Skip to main content

Mozilla

2675 CVEs vendor

Monthly

CVE-2022-21190 npm CRITICAL POC PATCH Act Now

This affects the package convict before 6.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Prototype Pollution Mozilla Convict
NVD GitHub
CVSS 3.1
9.8
EPSS
3.8%
CVE-2022-28795 MEDIUM This Month

A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Apple Information Disclosure Password Manager
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-43546 MEDIUM This Month

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
1.4%
CVE-2021-43545 MEDIUM This Month

Using the Location API in a loop could have caused severe application hangs and crashes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-43544 MEDIUM This Month

When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2021-43543 MEDIUM This Month

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2021-43542 MEDIUM This Month

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-43541 MEDIUM This Month

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-43540 MEDIUM This Month

WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-43539 HIGH This Week

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Denial Of Service Memory Corruption Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-43538 MEDIUM This Month

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Race Condition Firefox Firefox Esr +2
NVD
CVSS 3.1
4.3
EPSS
1.2%
CVE-2021-43537 HIGH This Week

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-43536 MEDIUM This Month

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-43535 HIGH This Week

A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-43534 HIGH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-43533 MEDIUM This Month

When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-43532 MEDIUM This Month

The 'Copy Image Link' context menu action would copy the final image URL after redirects. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Open Redirect Firefox
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2021-43531 MEDIUM This Month

When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2021-43530 MEDIUM This Month

A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2021-43528 MEDIUM This Month

Thunderbird unexpectedly enabled JavaScript in the composition area. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Privilege Escalation Mozilla Thunderbird Debian Linux
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-43527 CRITICAL PATCH Act Now

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Memory Corruption Mozilla Nss Nss Esr +8
NVD
CVSS 3.1
9.8
EPSS
17.6%
CVE-2021-38510 HIGH This Week

The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-38509 MEDIUM This Month

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
1.6%
CVE-2021-38508 MEDIUM This Month

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
1.5%
CVE-2021-38507 MEDIUM This Month

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-38506 MEDIUM This Month

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
1.5%
CVE-2021-38505 MEDIUM This Month

Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-38504 HIGH This Week

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-38503 CRITICAL Act Now

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
10.0
EPSS
3.8%
CVE-2021-35053 HIGH This Week

Possible system denial of service in case of arbitrary changing Firefox browser parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Endpoint Security
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2021-38502 MEDIUM This Month

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Thunderbird Debian Linux
NVD
CVSS 3.1
5.9
EPSS
1.1%
CVE-2021-38501 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow RCE Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-38500 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow RCE Firefox Firefox Esr +2
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-38499 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 92. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-38498 HIGH This Week

During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-38497 MEDIUM This Month

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-38496 HIGH This Week

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-38495 HIGH This Week

Mozilla developers reported memory safety bugs present in Thunderbird 78.13.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-38494 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 91. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-38493 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-38492 MEDIUM POC This Month

When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Microsoft Information Disclosure Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-38491 MEDIUM This Month

Mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-29993 HIGH This Week

Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2021-29991 HIGH This Week

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Request Smuggling Information Disclosure Firefox Thunderbird
NVD
CVSS 3.1
8.1
EPSS
0.9%
CVE-2021-22964 npm HIGH POC PATCH This Week

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Denial Of Service Fastify Static
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-20801 MEDIUM This Month

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XXE Remote Service Manager
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-20797 MEDIUM This Month

Cross-site script inclusion vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to obtain the information stored in the product. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XSS Remote Service Manager
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-40529 MEDIUM POC PATCH This Month

The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Mozilla Information Disclosure Botan Fedora Thunderbird
NVD GitHub
CVSS 3.1
5.9
EPSS
1.5%
CVE-2021-29990 HIGH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 90. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-29989 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-29988 HIGH POC This Week

Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-29987 MEDIUM This Month

After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-29986 HIGH POC This Week

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Mozilla Buffer Overflow Race Condition Firefox Firefox Esr +1
NVD
CVSS 3.1
8.1
EPSS
1.3%
CVE-2021-29985 HIGH POC This Week

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Buffer Overflow Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-29984 HIGH POC This Week

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-29983 MEDIUM This Month

Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-29982 MEDIUM POC This Month

Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-29981 HIGH This Week

An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-29980 HIGH POC This Week

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Buffer Overflow Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-29978 CRITICAL POC PATCH Act Now

Multiple low security issues were discovered and fixed in a security audit of Mozilla VPN 2.x branch as part of a 3rd party security audit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Mozilla Information Disclosure Mozilla Vpn
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-29977 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 89. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-29976 HIGH This Week

Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-29975 MEDIUM POC This Month

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-29974 MEDIUM This Month

When network partitioning was enabled, e.g. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-29973 HIGH This Week

Password autofill was enabled without user interaction on insecure websites on Firefox for Android. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-29972 HIGH POC This Week

A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-29971 CRITICAL Act Now

If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-29970 HIGH POC This Week

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Buffer Overflow Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-29969 MEDIUM This Month

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Path Traversal Information Disclosure Thunderbird
NVD
CVSS 3.1
5.9
EPSS
1.2%
CVE-2021-37840 HIGH POC This Week

aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Mozilla Aapanel
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-30117 HIGH This Week

The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla SQLi Intel Vsa
NVD
CVSS 3.1
8.8
EPSS
72.1%
CVE-2021-29968 HIGH This Week

When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-29967 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-29966 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 88. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-29965 MEDIUM This Month

A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2021-29964 HIGH This Week

A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process incorrectly, leading to an out-of-bounds read. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Information Disclosure Mozilla Firefox +2
NVD
CVSS 3.1
7.1
EPSS
0.8%
CVE-2021-29963 MEDIUM This Month

Address bar search suggestions in private browsing mode were re-using session data from normal mode. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2021-29962 MEDIUM This Month

Firefox for Android would become unstable and hard-to-recover when a website opened too many popups. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-29961 MEDIUM This Month

When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-29960 MEDIUM This Month

Firefox used to cache the last filename used for printing a file. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-29959 MEDIUM This Month

When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-29958 MEDIUM This Month

When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Apple Authentication Bypass Firefox
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-29957 MEDIUM POC This Month

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-29956 MEDIUM POC This Month

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-29955 MEDIUM This Month

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla RCE Firefox Firefox Esr
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2021-29953 MEDIUM This Month

A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-29952 HIGH This Week

When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google RCE Race Condition Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2021-29951 MEDIUM This Month

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Privilege Escalation Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
1.9%
CVE-2021-29950 HIGH POC This Week

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-29949 HIGH This Week

When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn't distributed by Thunderbird. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
CVSS 3.1
7.8
EPSS
0.3%
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

This affects the package convict before 6.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Prototype Pollution Mozilla +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Apple +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +3
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Using the Location API in a loop could have caused severe application hangs and crashes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox +3
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +3
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Denial Of Service Memory Corruption +5
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Race Condition +4
NVD
EPSS 2% CVSS 8.8
HIGH This Week

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox +3
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption +5
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +5
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The 'Copy Image Link' context menu action would copy the final image URL after redirects. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Open Redirect Firefox
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Thunderbird unexpectedly enabled JavaScript in the composition area. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Privilege Escalation Mozilla +2
NVD
EPSS 18% CVSS 9.8
CRITICAL PATCH Act Now

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Memory Corruption Mozilla +10
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +2
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +3
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure +3
NVD
EPSS 2% CVSS 8.8
HIGH This Week

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption +5
NVD
EPSS 4% CVSS 10.0
CRITICAL Act Now

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox +3
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Possible system denial of service in case of arbitrary changing Firefox browser parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Endpoint Security
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Thunderbird +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow RCE +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow RCE +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 92. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption +4
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Memory Corruption +5
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Thunderbird 78.13.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 91. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Microsoft Information Disclosure +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Denial Of Service Mozilla +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Request Smuggling Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Denial Of Service Fastify Static
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XXE Remote Service Manager
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site script inclusion vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to obtain the information stored in the product. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XSS Remote Service Manager
NVD
EPSS 2% CVSS 5.9
MEDIUM POC PATCH This Month

The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Mozilla Information Disclosure Botan +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 90. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +4
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +1
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Mozilla Buffer Overflow Race Condition +3
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Buffer Overflow Memory Corruption +4
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Mozilla +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Firefox for Android could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Buffer Overflow Firefox +2
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Multiple low security issues were discovered and fixed in a security audit of Mozilla VPN 2.x branch as part of a 3rd party security audit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Mozilla Information Disclosure Mozilla Vpn
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 89. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When network partitioning was enabled, e.g. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Password autofill was enabled without user interaction on insecure websites on Firefox for Android. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption Information Disclosure +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Buffer Overflow Memory Corruption +4
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Path Traversal Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Mozilla +1
NVD GitHub
EPSS 72% CVSS 8.8
HIGH This Week

The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla SQLi Intel +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 88. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 7.1
HIGH This Week

A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process incorrectly, leading to an out-of-bounds read. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Information Disclosure +4
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Address bar search suggestions in private browsing mode were re-using session data from normal mode. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Firefox for Android would become unstable and hard-to-recover when a website opened too many popups. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Firefox used to cache the last filename used for printing a file. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Apple Authentication Bypass +1
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
EPSS 2% CVSS 5.3
MEDIUM This Month

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla RCE Firefox +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google RCE Race Condition +2
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Privilege Escalation +3
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
EPSS 0% CVSS 7.8
HIGH This Week

When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn't distributed by Thunderbird. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
Prev Page 13 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy