# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
1 | CVE-2022-29167 | 400 | | | 2022-05-05 | 2022-05-16 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`. |
2 | CVE-2021-43532 | 601 | | | 2021-12-08 | 2021-12-10 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94. |
3 | CVE-2021-38498 | 416 | | Mem. Corr. | 2021-11-03 | 2021-11-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. |
4 | CVE-2021-29993 | | | | 2021-11-03 | 2021-11-04 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 92. |
5 | CVE-2021-29991 | 444 | | | 2021-11-03 | 2021-11-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1. |
6 | CVE-2021-29970 | 787 | | Mem. Corr. | 2021-08-05 | 2022-12-09 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.* This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. |
7 | CVE-2021-29954 | 312 | | | 2021-06-24 | 2021-06-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service. This vulnerability affects Hubs Cloud < mozillareality/reticulum/1.0.1/20210428201255. |
8 | CVE-2021-29952 | 362 | | | 2021-06-24 | 2021-06-25 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort it may have been exploitable to run arbitrary code. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3. |
9 | CVE-2021-29950 | 312 | | | 2021-06-24 | 2021-06-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1. |
10 | CVE-2021-23995 | 672 | | | 2021-06-24 | 2021-07-02 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. |
11 | CVE-2021-23981 | 787 | | Mem. Corr. +Info | 2021-03-31 | 2022-05-03 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial |
A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. |
12 | CVE-2021-23976 | 1021 | | | 2021-02-26 | 2022-05-27 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86. |
13 | CVE-2021-21354 | 601 | | | 2021-03-08 | 2021-03-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com/". An attacker can redirect anyone to malicious sites. To Reproduce type in this URL: "https://pollbot.services.mozilla.com//evil.com/". Affected versions will redirect to that website when you inject a payload like "//evil.com/". This is fixed in version 1.4.4. |
14 | CVE-2021-4138 | | | | 2022-05-02 | 2022-05-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
Improved Host header checks to reject requests not sent to a well-known local hostname or IP, or the server-specified hostname. |
15 | CVE-2020-26979 | 601 | | | 2021-01-07 | 2021-01-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84. |
16 | CVE-2020-26978 | | | | 2021-01-07 | 2021-01-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. |
17 | CVE-2020-25648 | 770 | | DoS | 2020-10-20 | 2022-05-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58. |
18 | CVE-2020-15681 | | | | 2020-10-22 | 2020-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
When multiple WASM threads had a reference to a module, and were looking up exported functions, one WASM thread could have overwritten another's entry in a shared stub table, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 82. |
19 | CVE-2020-15680 | | | | 2020-10-22 | 2020-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82. |
20 | CVE-2020-15677 | 601 | | | 2020-10-01 | 2022-11-16 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. |
21 | CVE-2020-13790 | 125 | | | 2020-06-03 | 2020-10-20 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial |
libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file. |
22 | CVE-2020-12391 | 863 | | | 2020-05-26 | 2022-07-12 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76. |
23 | CVE-2020-6830 | 200 | | +Info | 2020-05-26 | 2020-05-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for iOS < 25. |
24 | CVE-2020-6829 | | | +Info | 2020-10-28 | 2023-02-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used, which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. |
25 | CVE-2020-6821 | 119 | | Overflow | 2020-04-24 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When reading from areas partially or fully outside the source resource with WebGL's `copyTexSubImage` method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. |
26 | CVE-2020-6813 | | | Bypass | 2020-03-25 | 2020-03-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy. This vulnerability affects Firefox < 74. |
27 | CVE-2020-6812 | 200 | | +Info | 2020-03-25 | 2023-02-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. |
28 | CVE-2020-6809 | 200 | | +Info | 2020-03-25 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files. This vulnerability affects Firefox < 74. |
29 | CVE-2020-6803 | 601 | | | 2020-02-28 | 2020-03-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in. |
30 | CVE-2019-17018 | 200 | | +Info | 2020-01-08 | 2020-01-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72. |
31 | CVE-2019-17011 | 362 | | | 2020-01-08 | 2022-04-08 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. |
32 | CVE-2019-17010 | 362 | | | 2020-01-08 | 2022-04-08 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. |
33 | CVE-2019-17007 | 295 | | DoS | 2020-10-22 | 2021-02-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. |
34 | CVE-2019-17001 | 79 | | XSS Bypass | 2020-01-08 | 2020-01-13 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000. *Note: This flaw only affected Firefox 69 and was not present in earlier versions.* This vulnerability affects Firefox < 70. |
35 | CVE-2019-17000 | 79 | | XSS Bypass | 2020-01-08 | 2020-01-13 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URIs. This vulnerability affects Firefox < 70. |
36 | CVE-2019-11762 | 346 | | | 2020-01-08 | 2023-02-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |
37 | CVE-2019-11761 | 362 | | +Priv Bypass | 2020-01-08 | 2023-02-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |
38 | CVE-2019-11755 | 347 | | | 2019-09-27 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message. Previous versions had only suppressed showing a digital signature for messages with an outer multipart/signed layer. This vulnerability affects Thunderbird < 68.1.1. |
39 | CVE-2019-11737 | 345 | | | 2019-09-27 | 2019-10-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69. |
40 | CVE-2019-11733 | 287 | | | 2019-09-27 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2. |
41 | CVE-2019-11729 | 119 | | Overflow | 2019-07-23 | 2020-09-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
42 | CVE-2019-11727 | 295 | | | 2019-07-23 | 2019-07-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. |
43 | CVE-2019-11724 | 863 | | | 2019-07-23 | 2023-01-31 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox < 68. |
44 | CVE-2019-11723 | 346 | | | 2019-07-23 | 2023-01-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability affects Firefox < 68. |
45 | CVE-2019-11719 | 125 | | | 2019-07-23 | 2020-09-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
46 | CVE-2019-11718 | 74 | | | 2019-07-23 | 2023-01-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for potential access to other information available to the Activity Stream, such as browsing history, if the Snippet Service were compromised. This vulnerability affects Firefox < 68. |
47 | CVE-2019-11717 | 116 | | | 2019-07-23 | 2023-02-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
A vulnerability exists where the caret ("^") character is improperly escaped when constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
48 | CVE-2019-11706 | 843 | | | 2019-07-23 | 2023-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1. |
49 | CVE-2019-11698 | 20 | | | 2019-07-23 | 2019-07-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. |
50 | CVE-2019-9817 | 346 | | | 2019-07-23 | 2019-07-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. |