Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Thunderbird
(Mozilla)| Repositories | https://github.com/libevent/libevent |
| #Vulnerabilities | 1420 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-07-23 | CVE-2019-9800 | Mozilla developers and community members reported memory safety bugs present in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | Firefox, Firefox_esr, Thunderbird | 9.8 | ||
| 2019-07-23 | CVE-2019-9818 | A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. *Note: this vulnerability only affects Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | Firefox, Firefox_esr, Thunderbird | 8.3 | ||
| 2019-07-23 | CVE-2019-9819 | A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | Firefox, Firefox_esr, Thunderbird | 9.8 | ||
| 2020-05-26 | CVE-2020-12393 | The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. | Firefox, Firefox_esr, Thunderbird | 7.8 | ||
| 2020-01-08 | CVE-2019-11745 | When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. | Ubuntu_linux, Debian_linux, Firefox, Firefox_esr, Thunderbird, Leap, Enterprise_linux_server_aus, Ruggedcom_rox_mx5000_firmware, Ruggedcom_rox_rx1400_firmware, Ruggedcom_rox_rx1500_firmware, Ruggedcom_rox_rx1501_firmware, Ruggedcom_rox_rx1510_firmware, Ruggedcom_rox_rx1511_firmware, Ruggedcom_rox_rx1512_firmware, Ruggedcom_rox_rx5000_firmware | 8.8 | ||
| 2018-06-11 | CVE-2018-5168 | Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. | Ubuntu_linux, Debian_linux, Firefox, Firefox_esr, Thunderbird, Thunderbird_esr, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation | 5.3 | ||
| 2018-06-11 | CVE-2018-5095 | An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. | Ubuntu_linux, Debian_linux, Firefox, Firefox_esr, Thunderbird, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_workstation | 9.8 | ||
| 2019-04-26 | CVE-2018-18513 | A crash can occur when processing a crafted S/MIME message or an XPI package containing a crafted signature. This can be used as a denial-of-service (DOS) attack because Thunderbird reopens the last seen message on restart, triggering the crash again. This vulnerability affects Thunderbird < 60.5. | Thunderbird | 7.5 | ||
| 2019-02-28 | CVE-2018-18498 | A potential vulnerability leading to an integer overflow can occur during buffer size calculations for images when a raw value is used instead of the checked value. This leads to a possible out-of-bounds write. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. | Ubuntu_linux, Debian_linux, Firefox, Firefox_esr, Thunderbird, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation | 9.8 | ||
| 2012-06-05 | CVE-2012-1938 | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp, and unknown other components. | Firefox, Seamonkey, Thunderbird, Opensuse, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_workstation, Storage, Linux_enterprise_desktop, Linux_enterprise_server, Linux_enterprise_software_development_kit | N/A |