Skip to main content

Thunderbird

995 CVEs product

Monthly

CVE-2024-11159 MEDIUM This Month

Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-10468 MEDIUM This Month

Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-10467 HIGH This Week

Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-10466 HIGH This Week

By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-10465 MEDIUM This Month

A clipboard "paste" button could persist across tabs which allowed a spoofing attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-10464 MEDIUM This Month

Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Denial Of Service Mozilla Firefox +1
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-10463 MEDIUM This Month

Video frames could have been leaked between origins in some situations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-10462 MEDIUM This Month

Truncation of a long URL could have allowed origin spoofing in a permission prompt. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-10461 MEDIUM This Month

In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-10460 MEDIUM This Month

The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-10459 HIGH This Week

An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +1
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-10458 HIGH This Week

A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-9403 HIGH This Week

Memory safety bugs present in Firefox 130. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2024-9402 CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-9401 CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-9400 HIGH This Week

A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-9399 HIGH This Week

A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-9398 MEDIUM This Month

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2024-9397 MEDIUM This Month

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-9396 HIGH This Week

It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-9394 HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-9393 HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-9392 CRITICAL Act Now

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-7652 HIGH This Week

An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Buffer Overflow Denial Of Service Mozilla Firefox +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-8394 MEDIUM This Month

When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-8387 CRITICAL Act Now

Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-7529 MEDIUM This Month

The date picker could partially obscure security prompts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-7528 HIGH This Week

Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-7526 MEDIUM This Month

ANGLE failed to initialize parameters which lead to reading from uninitialized memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-7525 HIGH This Week

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-7522 HIGH This Week

Editor code failed to check an attribute value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7521 HIGH This Week

Incomplete WebAssembly exception handing could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7520 HIGH This Week

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Memory Corruption Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-7519 CRITICAL Act Now

Insufficient checks when processing graphics shared memory could have led to memory corruption. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Firefox Esr +1
NVD
CVSS 3.1
9.6
EPSS
0.6%
CVE-2024-7518 MEDIUM This Month

Select options could obscure the fullscreen notification dialog. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-6615 HIGH This Week

Memory safety bugs present in Firefox 127 and Thunderbird 127. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-6614 MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-6613 MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-6612 MEDIUM This Month

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-6611 CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-6610 MEDIUM This Month

Form validation popups could capture escape key presses. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-6609 HIGH This Week

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-6608 MEDIUM This Month

It was possible to move the cursor using pointerlock from an iframe. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-6607 HIGH POC This Week

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-6606 HIGH This Week

Clipboard code failed to check the index on an array access. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-6604 HIGH This Week

Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-6603 HIGH This Week

In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2024-6602 CRITICAL Act Now

A mismatch between allocator and deallocator could have led to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow Mozilla Firefox +1
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-6601 MEDIUM This Month

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-6600 MEDIUM This Month

Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2024-5702 HIGH This Week

Memory corruption in the networking stack could have led to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-5700 HIGH This Week

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

RCE Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.0
EPSS
0.4%
CVE-2024-5696 HIGH This Week

By manipulating the text in an `<input>` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird +1
NVD
CVSS 3.1
8.6
EPSS
0.8%
CVE-2024-5693 MEDIUM This Month

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-5692 MEDIUM POC This Month

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Microsoft Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-5691 MEDIUM This Month

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird
NVD
CVSS 3.1
4.7
EPSS
0.7%
CVE-2024-5690 MEDIUM This Month

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2024-5688 HIGH POC This Week

If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-4777 HIGH This Week

Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-4770 HIGH POC This Week

When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +1
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-4769 MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-4768 MEDIUM POC This Month

A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-4767 MEDIUM POC This Month

If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-4367 npm HIGH POC PATCH THREAT CISA Act Now

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context, and publicly available exploit code exists with an EPSS of 34.61% (97th percentile) indicating elevated exploitation likelihood.

Mozilla Information Disclosure Firefox Thunderbird Debian Linux +1
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
34.6%
Threat
6.3
CVE-2024-3863 CRITICAL Act Now

The executable file warning was not presented when downloading .xrm-ms files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Mozilla File Upload Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-3861 MEDIUM This Month

If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
4.0
EPSS
0.2%
CVE-2024-3859 MEDIUM This Month

On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird +1
NVD
CVSS 3.1
5.9
EPSS
0.7%
CVE-2024-3857 HIGH This Week

The JIT created incorrect code for arguments in certain cases. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service Memory Corruption Firefox +2
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-3854 HIGH This Week

In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-3852 HIGH This Week

GetBoundName could return the wrong version of an object when JIT optimizations were applied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-3302 LOW Monitor

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
3.7
EPSS
0.8%
CVE-2024-2616 LOW Monitor

To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption Firefox Thunderbird
NVD
CVSS 3.1
2.7
EPSS
0.7%
CVE-2024-2614 HIGH This Week

Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox +2
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-2612 HIGH This Week

If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free RCE Mozilla Memory Corruption Firefox +1
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2024-2611 MEDIUM POC This Month

A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
5.5
EPSS
0.6%
CVE-2024-2610 MEDIUM POC This Month

Using a markup injection an attacker could have stolen nonce values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-2609 MEDIUM POC This Month

The permission prompt input delay could expire while the window is not in focus. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-2608 HIGH POC This Week

`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
8.4
EPSS
0.4%
CVE-2024-2607 HIGH POC This Week

Return registers were overwritten which could have allowed an attacker to execute arbitrary code. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-2605 MEDIUM This Month

An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Mozilla Microsoft Firefox Thunderbird
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2024-1936 HIGH POC This Week

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Thunderbird Debian Linux
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-1552 HIGH This Week

Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior.*Note:* This issue only affects 32-bit ARM devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-1551 MEDIUM POC This Month

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-1550 MEDIUM This Month

A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-1549 MEDIUM This Month

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-1548 MEDIUM This Month

A website could have obscured the fullscreen notification by using a dropdown select input element. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2024-1547 MEDIUM This Month

Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird Debian Linux
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-1546 HIGH This Week

When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla Firefox Thunderbird +1
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-0755 HIGH This Week

Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow Mozilla Firefox +3
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-0753 MEDIUM This Month

In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Firefox Esr Thunderbird +1
NVD
CVSS 3.1
6.5
EPSS
0.7%
EPSS 0% CVSS 4.3
MEDIUM This Month

Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Mozilla +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A clipboard "paste" button could persist across tabs which allowed a spoofing attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Denial Of Service +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Video frames could have been leaked between origins in some situations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Truncation of a long URL could have allowed origin spoofing in a permission prompt. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Memory safety bugs present in Firefox 130. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Mozilla +3
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Buffer Overflow Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The date picker could partially obscure security prompts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +4
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

ANGLE failed to initialize parameters which lead to reading from uninitialized memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Editor code failed to check an attribute value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Incomplete WebAssembly exception handing could have led to a use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Memory Corruption +3
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

Insufficient checks when processing graphics shared memory could have led to memory corruption. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Select options could obscure the fullscreen notification dialog. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 127 and Thunderbird 127. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Form validation popups could capture escape key presses. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

It was possible to move the cursor using pointerlock from an iframe. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Clipboard code failed to check the index on an array access. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla +2
NVD
EPSS 1% CVSS 7.4
HIGH This Week

In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A mismatch between allocator and deallocator could have led to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow +3
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Denial Of Service Mozilla +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Memory corruption in the networking stack could have led to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Buffer Overflow Mozilla +3
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

RCE Buffer Overflow Mozilla +2
NVD
EPSS 1% CVSS 8.6
HIGH This Week

By manipulating the text in an `<input>` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +3
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Microsoft +2
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +3
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Mozilla +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Mozilla Denial Of Service +3
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 35% 6.3 CVSS 8.8
HIGH POC PATCH THREAT Act Now

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context, and publicly available exploit code exists with an EPSS of 34.61% (97th percentile) indicating elevated exploitation likelihood.

Mozilla Information Disclosure Firefox +3
NVD GitHub Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

The executable file warning was not presented when downloading .xrm-ms files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Mozilla File Upload +2
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Mozilla +4
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The JIT created incorrect code for arguments in certain cases. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Use After Free Mozilla Denial Of Service +4
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

GetBoundName could return the wrong version of an object when JIT optimizations were applied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD
EPSS 1% CVSS 3.7
LOW Monitor

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Mozilla Firefox +1
NVD
EPSS 1% CVSS 2.7
LOW Monitor

To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Memory Corruption +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla +4
NVD
EPSS 1% CVSS 8.1
HIGH This Week

If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free RCE Mozilla +3
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Using a markup injection an attacker could have stolen nonce values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mozilla +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The permission prompt input delay could expire while the window is not in focus. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 0% CVSS 8.4
HIGH POC This Week

`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Mozilla Firefox +2
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

Return registers were overwritten which could have allowed an attacker to execute arbitrary code. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Mozilla Firefox +2
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Mozilla Microsoft +2
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Thunderbird +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior.*Note:* This issue only affects 32-bit ARM devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A website could have obscured the fullscreen notification by using a dropdown select input element. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Information Disclosure Mozilla +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow +5
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +3
NVD
Prev Page 2 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy