux | N/A | ||
2004-12-23 | CVE-2004-0867 | Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected. | Konqueror, Ie, Internet_explorer, Firefox, Suse_linux | N/A | ||
2007-07-27 | CVE-2007-4041 | Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 and 3.0alpha allow remote attackers to execute arbitrary commands via a NULL byte (%00) and shell metacharacters in a (1) mailto, (2) nntp, (3) news, (4) snews, or (5) telnet URI, a similar issue to CVE-2007-3670. | Internet_explorer, Firefox | N/A | ||
2007-07-10 | CVE-2007-3670 | Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711,... | Internet_explorer, Firefox | N/A | ||
2007-04-26 | CVE-2007-2292 | CRLF injection vulnerability in the Digest Authentication support for Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allows remote attackers to conduct HTTP request splitting attacks via LF (%0a) bytes in the username attribute. | Internet_explorer, Firefox, Seamonkey | N/A |