Search Results (26282 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-9901 2 Mozilla, Redhat 7 Firefox, Enterprise Linux, Enterprise Linux Aus and 4 more 2025-11-25 N/A
HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" (unprivileged) page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
CVE-2014-1587 2 Mozilla, Redhat 4 Firefox, Seamonkey, Thunderbird and 1 more 2025-11-25 N/A
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2014-1594 2 Mozilla, Redhat 4 Firefox, Seamonkey, Thunderbird and 1 more 2025-11-25 N/A
Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 might allow remote attackers to execute arbitrary code by leveraging an incorrect cast from the BasicThebesLayer data type to the BasicContainerLayer data type.
CVE-2016-5294 2 Microsoft, Mozilla 3 Windows, Firefox, Thunderbird 2025-11-25 N/A
The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.
CVE-2017-5407 3 Debian, Mozilla, Redhat 9 Debian Linux, Firefox, Thunderbird and 6 more 2025-11-25 N/A
Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
CVE-2017-5449 2 Mozilla, Redhat 8 Firefox, Thunderbird, Enterprise Linux and 5 more 2025-11-25 N/A
A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.
CVE-2018-12367 3 Canonical, Debian, Mozilla 4 Ubuntu Linux, Debian Linux, Firefox and 1 more 2025-11-25 N/A
In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.
CVE-2019-11694 2 Microsoft, Mozilla 3 Windows, Firefox, Thunderbird 2025-11-25 N/A
A vulnerability exists in the Windows sandbox where an uninitialized value in memory can be leaked to a renderer from a broker when making a call to access an otherwise unavailable file. This results in the potential leaking of information stored at that memory location. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
CVE-2018-5131 4 Canonical, Debian, Mozilla and 1 more 9 Ubuntu Linux, Debian Linux, Firefox and 6 more 2025-11-25 N/A
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
CVE-2014-1590 2 Mozilla, Redhat 4 Firefox, Seamonkey, Thunderbird and 1 more 2025-11-25 N/A
The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to cause a denial of service (application crash) via a crafted JavaScript object.
CVE-2019-11743 2 Mozilla, Redhat 4 Firefox, Firefox Esr, Thunderbird and 1 more 2025-11-25 3.7 Low
Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
CVE-2018-5157 4 Canonical, Debian, Mozilla and 1 more 10 Ubuntu Linux, Debian Linux, Firefox and 7 more 2025-11-25 N/A
Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
CVE-2017-5378 3 Debian, Mozilla, Redhat 9 Debian Linux, Firefox, Thunderbird and 6 more 2025-11-25 N/A
Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
CVE-2017-7843 3 Debian, Mozilla, Redhat 8 Debian Linux, Firefox, Enterprise Linux and 5 more 2025-11-25 N/A
When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.
CVE-2014-1505 7 Canonical, Debian, Mozilla and 4 more 17 Ubuntu Linux, Debian Linux, Firefox and 14 more 2025-11-25 7.5 High
The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive displacement-correlation information, and possibly bypass the Same Origin Policy and read text from a different domain, via a timing attack involving feDisplacementMap elements, a related issue to CVE-2013-1693.
CVE-2017-7804 2 Microsoft, Mozilla 3 Windows, Firefox, Thunderbird 2025-11-25 N/A
The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
CVE-2019-9792 2 Mozilla, Redhat 6 Firefox, Thunderbird, Enterprise Linux and 3 more 2025-11-25 9.8 Critical
The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout. This magic value can then be used by JavaScript to achieve memory corruption, which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
CVE-2014-1487 7 Canonical, Debian, Fedoraproject and 4 more 18 Ubuntu Linux, Debian Linux, Fedora and 15 more 2025-11-25 7.5 High
The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
CVE-2016-5291 3 Debian, Mozilla, Redhat 4 Debian Linux, Firefox, Thunderbird and 1 more 2025-11-25 N/A
A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.
CVE-2018-5130 4 Canonical, Debian, Mozilla and 1 more 9 Ubuntu Linux, Debian Linux, Firefox and 6 more 2025-11-25 N/A
When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.