| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-38498 | 416 | | Mem. Corr. | 2021-11-03 | 2021-11-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. |
| 2 | CVE-2021-29991 | 444 | | | 2021-11-03 | 2021-11-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1. |
| 3 | CVE-2021-29970 | 787 | | Mem. Corr. | 2021-08-05 | 2022-12-09 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.* This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. |
| 4 | CVE-2021-29950 | 312 | | | 2021-06-24 | 2021-06-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1. |
| 5 | CVE-2021-23995 | 672 | | | 2021-06-24 | 2021-07-02 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. |
| 6 | CVE-2021-23981 | 787 | | Mem. Corr. +Info | 2021-03-31 | 2022-05-03 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial | A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. |
| 7 | CVE-2020-26978 | | | | 2021-01-07 | 2021-01-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. |
| 8 | CVE-2020-15677 | 601 | | | 2020-10-01 | 2022-11-16 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. |
| 9 | CVE-2020-6821 | 119 | | Overflow | 2020-04-24 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | When reading from areas partially or fully outside the source resource with WebGL's `copyTexSubImage` method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. |
| 10 | CVE-2020-6812 | 200 | | +Info | 2020-03-25 | 2023-02-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. |
| 11 | CVE-2019-17011 | 362 | | | 2020-01-08 | 2022-04-08 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. |
| 12 | CVE-2019-17010 | 362 | | | 2020-01-08 | 2022-04-08 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. |
| 13 | CVE-2019-11762 | 346 | | | 2020-01-08 | 2023-02-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |
| 14 | CVE-2019-11761 | 362 | | +Priv Bypass | 2020-01-08 | 2023-02-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |
| 15 | CVE-2019-11755 | 347 | | | 2019-09-27 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message. Previous versions had only suppressed showing a digital signature for messages with an outer multipart/signed layer. This vulnerability affects Thunderbird < 68.1.1. |
| 16 | CVE-2019-11729 | 119 | | Overflow | 2019-07-23 | 2020-09-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
| 17 | CVE-2019-11719 | 125 | | | 2019-07-23 | 2020-09-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
| 18 | CVE-2019-11717 | 116 | | | 2019-07-23 | 2023-02-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A vulnerability exists where the caret ("^") character is improperly escaped when constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
| 19 | CVE-2019-11706 | 843 | | | 2019-07-23 | 2023-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1. |
| 20 | CVE-2019-11698 | 20 | | | 2019-07-23 | 2019-07-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. |
| 21 | CVE-2019-9817 | 346 | | | 2019-07-23 | 2019-07-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. |
| 22 | CVE-2019-9811 | 74 | | | 2019-07-23 | 2023-02-28 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
| 23 | CVE-2018-18513 | 476 | | | 2019-04-26 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A crash can occur when processing a crafted S/MIME message or an XPI package containing a crafted signature. This can be used as a denial-of-service (DOS) attack because Thunderbird reopens the last seen message on restart, triggering the crash again. This vulnerability affects Thunderbird < 60.5. |
| 24 | CVE-2018-18509 | 347 | | | 2019-04-26 | 2019-06-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1. |
| 25 | CVE-2018-12393 | 787 | | Overflow | 2019-02-28 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.* This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. |
| 26 | CVE-2018-5184 | 326 | | | 2018-06-11 | 2019-03-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. |
| 27 | CVE-2018-5168 | | | Bypass | 2018-06-11 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. |
| 28 | CVE-2018-5162 | 311 | | | 2018-06-11 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. |
| 29 | CVE-2018-5129 | 787 | | Mem. Corr. | 2018-06-11 | 2019-03-08 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. |
| 30 | CVE-2018-5117 | | | | 2018-06-11 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. |
| 31 | CVE-2017-7848 | 74 | | | 2018-06-11 | 2018-08-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2. |
| 32 | CVE-2017-7829 | 20 | | | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | None | Partial | None | It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2. |
| 33 | CVE-2017-7807 | 20 | | | 2018-06-11 | 2019-10-03 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
| 34 | CVE-2017-7805 | 416 | | | 2018-06-11 | 2018-10-17 | 5.0 | None | Remote | Low | Not required | None | None | Partial | During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. |
| 35 | CVE-2017-7803 | 269 | | | 2018-06-11 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
| 36 | CVE-2017-7791 | 20 | | | 2018-06-11 | 2018-08-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
| 37 | CVE-2017-7787 | 200 | | Bypass +Info | 2018-06-11 | 2018-08-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. |
| 38 | CVE-2017-7764 | 20 | | | 2018-06-11 | 2018-08-13 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts." This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. |
| 39 | CVE-2017-7754 | 125 | | | 2018-06-11 | 2018-08-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. |
| 40 | CVE-2017-5467 | 119 | | Overflow Mem. Corr. | 2018-06-11 | 2018-07-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
| 41 | CVE-2017-5462 | 682 | | | 2018-06-11 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. |
| 42 | CVE-2017-5454 | 200 | | Bypass +Info | 2018-06-11 | 2018-08-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
| 43 | CVE-2017-5449 | 20 | | | 2018-06-11 | 2018-08-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. |
| 44 | CVE-2017-5445 | 129 | | | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A vulnerability while parsing "application/http-index-format" format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. |
| 45 | CVE-2017-5444 | 119 | | Overflow | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A buffer overflow vulnerability while parsing "application/http-index-format" format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. |
| 46 | CVE-2017-5422 | 20 | | | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial | If a malicious site uses the "view-source:" protocol in a series within a single hyperlink, it can trigger a non-exploitable browser crash when the hyperlink is selected. This was fixed by no longer making "view-source:" linkable. This vulnerability affects Firefox < 52 and Thunderbird < 52. |
| 47 | CVE-2017-5421 | 20 | | | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A malicious site could spoof the contents of the print preview window if popup windows are enabled, resulting in user confusion of what site is currently loaded. This vulnerability affects Firefox < 52 and Thunderbird < 52. |
| 48 | CVE-2017-5418 | 125 | | +Info | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random memory containing matches to specifically set patterns. This vulnerability affects Firefox < 52 and Thunderbird < 52. |
| 49 | CVE-2017-5416 | 476 | | | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial | In certain circumstances a networking event listener can be prematurely released. This appears to result in a null dereference in practice. This vulnerability affects Firefox < 52 and Thunderbird < 52. |
| 50 | CVE-2017-5412 | 119 | | Overflow | 2018-06-11 | 2018-08-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A buffer overflow read during SVG filter color value operations, resulting in data exposure. This vulnerability affects Firefox < 52 and Thunderbird < 52. |