Skip to main content

Firefox

1672 CVEs product

Monthly

CVE-2024-5700 HIGH This Week

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

RCE Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.0
EPSS
0.4%
CVE-2024-5699 CRITICAL POC Act Now

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-5698 MEDIUM This Month

By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-5697 MEDIUM This Month

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-5696 HIGH This Week

By manipulating the text in an `<input>` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird +1
NVD
CVSS 3.1
8.6
EPSS
0.8%
CVE-2024-5695 CRITICAL Act Now

If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-5694 HIGH This Week

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-5693 MEDIUM This Month

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-5692 MEDIUM POC This Month

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Microsoft Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-5691 MEDIUM This Month

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.7
EPSS
0.7%
CVE-2024-5690 MEDIUM This Month

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2024-5689 MEDIUM This Month

In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-5688 HIGH POC This Week

If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-5687 MEDIUM POC This Month

If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Google Mozilla Firefox
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-4778 CRITICAL Act Now

Memory safety bugs present in Firefox 125. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-4777 HIGH This Week

Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-4776 HIGH POC This Week

A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mozilla Firefox
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-4775 MEDIUM POC This Month

An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-4774 MEDIUM This Month

The `ShmemCharMapHashEntry()` code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-4773 HIGH This Week

When a network error occurred during page load, the prior content could have remained in view with a blank URL bar. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-4772 MEDIUM POC This Month

An HTTP digest authentication nonce value was generated using `rand()` which could lead to predictable values. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-4771 HIGH POC This Week

A memory allocation check was missing which would lead to a use-after-free if the allocation failed. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2024-4770 HIGH POC This Week

When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-4769 MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-4768 MEDIUM POC This Month

A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-4767 MEDIUM POC This Month

If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-4766 MEDIUM This Month

Different techniques existed to obscure the fullscreen notification in Firefox for Android. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-4765 HIGH This Week

Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Google Mozilla Firefox
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-4764 CRITICAL POC Act Now

Multiple WebRTC threads could have claimed a newly connected audio input leading to use-after-free. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-4367 npm HIGH POC PATCH THREAT CISA Act Now

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context, and publicly available exploit code exists with an EPSS of 34.61% (97th percentile) indicating elevated exploitation likelihood.

Mozilla Information Disclosure Firefox Thunderbird Debian Linux +1
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
34.6%
Threat
6.3
CVE-2024-3865 HIGH This Week

Memory safety bugs present in Firefox 124. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-3863 CRITICAL Act Now

The executable file warning was not presented when downloading .xrm-ms files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Mozilla File Upload Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-3862 MEDIUM This Month

The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-3861 MEDIUM This Month

If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
4.0
EPSS
0.2%
CVE-2024-3860 MEDIUM This Month

An out-of-memory condition during object initialization could result in an empty shape list. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
6.2
EPSS
0.2%
CVE-2024-3859 MEDIUM This Month

On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird +1
NVD
CVSS 3.1
5.9
EPSS
0.7%
CVE-2024-3858 HIGH This Week

It was possible to mutate a JavaScript object so that the JIT could crash while tracing it. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-3857 HIGH This Week

The JIT created incorrect code for arguments in certain cases. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +2
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-3856 HIGH This Week

A use-after-free could occur during WASM execution if garbage collection ran during the creation of an array. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-3855 MEDIUM This Month

In certain cases the JIT incorrectly optimized MSubstr operations, which led to out-of-bounds reads. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-3854 HIGH This Week

In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-3853 HIGH This Week

A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage collection started. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-3852 HIGH This Week

GetBoundName could return the wrong version of an object when JIT optimizations were applied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-3302 LOW Monitor

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
3.7
EPSS
0.8%
CVE-2024-31393 MEDIUM This Month

Dragging Javascript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections This vulnerability affects Firefox for iOS < 124. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apple Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-31392 HIGH This Week

If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status This vulnerability affects Firefox for iOS < 124. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-29943 CRITICAL Act Now

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
22.9%
CVE-2024-2616 LOW Monitor

To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird
NVD
CVSS 3.1
2.7
EPSS
0.7%
CVE-2024-2615 CRITICAL Act Now

Memory safety bugs present in Firefox 123. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-2614 HIGH This Week

Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-2613 HIGH PATCH This Week

Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-2612 HIGH This Week

If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free RCE Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2024-2611 MEDIUM POC This Month

A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
5.5
EPSS
0.6%
CVE-2024-2610 MEDIUM POC This Month

Using a markup injection an attacker could have stolen nonce values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-2609 MEDIUM POC This Month

The permission prompt input delay could expire while the window is not in focus. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-2608 HIGH POC This Week

`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
8.4
EPSS
0.4%
CVE-2024-2607 HIGH POC This Week

Return registers were overwritten which could have allowed an attacker to execute arbitrary code. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-2606 LOW POC Monitor

Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
3.7
EPSS
0.4%
CVE-2024-2605 MEDIUM This Month

An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Mozilla Microsoft Firefox Thunderbird
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2024-26283 HIGH This Week

An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Mozilla Firefox
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-26282 HIGH This Week

Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Canonical Mozilla Firefox
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2024-26281 MEDIUM This Month

Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla Firefox
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2024-1557 HIGH This Week

Memory safety bugs present in Firefox 122. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-1556 MEDIUM This Month

The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-1555 HIGH This Week

When opening a website using the `firefox://` protocol handler, SameSite cookies were not properly respected. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
CVSS 3.1
8.3
EPSS
0.5%
CVE-2024-1554 CRITICAL POC Act Now

The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-1552 HIGH This Week

Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior.*Note:* This issue only affects 32-bit ARM devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-1551 MEDIUM POC This Month

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-1550 MEDIUM This Month

A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-1549 MEDIUM This Month

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-1548 MEDIUM This Month

A website could have obscured the fullscreen notification by using a dropdown select input element. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2024-1547 MEDIUM This Month

Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-1546 HIGH This Week

When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird +1
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-0953 MEDIUM POC This Month

When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to the page specified in the code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apple Open Redirect Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-0755 HIGH This Week

Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-0754 MEDIUM This Month

Some WASM source files could have caused a crash when loaded in devtools. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-0753 MEDIUM This Month

In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-0752 MEDIUM This Month

A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Denial Of Service Mozilla Apple +1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-0751 HIGH This Week

A malicious devtools extension could have been used to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-0750 HIGH This Week

A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-0749 MEDIUM This Month

A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-0748 MEDIUM This Month

A compromised content process could have updated the document URI. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-0747 MEDIUM This Month

When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-0746 MEDIUM This Month

A Linux user opening the print preview dialog could have caused the browser to crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +3
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-0745 HIGH This Week

The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-0744 HIGH This Week

In some circumstances, JIT compiled code could have dereferenced a wild pointer value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-0743 HIGH This Week

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-0742 MEDIUM This Month

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2024-0741 MEDIUM This Month

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Firefox Esr +2
NVD
CVSS 3.1
6.5
EPSS
2.2%
CVE-2023-6873 HIGH This Week

Memory safety bugs present in Firefox 120. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Mozilla RCE Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.8%
EPSS 0% CVSS 7.0
HIGH This Week

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

RCE Buffer Overflow Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 8.6
HIGH This Week

By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Microsoft +2
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Mozilla +3
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Google Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 125. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 0% CVSS 8.2
HIGH POC This Week

A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mozilla Firefox
NVD
EPSS 0% CVSS 5.9
MEDIUM POC This Month

An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The `ShmemCharMapHashEntry()` code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When a network error occurred during page load, the prior content could have remained in view with a blank URL bar. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Mozilla Firefox
NVD
EPSS 0% CVSS 5.9
MEDIUM POC This Month

An HTTP digest authentication nonce value was generated using `rand()` which could lead to predictable values. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 8.6
HIGH POC This Week

A memory allocation check was missing which would lead to a use-after-free if the allocation failed. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free RCE Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Mozilla Denial Of Service +3
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Different techniques existed to obscure the fullscreen notification in Firefox for Android. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Google Mozilla +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Multiple WebRTC threads could have claimed a newly connected audio input leading to use-after-free. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Mozilla +2
NVD
EPSS 35% 6.3 CVSS 8.8
HIGH POC PATCH THREAT Act Now

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context, and publicly available exploit code exists with an EPSS of 34.61% (97th percentile) indicating elevated exploitation likelihood.

Mozilla Information Disclosure Firefox +3
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.1
HIGH This Week

Memory safety bugs present in Firefox 124. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The executable file warning was not presented when downloading .xrm-ms files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Mozilla File Upload +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +4
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

An out-of-memory condition during object initialization could result in an empty shape list. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

It was possible to mutate a JavaScript object so that the JIT could crash while tracing it. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Mozilla +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The JIT created incorrect code for arguments in certain cases. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A use-after-free could occur during WASM execution if garbage collection ran during the creation of an array. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In certain cases the JIT incorrectly optimized MSubstr operations, which led to out-of-bounds reads. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage collection started. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Use After Free Information Disclosure Mozilla +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

GetBoundName could return the wrong version of an object when JIT optimizations were applied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 3.7
LOW Monitor

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Dragging Javascript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections This vulnerability affects Firefox for iOS < 124. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apple Mozilla +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status This vulnerability affects Firefox for iOS < 124. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla +1
NVD
EPSS 23% CVSS 9.8
CRITICAL Act Now

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 2.7
LOW Monitor

To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 123. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Mozilla Firefox
NVD
EPSS 1% CVSS 8.1
HIGH This Week

If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free RCE Mozilla +3
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Using a markup injection an attacker could have stolen nonce values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mozilla +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The permission prompt input delay could expire while the window is not in focus. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 8.4
HIGH POC This Week

`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

Return registers were overwritten which could have allowed an attacker to execute arbitrary code. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Mozilla Firefox +2
NVD
EPSS 0% CVSS 3.7
LOW POC Monitor

Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Mozilla Microsoft +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Mozilla +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Using an AMP url with a canonical element, an attacker could have executed JavaScript from an opened bookmarked page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Canonical +2
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Memory safety bugs present in Firefox 122. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 0% CVSS 8.3
HIGH This Week

When opening a website using the `firefox://` protocol handler, SameSite cookies were not properly respected. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior.*Note:* This issue only affects 32-bit ARM devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A website could have obscured the fullscreen notification by using a dropdown select input element. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to the page specified in the code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apple Open Redirect Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow +5
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Some WASM source files could have caused a crash when loaded in devtools. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Denial Of Service +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A malicious devtools extension could have been used to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A compromised content process could have updated the document URI. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A Linux user opening the print preview dialog could have caused the browser to crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +5
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In some circumstances, JIT compiled code could have dereferenced a wild pointer value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +3
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 120. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Mozilla +3
NVD
Prev Page 2 of 19 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy