Skip to main content

Mozilla

2675 CVEs vendor

Monthly

CVE-2024-50346 MEDIUM This Month

WebFeed is a lightweight web feed reader extension for Firefox/Chrome. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS Google Mozilla
NVD GitHub
CVSS 4.0
5.1
EPSS
0.6%
CVE-2024-10468 MEDIUM This Month

Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-10467 HIGH This Week

Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-10466 HIGH This Week

By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-10465 MEDIUM This Month

A clipboard "paste" button could persist across tabs which allowed a spoofing attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-10464 MEDIUM This Month

Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Denial Of Service Mozilla Firefox +1
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-10463 MEDIUM This Month

Video frames could have been leaked between origins in some situations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-10462 MEDIUM This Month

Truncation of a long URL could have allowed origin spoofing in a permission prompt. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-10461 MEDIUM This Month

In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-10460 MEDIUM This Month

The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-10459 HIGH This Week

An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +1
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-10458 HIGH This Week

A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-49378 MEDIUM This Month

smartUp, a web browser mouse gestures extension, has a universal cross-site scripting issue in the Edge and Firefox versions of smartUp 7.2.622.1170. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Mozilla
NVD GitHub
CVSS 4.0
5.8
EPSS
0.3%
CVE-2024-10004 CRITICAL Act Now

Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly This. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla Firefox
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2024-9936 MEDIUM This Month

When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-47884 LOW Monitor

foxmarks is a CLI read-only interface for Firefox's bookmarks and history. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD GitHub
CVSS 4.0
2.4
EPSS
0.2%
CVE-2024-9403 HIGH This Week

Memory safety bugs present in Firefox 130. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2024-9402 CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-9401 CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-9400 HIGH This Week

A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-9399 HIGH This Week

A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-9398 MEDIUM This Month

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2024-9397 MEDIUM This Month

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-9396 HIGH This Week

It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-9395 MEDIUM This Month

A specially crafted filename containing a large number of spaces could obscure the file's extension when displayed in the download dialog. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-9394 HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-9393 HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-9392 CRITICAL Act Now

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-9391 MEDIUM This Month

A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-8900 HIGH This Week

An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-8897 MEDIUM This Month

Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Google Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
6.9%
CVE-2024-7652 HIGH This Week

An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Buffer Overflow Denial Of Service Mozilla Firefox +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-8394 MEDIUM This Month

When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-8389 CRITICAL Act Now

Memory safety bugs present in Firefox 129. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-8388 MEDIUM This Month

Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla Firefox
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-8387 CRITICAL Act Now

Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-8386 MEDIUM This Month

If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Mozilla Microsoft Firefox Firefox Esr
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-8385 CRITICAL Act Now

A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Memory Corruption Firefox Firefox Esr
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-8383 HIGH This Week

Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-8382 HIGH This Week

Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-8381 CRITICAL Act Now

A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Memory Corruption Firefox Firefox Esr
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2024-43357 HIGH This Week

ECMA-262 is the language specification for the scripting language ECMAScript. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Google Mozilla
NVD GitHub
CVSS 3.1
8.6
EPSS
0.6%
CVE-2024-43113 MEDIUM This Month

The contextual menu for links could provide an opportunity for cross-site scripting attacks This vulnerability affects Firefox for iOS < 129. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-43112 MEDIUM This Month

Long pressing on a download link could potentially provide a means for cross-site scripting This vulnerability affects Firefox for iOS < 129. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-43111 MEDIUM This Month

Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-7531 MEDIUM This Month

Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intel Mozilla Firefox Firefox Esr
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-7530 HIGH This Week

Incorrect garbage collection interaction could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-7529 MEDIUM This Month

The date picker could partially obscure security prompts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-7528 HIGH This Week

Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-7526 MEDIUM This Month

ANGLE failed to initialize parameters which lead to reading from uninitialized memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-7525 HIGH This Week

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-7524 MEDIUM This Month

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-7523 HIGH This Week

A select option could partially obscure security prompts. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla Firefox
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-7522 HIGH This Week

Editor code failed to check an attribute value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7521 HIGH This Week

Incomplete WebAssembly exception handing could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7520 HIGH This Week

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Memory Corruption Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7519 CRITICAL Act Now

Insufficient checks when processing graphics shared memory could have led to memory corruption. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Firefox Esr +1
NVD
CVSS 3.1
9.6
EPSS
0.6%
CVE-2024-7518 MEDIUM This Month

Select options could obscure the fullscreen notification dialog. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-0981 HIGH This Week

Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Google Mozilla
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-6615 HIGH This Week

Memory safety bugs present in Firefox 127 and Thunderbird 127. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-6614 MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-6613 MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-6612 MEDIUM This Month

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-6611 CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-6610 MEDIUM This Month

Form validation popups could capture escape key presses. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-6609 HIGH This Week

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-6608 MEDIUM This Month

It was possible to move the cursor using pointerlock from an iframe. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-6607 HIGH POC This Week

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `&lt;select&gt;` element over certain permission prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-6606 HIGH This Week

Clipboard code failed to check the index on an array access. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-6605 HIGH This Week

Firefox Android allowed immediate interaction with permission prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-6604 HIGH This Week

Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-6603 HIGH This Week

In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2024-6602 CRITICAL Act Now

A mismatch between allocator and deallocator could have led to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow Mozilla Firefox +1
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-6601 MEDIUM This Month

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-6600 MEDIUM This Month

Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2024-39689 PyPI HIGH PATCH This Week

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mozilla Certifi Management Services For Element Software And Netapp Hci Ontap Select Deploy Administration Utility +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-38313 MEDIUM This Month

In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address This vulnerability affects Firefox for iOS < 127. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-38312 MEDIUM This Month

When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-5702 HIGH This Week

Memory corruption in the networking stack could have led to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-5701 CRITICAL Act Now

Memory safety bugs present in Firefox 126. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-5700 HIGH This Week

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

RCE Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.0
EPSS
0.4%
CVE-2024-5699 CRITICAL POC Act Now

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-5698 MEDIUM This Month

By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-5697 MEDIUM This Month

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-5696 HIGH This Week

By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird +1
NVD
CVSS 3.1
8.6
EPSS
0.8%
CVE-2024-5695 CRITICAL Act Now

If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-5694 HIGH This Week

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-5693 MEDIUM This Month

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-5692 MEDIUM POC This Month

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Microsoft Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-5691 MEDIUM This Month

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.7
EPSS
0.7%
EPSS 1% CVSS 5.1
MEDIUM This Month

WebFeed is a lightweight web feed reader extension for Firefox/Chrome. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS Google +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A clipboard "paste" button could persist across tabs which allowed a spoofing attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Denial Of Service +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Video frames could have been leaked between origins in some situations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Truncation of a long URL could have allowed origin spoofing in a permission prompt. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

smartUp, a web browser mouse gestures extension, has a universal cross-site scripting issue in the Edge and Firefox versions of smartUp 7.2.622.1170. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Mozilla
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly This. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Denial Of Service Mozilla +1
NVD
EPSS 0% CVSS 2.4
LOW Monitor

foxmarks is a CLI read-only interface for Firefox's bookmarks and history. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Memory safety bugs present in Firefox 130. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A specially crafted filename containing a large number of spaces could obscure the file's extension when displayed in the download dialog. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla +3
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Mozilla +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox
NVD
EPSS 7% CVSS 6.1
MEDIUM This Month

Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Google Mozilla +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Buffer Overflow Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +2
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 129. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Mozilla Microsoft +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Memory Corruption +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Memory Corruption +2
NVD
EPSS 1% CVSS 8.6
HIGH This Week

ECMA-262 is the language specification for the scripting language ECMAScript. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Google +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

The contextual menu for links could provide an opportunity for cross-site scripting attacks This vulnerability affects Firefox for iOS < 129. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Long pressing on a download link could potentially provide a means for cross-site scripting This vulnerability affects Firefox for iOS < 129. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Long pressing on a download link could potentially allow Javascript commands to be executed within the browser This vulnerability affects Firefox for iOS < 129. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intel Mozilla +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Incorrect garbage collection interaction could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The date picker could partially obscure security prompts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +4
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

ANGLE failed to initialize parameters which lead to reading from uninitialized memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox +2
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A select option could partially obscure security prompts. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Editor code failed to check an attribute value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Incomplete WebAssembly exception handing could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Memory Corruption +3
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

Insufficient checks when processing graphics shared memory could have led to memory corruption. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Select options could obscure the fullscreen notification dialog. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Google +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 127 and Thunderbird 127. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Form validation popups could capture escape key presses. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

It was possible to move the cursor using pointerlock from an iframe. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `&lt;select&gt;` element over certain permission prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Clipboard code failed to check the index on an array access. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Firefox Android allowed immediate interaction with permission prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 7.4
HIGH This Week

In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A mismatch between allocator and deallocator could have led to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow +3
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Denial Of Service Mozilla +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mozilla Certifi +3
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address This vulnerability affects Firefox for iOS < 127. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Memory corruption in the networking stack could have led to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Mozilla +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 126. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

RCE Buffer Overflow Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox
NVD
EPSS 1% CVSS 8.6
HIGH This Week

By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Microsoft +2
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
Prev Page 7 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy