Skip to main content

Mozilla

2675 CVEs vendor

Monthly

CVE-2022-31748 CRITICAL Act Now

Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Buffer Overflow Firefox
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-31747 CRITICAL Act Now

Mozilla developers Andrew McCreight, Nicolas B. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure RCE Mozilla Buffer Overflow Firefox +2
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-31746 MEDIUM This Month

Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apple Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-31745 MEDIUM This Month

If array shift operations are not used, the Garbage Collector may have become confused about valid objects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-31744 MEDIUM This Month

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-31743 MEDIUM This Month

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-31742 MEDIUM This Month

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-31741 HIGH This Week

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-31740 HIGH This Week

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-31739 HIGH This Week

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-31738 MEDIUM This Month

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-31737 CRITICAL Act Now

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Mozilla Buffer Overflow Firefox Firefox Esr +1
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-31736 CRITICAL Act Now

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Cors Misconfiguration Firefox Firefox Esr +1
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-2505 HIGH This Week

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-2226 MEDIUM This Month

An OpenPGP digital signature includes information about the date when the signature was created. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-2200 HIGH This Week

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Prototype Pollution Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
23.9%
CVE-2022-29918 HIGH This Week

Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-29917 CRITICAL POC Act Now

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox +2
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-29916 MEDIUM POC This Month

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-29915 MEDIUM POC This Month

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-29914 MEDIUM This Month

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-29913 MEDIUM This Month

The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-29912 MEDIUM POC This Month

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-29911 MEDIUM This Month

An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-29910 MEDIUM POC This Month

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.<br>*Note: This issue only affected Firefox for Android. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Open Redirect Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-29909 HIGH This Week

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-28289 HIGH This Week

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-28288 HIGH This Week

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-28287 MEDIUM POC This Month

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-28286 MEDIUM POC This Month

Due to a layout change, iframe contents could have been rendered outside of its border. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-28285 MEDIUM POC This Month

When generating the assembly code for <code>MLoadTypedArrayElementHole</code>, an incorrect AliasSet was used. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Buffer Overflow Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-28284 HIGH This Week

SVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-28283 MEDIUM POC This Month

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-28282 MEDIUM POC This Month

By using a link with <code>rel="localization"</code> a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
6.5
EPSS
2.0%
CVE-2022-28281 HIGH POC This Week

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Mozilla Buffer Overflow Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
2.6%
CVE-2022-26486 CRITICAL POC KEV THREAT Act Now

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Mozilla Information Disclosure Use After Free Memory Corruption +3
NVD
CVSS 3.1
9.6
EPSS
2.3%
CVE-2022-26485 HIGH POC KEV THREAT This Week

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Mozilla Information Disclosure Use After Free Memory Corruption +3
NVD
CVSS 3.1
8.8
EPSS
14.3%
CVE-2022-26387 HIGH POC This Week

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-26386 MEDIUM POC This Month

Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Mozilla Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-26385 MEDIUM POC This Month

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-26384 CRITICAL POC Act Now

If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
9.6
EPSS
0.9%
CVE-2022-26383 MEDIUM This Month

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2022-26382 MEDIUM POC This Month

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-26381 HIGH POC This Week

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-22764 HIGH This Week

Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-22763 HIGH This Week

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-22762 MEDIUM This Month

Under certain circumstances, a JavaScript alert (or prompt) could have been shown while another website was displayed underneath it. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-22761 HIGH This Week

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-22760 MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-22759 CRITICAL Act Now

If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
9.6
EPSS
0.7%
CVE-2022-22758 HIGH This Week

When clicking on a tel: link, USSD codes, specified after a <code>\*</code> character, would be included in the phone number. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Google Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-22757 MEDIUM This Month

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2022-22756 HIGH POC This Week

If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Mozilla Code Injection Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-22755 HIGH This Week

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-22754 MEDIUM This Month

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-22753 HIGH POC This Week

A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
7.1
EPSS
0.6%
CVE-2022-22752 HIGH This Week

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-22751 HIGH This Week

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-22750 MEDIUM POC This Month

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Microsoft Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-22749 MEDIUM POC This Month

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Google Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-22748 MEDIUM POC This Month

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-22747 MEDIUM This Month

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-22746 MEDIUM This Month

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.<br>*This bug only affects Firefox for Windows. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Microsoft Authentication Bypass Mozilla Firefox +2
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2022-22745 MEDIUM This Month

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-22744 HIGH This Week

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Command Injection Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-22743 MEDIUM This Month

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2022-22742 MEDIUM This Month

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Buffer Overflow Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-22741 HIGH This Week

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-22740 HIGH POC This Week

Certain network request objects were freed too early when releasing a network request handle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-22739 MEDIUM POC This Month

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-22738 HIGH POC This Week

Applying a CSS filter effect could have accessed out of bounds memory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Mozilla Buffer Overflow Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-22737 HIGH POC This Week

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Denial Of Service Microsoft Mozilla Firefox +2
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-22736 HIGH POC This Week

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Mozilla Firefox
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2022-1887 CRITICAL Act Now

The search term could have been specified externally to trigger SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple SQLi Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-1834 MEDIUM This Month

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-1802 HIGH This Week

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Prototype Pollution Firefox +2
NVD
CVSS 3.1
8.8
EPSS
26.7%
CVE-2022-1529 HIGH This Week

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Prototype Pollution Firefox +2
NVD
CVSS 3.1
8.8
EPSS
17.1%
CVE-2022-1520 MEDIUM This Month

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-1197 MEDIUM This Month

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-1196 MEDIUM POC This Month

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-1097 MEDIUM POC This Month

<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-0843 HIGH This Week

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-0566 HIGH This Week

It may be possible for an attacker to craft an email message that causes Thunderbird to perform an out-of-bounds write of one byte when processing the message. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Mozilla Buffer Overflow Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-0517 HIGH This Week

Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Mozilla File Upload OpenSSL Vpn
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-0511 HIGH This Week

Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla Buffer Overflow Firefox
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-23491 PyPI HIGH PATCH This Week

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Certifi E Series Performance Analyzer +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-4055 HIGH POC This Week

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Xdg Utils
NVD
CVSS 3.1
7.4
EPSS
0.7%
CVE-2022-36033 Maven MEDIUM POC PATCH This Month

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla XSS Java Jsoup Management Services For Element Software +2
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2022-36010 npm CRITICAL POC PATCH Act Now

This library allows strings to be parsed as functions and stored as a specialized component,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Mozilla Code Injection React Editable Json Tree
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-32969 MEDIUM PATCH This Month

MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Google Mozilla Information Disclosure Metamask
NVD GitHub
CVSS 3.1
5.9
EPSS
1.4%
EPSS 1% CVSS 9.8
CRITICAL Act Now

Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Buffer Overflow +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Mozilla developers Andrew McCreight, Nicolas B. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure RCE Mozilla +4
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apple Mozilla +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

If array shift operations are not used, the Garbage Collector may have become confused about valid objects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Mozilla +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Mozilla Buffer Overflow +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Cors Misconfiguration +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +4
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An OpenPGP digital signature includes information about the date when the signature was created. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
EPSS 24% CVSS 8.8
HIGH This Week

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Prototype Pollution +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Mozilla +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Thunderbird
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +2
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.<br>*Note: This issue only affected Firefox for Android. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Open Redirect Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +2
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Mozilla Firefox
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Due to a layout change, iframe contents could have been rendered outside of its border. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla XSS Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

When generating the assembly code for <code>MLoadTypedArrayElementHole</code>, an incorrect AliasSet was used. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Buffer Overflow +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure Mozilla +1
NVD
EPSS 2% CVSS 6.5
MEDIUM POC This Month

By using a link with <code>rel="localization"</code> a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla +4
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Mozilla Buffer Overflow +3
NVD
EPSS 2% CVSS 9.6
CRITICAL POC KEV THREAT Act Now

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Mozilla Information Disclosure +5
NVD
EPSS 14% CVSS 8.8
HIGH POC KEV THREAT This Week

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Mozilla Information Disclosure +5
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Mozilla +2
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla +2
NVD
EPSS 1% CVSS 9.6
CRITICAL POC Act Now

If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Mozilla +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Under certain circumstances, a JavaScript alert (or prompt) could have been shown while another website was displayed underneath it. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

When clicking on a tel: link, USSD codes, specified after a <code>\*</code> character, would be included in the phone number. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Google Mozilla +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Mozilla Code Injection +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
EPSS 1% CVSS 7.1
HIGH POC This Week

A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Mozilla +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Microsoft +2
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Google Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla XSS Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +2
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.<br>*This bug only affects Firefox for Windows. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Microsoft Authentication Bypass +4
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Command Injection Mozilla +3
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Buffer Overflow +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Certain network request objects were freed too early when releasing a network request handle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Applying a CSS filter effect could have accessed out of bounds memory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Mozilla Buffer Overflow +3
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Denial Of Service Microsoft +4
NVD
EPSS 0% CVSS 7.0
HIGH POC This Week

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Mozilla +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The search term could have been specified externally to trigger SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple SQLi Mozilla +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
EPSS 27% CVSS 8.8
HIGH This Week

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +4
NVD
EPSS 17% CVSS 8.8
HIGH This Week

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +4
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla +3
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Use After Free Mozilla +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

It may be possible for an attacker to craft an email message that causes Thunderbird to perform an out-of-bounds write of one byte when processing the message. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Mozilla Buffer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Mozilla File Upload +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Mozilla +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +4
NVD GitHub
EPSS 1% CVSS 7.4
HIGH POC This Week

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Xdg Utils
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla XSS Java +4
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

This library allows strings to be parsed as functions and stored as a specialized component,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Mozilla Code Injection +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Google Mozilla Information Disclosure +1
NVD GitHub
Prev Page 12 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy