Total
2868 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-3378 | 1 Mozilla | 1 Firefox | 2017-09-19 | 9.3 HIGH | N/A |
| The oggplay_data_handle_theora_frame function in media/liboggplay/src/liboggplay/oggplay_data.c in liboggplay, as used in Mozilla Firefox 3.5.x before 3.5.4, attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted .ogg video file. | |||||
| CVE-2009-3983 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-19 | 6.8 MEDIUM | N/A |
| Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user. | |||||
| CVE-2009-2664 | 1 Mozilla | 1 Firefox | 2017-09-19 | 5.0 MEDIUM | N/A |
| The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript engine in Mozilla Firefox before 3.0.12 allows remote attackers to cause a denial of service (assertion failure and application exit) or possibly execute arbitrary code via a crafted .js file, related to a "memory safety bug." NOTE: this was originally reported as affecting versions before 3.0.13. | |||||
| CVE-2009-3071 | 1 Mozilla | 1 Firefox | 2017-09-19 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | |||||
| CVE-2009-3077 | 1 Mozilla | 1 Firefox | 2017-09-19 | 9.3 HIGH | N/A |
| Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a "dangling pointer vulnerability." | |||||
| CVE-2009-3377 | 1 Mozilla | 1 Firefox | 2017-09-19 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in liboggz before cf5feeaab69b05e24, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. | |||||
| CVE-2009-3984 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-19 | 6.8 MEDIUM | N/A |
| Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body. | |||||
| CVE-2015-0816 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2017-09-17 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js. | |||||
| CVE-2016-1948 | 2 Google, Mozilla | 2 Android, Firefox | 2017-09-10 | 4.3 MEDIUM | 5.3 MEDIUM |
| Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is used for a lightweight-theme installation, which allows man-in-the-middle attackers to replace a theme's images and colors by modifying the client-server data stream. | |||||
| CVE-2016-1940 | 2 Google, Mozilla | 2 Android, Firefox | 2017-09-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing. | |||||
| CVE-2016-1941 | 2 Apple, Mozilla | 2 Mac Os X, Firefox | 2017-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The file-download dialog in Mozilla Firefox before 44.0 on OS X enables a certain button too quickly, which allows remote attackers to conduct clickjacking attacks via a crafted web site that triggers a single-click action in a situation where a double-click action was intended. | |||||
| CVE-2014-8636 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-08 | 7.5 HIGH | N/A |
| The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors. | |||||
| CVE-2014-8637 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-08 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initialize memory for BMP images, which allows remote attackers to obtain sensitive information from process memory via a crafted web page that triggers the rendering of malformed BMP data within a CANVAS element. | |||||
| CVE-2007-5341 | 1 Mozilla | 1 Firefox | 2017-08-29 | 7.5 HIGH | 9.8 CRITICAL |
| Remote code execution in the Venkman script debugger in Mozilla Firefox before 2.0.0.8. | |||||
| CVE-2012-4190 | 2 Cyanogenmod, Mozilla | 2 Cyanogenmod, Firefox | 2017-08-29 | 10.0 HIGH | N/A |
| The FT2FontEntry::CreateFontEntry function in FreeType, as used in the Android build of Mozilla Firefox before 16.0.1 on CyanogenMod 10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | |||||
| CVE-2011-3339 | 3 7t, Mozilla, Safenet-inc | 4 Igss, Firefox, Sentinel Hasp Run-time and 1 more | 2017-08-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Admin Control Center in Sentinel HASP Run-time Environment 5.95 and earlier in SafeNet Sentinel HASP (formerly Aladdin HASP SRM) run-time installer before 6.x and SDK before 5.11, as used in 7 Technologies (7T) IGSS 7 and other products, when Firefox 2.0 is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger write access to a configuration file. | |||||
| CVE-2002-2436 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-08-29 | 4.3 MEDIUM | N/A |
| The Cascading Style Sheets (CSS) implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. | |||||
| CVE-2011-1179 | 2 Mozilla, Redhat | 2 Firefox, Spice-xpi | 2017-08-17 | 5.1 MEDIUM | N/A |
| The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to (1) plugin/nsScriptablePeer.cpp and (2) plugin/plugin.cpp, which trigger multiple uses of an uninitialized pointer. | |||||
| CVE-2011-0341 | 2 Artifex, Mozilla | 2 Mupdf, Firefox | 2017-08-17 | 9.3 HIGH | N/A |
| Stack-based buffer overflow in the pdfmoz_onmouse function in apps/mozilla/moz_main.c in the MuPDF plug-in 2008.09.02 for Firefox allows remote attackers to execute arbitrary code via a crafted web site. | |||||
| CVE-2009-4129 | 1 Mozilla | 1 Firefox | 2017-08-17 | 5.8 MEDIUM | N/A |
| Race condition in Mozilla Firefox allows remote attackers to produce a JavaScript message with a spoofed domain association by writing the message in between the document request and document load for a web page in a different domain. | |||||