Search
Total
11 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34414 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-01-07 | N/A | 3.1 LOW |
| The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. | |||||
| CVE-2023-4579 | 1 Mozilla | 1 Firefox | 2024-01-07 | N/A | 3.1 LOW |
| Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine. This vulnerability affects Firefox < 117. | |||||
| CVE-2021-24000 | 1 Mozilla | 1 Firefox | 2023-08-08 | 2.6 LOW | 3.1 LOW |
| A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as <input type="file">) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88. | |||||
| CVE-2022-42931 | 1 Mozilla | 1 Firefox | 2023-08-08 | N/A | 3.3 LOW |
| Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106. | |||||
| CVE-2015-4000 | 12 Apple, Canonical, Debian and 9 more | 25 Iphone Os, Mac Os X, Safari and 22 more | 2022-05-13 | 4.3 MEDIUM | 3.7 LOW |
| The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. | |||||
| CVE-2020-12394 | 1 Mozilla | 1 Firefox | 2022-04-26 | 2.1 LOW | 3.3 LOW |
| A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76. | |||||
| CVE-2020-15671 | 1 Mozilla | 1 Firefox | 2021-07-21 | 2.6 LOW | 3.1 LOW |
| When typing in a password under certain conditions, a race may have occured where the InputContext was not being correctly set for the input field, resulting in the typed password being saved to the keyboard dictionary. This vulnerability affects Firefox for Android < 80. | |||||
| CVE-2019-11743 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-24 | 4.3 MEDIUM | 3.7 LOW |
| Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. | |||||
| CVE-2020-6824 | 1 Mozilla | 1 Firefox | 2020-05-01 | 1.9 LOW | 2.8 LOW |
| Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75. | |||||
| CVE-2017-5387 | 1 Mozilla | 1 Firefox | 2018-08-07 | 2.1 LOW | 3.3 LOW |
| The existence of a specifically requested local file can be found due to the double firing of the "onerror" when the "source" attribute on a "<track>" tag refers to a file that does not exist if the source page is loaded locally. This vulnerability affects Firefox < 51. | |||||
| CVE-2016-9062 | 2 Google, Mozilla | 2 Android, Firefox | 2018-07-30 | 2.1 LOW | 3.3 LOW |
| Private browsing mode leaves metadata information, such as URLs, for sites visited in "browser.db" and "browser.db-wal" files within the Firefox profile after the mode is exited. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. | |||||