Total
1332 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46872 | 2 Linux, Mozilla | 4 Linux Kernel, Firefox, Firefox Esr and 1 more | 2023-05-03 | N/A | 8.6 HIGH |
| An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. | |||||
| CVE-2019-11711 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2023-03-01 | 6.8 MEDIUM | 8.8 HIGH |
| When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2020-12397 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Thunderbird | 2023-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. | |||||
| CVE-2019-9811 | 4 Debian, Mozilla, Novell and 1 more | 6 Debian Linux, Firefox, Firefox Esr and 3 more | 2023-02-28 | 5.1 MEDIUM | 8.3 HIGH |
| As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2019-11717 | 4 Debian, Mozilla, Novell and 1 more | 6 Debian Linux, Firefox, Firefox Esr and 3 more | 2023-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2021-43529 | 1 Mozilla | 1 Thunderbird | 2023-02-28 | N/A | 9.8 CRITICAL |
| Thunderbird versions prior to 91.3.0 are vulnerable to the heap overflow described in CVE-2021-43527 when processing S/MIME messages. Thunderbird versions 91.3.0 and later will not call the vulnerable code when processing S/MIME messages that contain certificates with DER-encoded DSA or RSA-PSS signatures. | |||||
| CVE-2020-6812 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-02-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | |||||
| CVE-2009-1308 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2023-02-13 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing. | |||||
| CVE-2009-0771 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2023-02-13 | 10.0 HIGH | N/A |
| The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption and assertion failures. | |||||
| CVE-2008-5513 | 3 Canonical, Debian, Mozilla | 5 Ubuntu Linux, Debian Linux, Firefox and 2 more | 2023-02-13 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in the session-restore feature in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks via unknown vectors related to restoration of SessionStore data. | |||||
| CVE-2008-5511 | 3 Canonical, Debian, Mozilla | 5 Ubuntu Linux, Debian Linux, Firefox and 2 more | 2023-02-13 | 4.3 MEDIUM | N/A |
| Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document." | |||||
| CVE-2008-5016 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2023-02-13 | 5.0 MEDIUM | N/A |
| The layout engine in Mozilla Firefox 3.x before 3.0.4, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via multiple vectors that trigger an assertion failure or other consequences. | |||||
| CVE-2007-5340 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2023-02-13 | 4.3 MEDIUM | N/A |
| Multiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption. | |||||
| CVE-2007-5339 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2023-02-13 | 4.3 MEDIUM | N/A |
| Multiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption or assert errors. | |||||
| CVE-2020-6807 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| When a device was changed while a stream was about to be destroyed, the <code>stream-reinit</code> task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | |||||
| CVE-2020-6805 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | |||||
| CVE-2015-4000 | 12 Apple, Canonical, Debian and 9 more | 25 Iphone Os, Mac Os X, Safari and 22 more | 2023-02-09 | 4.3 MEDIUM | 3.7 LOW |
| The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. | |||||
| CVE-2020-6806 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-02-03 | 6.8 MEDIUM | 8.8 HIGH |
| By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | |||||
| CVE-2019-11763 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-02-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. | |||||
| CVE-2020-15658 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-02-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. | |||||