The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
Source: Mozilla Corporation
Max CVSS
3.1
EPSS Score
0.06%
Published
2023-06-19
Updated
2024-01-07
Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine. This vulnerability affects Firefox < 117.
Source: Mozilla Corporation
Max CVSS
3.1
EPSS Score
0.05%
Published
2023-09-11
Updated
2024-01-07
Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106.
Source: Mozilla Corporation
Max CVSS
3.3
EPSS Score
0.04%
Published
2022-12-22
Updated
2023-01-04
A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as &lt;input type="file"&gt;) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88.
Source: Mozilla Corporation
Max CVSS
3.1
EPSS Score
0.08%
Published
2021-06-24
Updated
2021-07-01
When typing in a password under certain conditions, a race may have occured where the InputContext was not being correctly set for the input field, resulting in the typed password being saved to the keyboard dictionary. This vulnerability affects Firefox for Android < 80.
Source: Mozilla Corporation
Max CVSS
3.1
EPSS Score
0.08%
Published
2020-10-01
Updated
2021-07-21
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
Source: Mozilla Corporation
Max CVSS
3.3
EPSS Score
0.05%
Published
2020-05-26
Updated
2022-04-26
The existence of a specifically requested local file can be found due to the double firing of the "onerror" when the "source" attribute on a "<track>" tag refers to a file that does not exist if the source page is loaded locally. This vulnerability affects Firefox < 51.
Source: Mozilla Corporation
Max CVSS
3.3
EPSS Score
0.06%
Published
2018-06-11
Updated
2018-08-07
Private browsing mode leaves metadata information, such as URLs, for sites visited in "browser.db" and "browser.db-wal" files within the Firefox profile after the mode is exited. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50.
Source: Mozilla Corporation
Max CVSS
3.3
EPSS Score
0.07%
Published
2018-06-11
Updated
2018-07-30
Race condition in the Mozilla Maintenance Service in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Windows allows local users to write to arbitrary files and consequently gain privileges via vectors involving a hard link to a log file during an update.
Source: Mozilla Corporation
Max CVSS
3.3
EPSS Score
0.05%
Published
2015-08-16
Updated
2018-10-30
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent the starting of a download in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site.
Source: MITRE
Max CVSS
3.5
EPSS Score
0.18%
Published
2011-09-29
Updated
2017-09-19
Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.
Source: Red Hat, Inc.
Max CVSS
3.3
EPSS Score
0.04%
Published
2009-02-04
Updated
2017-09-29
Multiple unspecified vulnerabilities in the layout engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allow remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via certain vectors.
Source: Red Hat, Inc.
Max CVSS
3.7
EPSS Score
97.07%
Published
2007-02-26
Updated
2018-10-16
12 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!