| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-38498 |
416 |
|
Mem. Corr. |
2021-11-03 |
2021-11-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. |
|
2 |
CVE-2021-29970 |
787 |
|
Mem. Corr. |
2021-08-05 |
2022-12-09 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. |
|
3 |
CVE-2021-23995 |
672 |
|
|
2021-06-24 |
2021-07-02 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. |
|
4 |
CVE-2021-23981 |
787 |
|
Mem. Corr. +Info |
2021-03-31 |
2022-05-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. |
|
5 |
CVE-2020-26978 |
|
|
|
2021-01-07 |
2021-01-12 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. |
|
6 |
CVE-2020-15677 |
601 |
|
|
2020-10-01 |
2022-11-16 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. |
|
7 |
CVE-2020-6821 |
119 |
|
Overflow |
2020-04-24 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
When reading from areas partially or fully outside the source resource with WebGL's <code>copyTexSubImage</code> method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. |
|
8 |
CVE-2020-6812 |
200 |
|
+Info |
2020-03-25 |
2023-02-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. |
|
9 |
CVE-2019-17011 |
362 |
|
|
2020-01-08 |
2022-04-08 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. |
|
10 |
CVE-2019-17010 |
362 |
|
|
2020-01-08 |
2022-04-08 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. |
|
11 |
CVE-2019-11762 |
346 |
|
|
2020-01-08 |
2023-02-01 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |
|
12 |
CVE-2019-11761 |
362 |
|
+Priv Bypass |
2020-01-08 |
2023-02-01 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |
|
13 |
CVE-2019-11733 |
287 |
|
|
2019-09-27 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2. |
|
14 |
CVE-2019-11729 |
119 |
|
Overflow |
2019-07-23 |
2020-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
|
15 |
CVE-2019-11719 |
125 |
|
|
2019-07-23 |
2020-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
|
16 |
CVE-2019-11717 |
116 |
|
|
2019-07-23 |
2023-02-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
|
17 |
CVE-2019-11698 |
20 |
|
|
2019-07-23 |
2019-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. |
|
18 |
CVE-2019-9817 |
346 |
|
|
2019-07-23 |
2019-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. |
|
19 |
CVE-2019-9812 |
20 |
|
|
2020-01-08 |
2021-07-21 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. |
|
20 |
CVE-2019-9811 |
74 |
|
|
2019-07-23 |
2023-02-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
|
21 |
CVE-2018-12395 |
|
|
Bypass |
2019-02-28 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
By rewriting the Host: request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63. |
|
22 |
CVE-2018-12393 |
787 |
|
Overflow |
2019-02-28 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. |
|
23 |
CVE-2018-12386 |
704 |
|
Exec Code |
2018-10-18 |
2018-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3. |
|
24 |
CVE-2018-5168 |
|
|
Bypass |
2018-06-11 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. |
|
25 |
CVE-2018-5157 |
200 |
|
Bypass +Info |
2018-06-11 |
2019-03-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. |
|
26 |
CVE-2018-5129 |
787 |
|
Mem. Corr. |
2018-06-11 |
2019-03-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. |
|
27 |
CVE-2018-5117 |
|
|
|
2018-06-11 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. |
|
28 |
CVE-2017-7843 |
200 |
|
+Info |
2018-06-11 |
2018-08-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1. |
|
29 |
CVE-2017-7807 |
20 |
|
|
2018-06-11 |
2019-10-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
|
30 |
CVE-2017-7805 |
416 |
|
|
2018-06-11 |
2018-10-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. |
|
31 |
CVE-2017-7803 |
269 |
|
|
2018-06-11 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
|
32 |
CVE-2017-7791 |
20 |
|
|
2018-06-11 |
2018-08-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
|
33 |
CVE-2017-7787 |
200 |
|
Bypass +Info |
2018-06-11 |
2018-08-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
|
34 |
CVE-2017-7764 |
20 |
|
|
2018-06-11 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. |
|
35 |
CVE-2017-7754 |
125 |
|
|
2018-06-11 |
2018-08-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. |
|
36 |
CVE-2017-5467 |
119 |
|
Overflow Mem. Corr. |
2018-06-11 |
2018-07-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
|
37 |
CVE-2017-5462 |
682 |
|
|
2018-06-11 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. |
|
38 |
CVE-2017-5455 |
|
|
Exec Code |
2018-06-11 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The internal feed reader APIs that crossed the sandbox barrier allowed for a sandbox escape and escalation of privilege if combined with another vulnerability that resulted in remote code execution inside the sandboxed process. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. |
|
39 |
CVE-2017-5454 |
200 |
|
Bypass +Info |
2018-06-11 |
2018-08-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
|
40 |
CVE-2017-5449 |
20 |
|
|
2018-06-11 |
2018-08-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
|
41 |
CVE-2017-5445 |
129 |
|
|
2018-06-11 |
2018-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability while parsing "application/http-index-format" format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. |
|
42 |
CVE-2017-5444 |
119 |
|
Overflow |
2018-06-11 |
2018-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A buffer overflow vulnerability while parsing "application/http-index-format" format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. |
|
43 |
CVE-2017-5408 |
200 |
|
+Info |
2018-06-11 |
2018-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. |
|
44 |
CVE-2017-5405 |
1187 |
|
|
2018-06-11 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. |
|
45 |
CVE-2017-5383 |
20 |
|
|
2018-06-11 |
2018-08-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. |
|
46 |
CVE-2017-5378 |
200 |
|
+Info |
2018-06-11 |
2018-08-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. |
|
47 |
CVE-2016-10196 |
787 |
|
DoS Overflow |
2017-03-15 |
2022-01-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument. |
|
48 |
CVE-2016-9904 |
200 |
|
+Info |
2018-06-11 |
2018-08-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. |
|
49 |
CVE-2016-9902 |
346 |
|
|
2018-06-11 |
2018-08-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1. |
|
50 |
CVE-2016-9900 |
254 |
|
Bypass |
2018-06-11 |
2018-08-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. |
