| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2016-5265 |
79 |
|
XSS Bypass |
2016-08-04 |
2017-08-15 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory. |
|
2 |
CVE-2016-5262 |
79 |
|
XSS |
2016-08-04 |
2017-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. |
|
3 |
CVE-2016-2833 |
79 |
|
XSS |
2016-06-13 |
2016-06-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) directives for cross-domain Java applets, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted applet. |
|
4 |
CVE-2016-2817 |
264 |
|
XSS |
2016-04-30 |
2017-06-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) javascript: or (2) data: URL. |
|
5 |
CVE-2016-2803 |
79 |
|
XSS |
2017-04-12 |
2017-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. |
|
6 |
CVE-2016-1941 |
79 |
|
XSS |
2016-01-31 |
2017-09-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The file-download dialog in Mozilla Firefox before 44.0 on OS X enables a certain button too quickly, which allows remote attackers to conduct clickjacking attacks via a crafted web site that triggers a single-click action in a situation where a double-click action was intended. |
|
7 |
CVE-2016-1937 |
79 |
|
XSS |
2016-01-31 |
2017-09-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The protocol-handler dialog in Mozilla Firefox before 44.0 allows remote attackers to conduct clickjacking attacks via a crafted web site that triggers a single-click action in a situation where a double-click action was intended. |
|
8 |
CVE-2015-8510 |
79 |
|
XSS |
2016-01-08 |
2016-01-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the internationalization feature in the default homescreen app in Mozilla Firefox OS before 2.5 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted web site that is mishandled during "Add to home screen" bookmarking. |
|
9 |
CVE-2015-8508 |
79 |
|
XSS |
2016-01-03 |
2016-12-07 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary. |
|
10 |
CVE-2015-7223 |
264 |
|
+Priv XSS +Info |
2015-12-16 |
2016-12-07 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
The WebExtension APIs in Mozilla Firefox before 43.0 allow remote attackers to gain privileges, and possibly obtain sensitive information or conduct cross-site scripting (XSS) attacks, via a crafted web site. |
|
11 |
CVE-2015-7191 |
79 |
|
XSS |
2015-11-05 |
2016-12-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 42.0 on Android improperly restricts URL strings in intents, which allows attackers to conduct cross-site scripting (XSS) attacks via vectors involving an intent: URL and fallback navigation, aka "Universal XSS (UXSS)." |
|
12 |
CVE-2015-7188 |
254 |
|
XSS Bypass |
2015-11-05 |
2016-12-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appending whitespace characters to an IP address string. |
|
13 |
CVE-2015-7187 |
254 |
|
Exec Code XSS |
2015-11-05 |
2016-12-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaScript code that is executed within a third-party extension. |
|
14 |
CVE-2015-4518 |
79 |
|
XSS Bypass |
2015-11-05 |
2016-12-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL. |
|
15 |
CVE-2015-4490 |
79 |
|
XSS |
2015-08-15 |
2016-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in Mozilla Firefox before 40.0 does not implement the Content Security Policy Level 2 exceptions for the blob, data, and filesystem URL schemes during wildcard source-expression matching, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging unexpected policy-enforcement behavior. |
|
16 |
CVE-2015-2745 |
79 |
|
XSS |
2015-08-07 |
2015-08-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Search app in Gaia in Mozilla Firefox OS before 2.2 allow remote attackers to inject arbitrary HTML via the (1) name or (2) title field in card content associated with a search link that is mishandled after a HOME button press or a Show Windows action, as demonstrated by embedding an arbitrary application or spoofing the account-creation page. |
|
17 |
CVE-2015-2744 |
79 |
|
XSS |
2015-08-07 |
2015-08-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Search app in Gaia in Mozilla Firefox OS before 2.2 allows remote attackers to inject arbitrary HTML via a crafted search link that is mishandled after re-opening the browser or opening the tab view. |
|
18 |
CVE-2014-2018 |
79 |
|
XSS |
2014-02-17 |
2016-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in a (1) OBJECT or (2) EMBED element, a related issue to CVE-2013-6674. |
|
19 |
CVE-2014-1573 |
79 |
|
XSS |
2014-10-12 |
2016-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name. |
|
20 |
CVE-2014-1530 |
79 |
|
XSS |
2014-04-30 |
2017-01-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation. |
|
21 |
CVE-2014-1504 |
264 |
|
XSS |
2014-03-19 |
2016-12-21 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart. |
|
22 |
CVE-2013-6674 |
79 |
|
XSS |
2014-02-17 |
2015-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a related issue to CVE-2014-2018. |
|
23 |
CVE-2013-5612 |
79 |
|
XSS |
2013-12-11 |
2016-12-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header. |
|
24 |
CVE-2013-1743 |
79 |
|
XSS |
2013-10-24 |
2013-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189. |
|
25 |
CVE-2013-1742 |
79 |
|
XSS |
2013-10-24 |
2013-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter. |
|
26 |
CVE-2013-1727 |
79 |
|
XSS Bypass +Info |
2013-09-18 |
2013-10-02 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
Mozilla Firefox before 24.0 on Android allows attackers to bypass the Same Origin Policy, and consequently conduct cross-site scripting (XSS) attacks or obtain password or cookie information, by using a symlink in conjunction with a file: URL for a local file. |
|
27 |
CVE-2013-1714 |
264 |
|
XSS Bypass |
2013-08-06 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors. |
|
28 |
CVE-2013-1713 |
264 |
|
XSS |
2013-08-06 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site. |
|
29 |
CVE-2013-1711 |
79 |
|
XSS Bypass |
2013-08-06 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object. |
|
30 |
CVE-2013-1710 |
20 |
|
Exec Code XSS |
2013-08-06 |
2017-09-18 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. |
|
31 |
CVE-2013-1709 |
79 |
|
XSS |
2013-08-06 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. |
|
32 |
CVE-2013-1687 |
264 |
|
Exec Code XSS |
2013-06-25 |
2017-09-18 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site. |
|
33 |
CVE-2013-1670 |
79 |
1
|
XSS Bypass |
2013-05-16 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site. |
|
34 |
CVE-2013-0793 |
79 |
|
XSS |
2013-04-03 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 do not ensure the correctness of the address bar during history navigation, which allows remote attackers to conduct cross-site scripting (XSS) attacks or phishing attacks by leveraging control over navigation timing. |
|
35 |
CVE-2013-0785 |
79 |
|
XSS |
2013-02-24 |
2013-12-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote attackers to inject arbitrary web script or HTML via the id parameter in conjunction with an invalid value of the format parameter. |
|
36 |
CVE-2013-0751 |
264 |
|
XSS +Info |
2013-01-13 |
2017-09-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Mozilla Firefox before 18.0 on Android and SeaMonkey before 2.15 do not restrict a touch event to a single IFRAME element, which allows remote attackers to obtain sensitive information or possibly conduct cross-site scripting (XSS) attacks via a crafted HTML document. |
|
37 |
CVE-2012-5883 |
79 |
|
XSS |
2012-11-16 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209. |
|
38 |
CVE-2012-5841 |
79 |
|
XSS |
2012-11-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 implement cross-origin wrappers with a filtering behavior that does not properly restrict write actions, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. |
|
39 |
CVE-2012-5837 |
79 |
|
XSS |
2012-11-21 |
2017-09-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Web Developer Toolbar in Mozilla Firefox before 17.0 executes script with chrome privileges, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string. |
|
40 |
CVE-2012-4209 |
16 |
|
XSS |
2012-11-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 do not prevent use of a "top" frame name-attribute value to access the location property, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a binary plugin. |
|
41 |
CVE-2012-4207 |
79 |
|
XSS |
2012-11-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The HZ-GB-2312 character-set implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. |
|
42 |
CVE-2012-4201 |
16 |
|
XSS |
2012-11-21 |
2017-09-18 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on. |
|
43 |
CVE-2012-4195 |
264 |
|
Exec Code XSS |
2012-10-29 |
2017-09-18 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. |
|
44 |
CVE-2012-4194 |
79 |
|
XSS |
2012-10-29 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. |
|
45 |
CVE-2012-4189 |
79 |
|
XSS |
2012-11-16 |
2013-12-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the Version field. |
|
46 |
CVE-2012-3994 |
79 |
|
XSS |
2012-10-10 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to conduct cross-site scripting (XSS) attacks via a binary plugin that uses Object.defineProperty to shadow the top object, and leverages the relationship between top.location and the location property. |
|
47 |
CVE-2012-3992 |
264 |
|
XSS |
2012-10-10 |
2017-09-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly manage history data, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive POST content via vectors involving a location.hash write operation and history navigation that triggers the loading of a URL into the history object. |
|
48 |
CVE-2012-3985 |
|
|
XSS |
2012-10-10 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly implement the HTML5 Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging initial-origin access after document.domain has been set. |
|
49 |
CVE-2012-1966 |
264 |
|
XSS |
2012-07-18 |
2017-12-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not have the same context-menu restrictions for data: URLs as for javascript: URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. |
|
50 |
CVE-2012-1965 |
79 |
|
XSS Bypass |
2012-07-18 |
2017-12-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not properly establish the security context of a feed: URL, which allows remote attackers to bypass unspecified cross-site scripting (XSS) protection mechanisms via a feed:javascript: URL. |
