Filtered by vendor Mozilla
Subscribe
Search
Total
2714 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2004-0191 | 1 Mozilla | 1 Mozilla | 2017-10-10 | 6.8 MEDIUM | N/A |
| Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. | |||||
| CVE-2002-0007 | 1 Mozilla | 1 Bugzilla | 2017-10-10 | 10.0 HIGH | N/A |
| CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote attackers to obtain an anonymous bind to the LDAP server via a request that does not include a password, which causes a null password to be sent to the LDAP server. | |||||
| CVE-2001-0330 | 1 Mozilla | 1 Bugzilla | 2017-10-10 | 7.5 HIGH | N/A |
| Bugzilla 2.10 allows remote attackers to access sensitive information, including the database username and password, via an HTTP request for the globals.pl file, which is normally returned by the web server without being executed. | |||||
| CVE-2009-1232 | 1 Mozilla | 1 Firefox | 2017-09-29 | 4.3 MEDIUM | N/A |
| Mozilla Firefox 3.0.8 and earlier 3.0.x versions allows remote attackers to cause a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags. NOTE: it was later reported that 3.0.10 and earlier are also affected. | |||||
| CVE-2009-0771 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 10.0 HIGH | N/A |
| The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption and assertion failures. | |||||
| CVE-2009-1313 | 1 Mozilla | 1 Firefox | 2017-09-29 | 9.3 HIGH | N/A |
| The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this vulnerability reportedly exists because of an incorrect fix for CVE-2009-1302. | |||||
| CVE-2009-0775 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 10.0 HIGH | N/A |
| Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection. | |||||
| CVE-2009-0773 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 10.0 HIGH | N/A |
| The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a splice of an array that contains "some non-set elements," which causes jsarray.cpp to pass an incorrect argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a hang. | |||||
| CVE-2009-0777 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 5.8 MEDIUM | N/A |
| Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks. | |||||
| CVE-2009-1169 | 1 Mozilla | 1 Firefox | 2017-09-29 | 9.3 HIGH | N/A |
| The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XML file with a crafted XSLT transform. | |||||
| CVE-2009-1839 | 1 Mozilla | 1 Firefox | 2017-09-29 | 5.4 MEDIUM | N/A |
| Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack. | |||||
| CVE-2009-1840 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 9.3 HIGH | N/A |
| Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page. | |||||
| CVE-2009-0356 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 5.1 MEDIUM | N/A |
| Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. | |||||
| CVE-2009-0253 | 1 Mozilla | 1 Firefox | 2017-09-29 | 6.8 MEDIUM | N/A |
| Mozilla Firefox 3.0.5 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Status Bar Obfuscation" and "Clickjacking" attack. | |||||
| CVE-2009-0354 | 1 Mozilla | 1 Firefox | 2017-09-29 | 2.6 LOW | N/A |
| Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. | |||||
| CVE-2009-0353 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 10.0 HIGH | N/A |
| Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine. | |||||
| CVE-2009-0357 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. | |||||
| CVE-2009-0071 | 1 Mozilla | 1 Firefox | 2017-09-29 | 2.6 LOW | N/A |
| Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a certain (a) replaceChild or (b) removeChild call, followed by a (1) queryCommandValue, (2) queryCommandState, or (3) queryCommandIndeterm call. NOTE: it was later reported that 3.0.6 and 3.0.7 are also affected. | |||||
| CVE-2009-0355 | 1 Mozilla | 1 Firefox | 2017-09-29 | 5.4 MEDIUM | N/A |
| components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element. | |||||
| CVE-2009-0358 | 1 Mozilla | 1 Firefox | 2017-09-29 | 3.3 LOW | N/A |
| Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request. | |||||
| CVE-2008-5697 | 2 Mozilla, Skype | 2 Firefox, Skype Extension For Firefox | 2017-09-29 | 4.3 MEDIUM | N/A |
| The skype_tool.copy_num method in the Skype extension BETA 2.2.0.95 for Firefox allows remote attackers to write arbitrary data to the clipboard via a string argument. | |||||
| CVE-2008-5012 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 5.0 MEDIUM | N/A |
| Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon. | |||||
| CVE-2008-5913 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 4.9 MEDIUM | N/A |
| The Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses a random number generator that is seeded only once per browser session, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack." | |||||
| CVE-2008-5015 | 1 Mozilla | 1 Firefox | 2017-09-29 | 5.1 MEDIUM | N/A |
| Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrary JavaScript with chrome privileges via malicious code in a file that has already been saved on the local system. | |||||
| CVE-2008-5016 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 5.0 MEDIUM | N/A |
| The layout engine in Mozilla Firefox 3.x before 3.0.4, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via multiple vectors that trigger an assertion failure or other consequences. | |||||
| CVE-2008-5504 | 1 Mozilla | 1 Firefox | 2017-09-29 | 7.5 HIGH | N/A |
| Mozilla Firefox 2.x before 2.0.0.19 allows remote attackers to run arbitrary JavaScript with chrome privileges via vectors related to the feed preview, a different vulnerability than CVE-2008-3836. | |||||
| CVE-2008-4059 | 1 Mozilla | 1 Firefox | 2017-09-29 | 7.5 HIGH | N/A |
| The XPConnect component in Mozilla Firefox before 2.0.0.17 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to a SCRIPT element. | |||||
| CVE-2008-4069 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 5.0 MEDIUM | N/A |
| The XBM decoder in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to read uninitialized memory, and possibly obtain sensitive information in opportunistic circumstances, via a crafted XBM image file. | |||||
| CVE-2008-3835 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 7.5 HIGH | N/A |
| The nsXMLDocument::OnChannelRedirect function in Mozilla Firefox before 2.0.0.17, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code via unknown vectors. | |||||
| CVE-2008-4070 | 1 Mozilla | 2 Seamonkey, Thunderbird | 2017-09-29 | 10.0 HIGH | N/A |
| Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long header in a news article, related to "canceling [a] newsgroup message" and "cancelled newsgroup messages." | |||||
| CVE-2008-4064 | 1 Mozilla | 1 Firefox | 2017-09-29 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to graphics rendering and (1) handling of a long alert messagebox in the cairo_surface_set_device_offset function, (2) integer overflows when handling animated PNG data in the info_callback function in nsPNGDecoder.cpp, and (3) an integer overflow when handling SVG data in the nsSVGFEGaussianBlurElement::SetupPredivide function in nsSVGFilters.cpp. | |||||
| CVE-2008-4063 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2017-09-29 | 9.3 HIGH | N/A |
| Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and (1) a zero value of the "this" variable in the nsContentList::Item function; (2) interaction of the indic IME extension, a Hindi language selection, and the "g" character; and (3) interaction of the nsFrameList::SortByContentOrder function with a certain insufficient protection of inline frames. | |||||
| CVE-2008-4060 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-29 | 7.5 HIGH | N/A |
| Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to create documents that lack script-handling objects, and execute arbitrary code with chrome privileges, via vectors related to (1) the document.loadBindingDocument function and (2) XSLT. | |||||
| CVE-2008-4066 | 1 Mozilla | 1 Firefox | 2017-09-29 | 4.3 MEDIUM | N/A |
| Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav�ascript" sequence, aka "HTML escaped low surrogates bug." | |||||
| CVE-2008-0016 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 10.0 HIGH | N/A |
| Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link. | |||||
| CVE-2007-6589 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 4.3 MEDIUM | N/A |
| The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947. | |||||
| CVE-2008-0304 | 3 Linux, Microsoft, Mozilla | 4 Linux Kernel, Windows, Seamonkey and 1 more | 2017-09-29 | 7.5 HIGH | N/A |
| Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview. | |||||
| CVE-2014-1569 | 1 Mozilla | 1 Network Security Services | 2017-09-22 | 7.5 HIGH | N/A |
| The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00. | |||||
| CVE-2013-1718 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-09-19 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | |||||
| CVE-2013-1700 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2017-09-19 | 7.2 HIGH | N/A |
| The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location. | |||||
| CVE-2013-1701 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-09-19 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | |||||
| CVE-2013-1693 | 1 Mozilla | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2017-09-19 | 4.3 MEDIUM | N/A |
| The SVG filter implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to read pixel values, and possibly bypass the Same Origin Policy and read text from a different domain, by observing timing differences in execution of filter code. | |||||
| CVE-2013-1706 | 1 Mozilla | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2017-09-19 | 7.2 HIGH | N/A |
| Stack-based buffer overflow in maintenanceservice.exe in the Mozilla Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line. | |||||
| CVE-2013-1707 | 1 Mozilla | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2017-09-19 | 7.2 HIGH | N/A |
| Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line to the Mozilla Maintenance Service. | |||||
| CVE-2013-1708 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-19 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (application crash) via a crafted WAV file that is not properly handled by the nsCString::CharAt function. | |||||
| CVE-2013-1709 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-09-19 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. | |||||
| CVE-2013-1710 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-09-19 | 10.0 HIGH | N/A |
| The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. | |||||
| CVE-2013-1694 | 1 Mozilla | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2017-09-19 | 7.5 HIGH | N/A |
| The PreserveWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly handle the lack of a wrapper, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by leveraging unintended clearing of the wrapper cache's preserved-wrapper flag. | |||||
| CVE-2013-1711 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-19 | 4.3 MEDIUM | N/A |
| The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object. | |||||
| CVE-2013-1712 | 2 Microsoft, Mozilla | 8 Windows 7, Windows 8, Windows Server 2008 and 5 more | 2017-09-19 | 6.9 MEDIUM | N/A |
| Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory. | |||||