Skip to main content

Mozilla

2675 CVEs vendor

Monthly

CVE-2021-29948 LOW POC Monitor

Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user is replacing the file. Rated low severity (CVSS 2.5). Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Race Condition Thunderbird
NVD
CVSS 3.1
2.5
EPSS
0.3%
CVE-2021-29947 HIGH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 87. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-29946 HIGH This Week

Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Integer Overflow Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-29945 MEDIUM This Month

The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-29944 MEDIUM This Month

Lack of escaping allowed HTML injection when a webpage was viewed in Reader View. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google RCE XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-24002 HIGH This Week

When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla RCE Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-24001 MEDIUM This Month

A compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure that was not restricted to testing-only configurations. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-24000 LOW Monitor

A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Race Condition Firefox
NVD
CVSS 3.1
3.1
EPSS
0.6%
CVE-2021-23999 HIGH POC This Week

If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Privilege Escalation Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-23998 MEDIUM This Month

Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-23997 HIGH This Week

Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla RCE Firefox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-23996 MEDIUM This Month

By utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-23995 HIGH This Week

When Responsive Design Mode was enabled, it used references to objects that were previously freed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla RCE Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-23994 HIGH This Week

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-23993 MEDIUM This Month

An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Jwt Attack Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2021-23992 MEDIUM This Month

Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Jwt Attack Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-23991 MEDIUM POC This Month

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
CVSS 3.1
6.8
EPSS
1.0%
CVE-2021-23988 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 86. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-23987 HIGH PATCH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-23986 MEDIUM This Month

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2021-23985 MEDIUM This Month

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-23984 MEDIUM This Month

A malicious extension could have opened a popup window lacking an address bar. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-23983 MEDIUM This Month

By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-23982 MEDIUM This Month

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-23981 HIGH This Week

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2021-20628 MEDIUM This Month

Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft XSS Office
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-21354 MEDIUM POC PATCH This Month

Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Mozilla Open Redirect Pollbot
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%
CVE-2021-23979 HIGH POC This Week

Mozilla developers reported memory safety bugs present in Firefox 85. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-23978 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-23965 HIGH POC This Week

Mozilla developers reported memory safety bugs present in Firefox 84. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-23964 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mozilla Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-23977 MEDIUM This Month

Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-23963 MEDIUM This Month

When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-23962 HIGH This Week

Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-23961 HIGH This Week

Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Debian Linux
NVD
CVSS 3.1
7.4
EPSS
1.3%
CVE-2021-23960 HIGH This Week

Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-23959 MEDIUM This Month

An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-23958 MEDIUM This Month

The browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-23957 HIGH This Week

Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
7.4
EPSS
0.8%
CVE-2021-23956 MEDIUM POC This Month

An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-23955 MEDIUM This Month

The browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-23954 HIGH This Week

Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-23953 MEDIUM This Month

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2021-23976 HIGH This Week

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla Firefox
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2021-23975 MEDIUM This Month

The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-23974 MEDIUM This Month

The DOMParser API did not properly process '<noscript>' elements for escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-23973 MEDIUM This Month

When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-23972 HIGH This Week

One phishing tactic on the web is to provide a link with HTTP Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-23971 MEDIUM This Month

When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-23970 MEDIUM This Month

Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-23969 MEDIUM This Month

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
1.2%
CVE-2021-23968 MEDIUM This Month

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
1.2%
CVE-2020-26970 HIGH This Week

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Thunderbird
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-26969 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 82. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-26968 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2020-26967 MEDIUM This Month

When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Code Injection Firefox
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-26966 MEDIUM This Month

Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2020-26965 MEDIUM This Month

Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-26964 MEDIUM This Month

If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.8
EPSS
0.9%
CVE-2020-26963 MEDIUM This Month

Repeated calls to the history and location interfaces could have been used to hang the browser. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-26962 MEDIUM This Month

Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-26961 MEDIUM This Month

When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-26960 HIGH This Week

If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Use After Free Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2020-26959 HIGH This Week

During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Use After Free Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2020-26958 MEDIUM This Month

Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2020-26957 MEDIUM This Month

OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2020-26956 MEDIUM This Month

In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
1.2%
CVE-2020-26955 MEDIUM This Month

When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-26954 MEDIUM This Month

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2020-26953 MEDIUM This Month

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.3
EPSS
1.3%
CVE-2020-26952 HIGH This Week

Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-26951 MEDIUM This Month

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-26950 HIGH POC THREAT Act Now

In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Mozilla Memory Corruption Information Disclosure Firefox +2
NVD
CVSS 3.1
8.8
EPSS
42.3%
CVE-2020-26212 MEDIUM POC PATCH This Month

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Mozilla Authentication Bypass PHP Glpi
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-26239 MEDIUM PATCH This Month

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Google Mozilla Scratch Addons
NVD GitHub
CVSS 3.1
5.4
EPSS
1.0%
CVE-2020-6829 MEDIUM This Month

When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-15684 CRITICAL Act Now

Mozilla developers reported memory safety bugs present in Firefox 81. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption RCE Use After Free +1
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-15683 CRITICAL Act Now

Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption RCE Use After Free +5
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-15682 MEDIUM This Month

When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2020-15681 HIGH This Week

When multiple WASM threads had a reference to a module, and were looking up exported functions, one WASM thread could have overwritten another's entry in a shared stub table, resulting in a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-15680 MEDIUM This Month

If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2020-15646 MEDIUM This Month

If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Microsoft Information Disclosure Thunderbird
NVD
CVSS 3.1
5.9
EPSS
1.0%
CVE-2020-12401 MEDIUM This Month

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. Rated medium severity (CVSS 4.7). No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2020-12400 MEDIUM This Month

When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. Rated medium severity (CVSS 4.7). No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2020-15678 HIGH This Week

When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Memory Corruption Information Disclosure Firefox +4
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2020-15677 MEDIUM This Month

By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Open Redirect Firefox Firefox Esr Thunderbird +2
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-15676 MEDIUM This Month

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird +2
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-15675 HIGH This Week

When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Use After Free Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-15674 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 80. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2020-15673 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption RCE Use After Free +5
NVD
CVSS 3.1
8.8
EPSS
2.0%
EPSS 0% CVSS 2.5
LOW POC Monitor

Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user is replacing the file. Rated low severity (CVSS 2.5). Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Race Condition +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 87. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Integer Overflow +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Lack of escaping allowed HTML injection when a webpage was viewed in Reader View. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google RCE XSS +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla RCE Firefox +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure that was not restricted to testing-only configurations. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 3.1
LOW Monitor

A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Race Condition +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Privilege Escalation Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla RCE Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

By utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When Responsive Design Mode was enabled, it used references to objects that were previously freed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla RCE Firefox +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Firefox +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Jwt Attack +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Jwt Attack +1
NVD
EPSS 1% CVSS 6.8
MEDIUM POC This Month

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Thunderbird
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 86. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow RCE Memory Corruption +4
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A malicious extension could have opened a popup window lacking an address bar. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Mozilla +3
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft XSS +1
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Mozilla Open Redirect Pollbot
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Mozilla developers reported memory safety bugs present in Firefox 85. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +5
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Mozilla developers reported memory safety bugs present in Firefox 84. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +4
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox
NVD
EPSS 1% CVSS 7.4
HIGH This Week

Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 7.4
HIGH This Week

Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption +3
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The DOMParser API did not properly process '<noscript>' elements for escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

One phishing tactic on the web is to provide a link with HTTP Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service Firefox
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 82. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Code Injection Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Microsoft Information Disclosure +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +2
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Repeated calls to the history and location interfaces could have been used to hang the browser. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Use After Free Mozilla +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Use After Free Mozilla +4
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 42% CVSS 8.8
HIGH POC THREAT Act Now

In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Mozilla Memory Corruption +4
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Mozilla Authentication Bypass PHP +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Google Mozilla +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Mozilla developers reported memory safety bugs present in Firefox 81. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption +3
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption +7
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When multiple WASM threads had a reference to a module, and were looking up exported functions, one WASM thread could have overwritten another's entry in a shared stub table, resulting in a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Microsoft Information Disclosure +1
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. Rated medium severity (CVSS 4.7). No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. Rated medium severity (CVSS 4.7). No vendor patch available.

Google Mozilla Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Memory Corruption +6
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Open Redirect Firefox +4
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Use After Free Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 80. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption +7
NVD
Prev Page 14 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy