Vulnerabilities (CVE)

Filtered by vendor Mozilla Subscribe
Filtered by product Thunderbird
Total 1279 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-1945 1 Mozilla 2 Firefox Esr, Thunderbird 2025-01-09 N/A 6.5 MEDIUM
Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
CVE-2023-28163 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2025-01-09 N/A 6.5 MEDIUM
When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. <br>*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
CVE-2023-28162 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2025-01-09 N/A 8.8 HIGH
While implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
CVE-2023-28164 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2025-01-09 N/A 6.5 MEDIUM
Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
CVE-2023-28176 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2025-01-08 N/A 8.8 HIGH
Mozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
CVE-2023-5217 8 Apple, Debian, Fedoraproject and 5 more 11 Ipad Os, Iphone Os, Debian Linux and 8 more 2024-12-20 N/A 8.8 HIGH
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2023-4863 9 Bandisoft, Bentley, Debian and 6 more 12 Honeyview, Seequent Leapfrog, Debian Linux and 9 more 2024-12-20 N/A 8.8 HIGH
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
CVE-2013-1690 6 Canonical, Debian, Mozilla and 3 more 15 Ubuntu Linux, Debian Linux, Firefox and 12 more 2024-12-20 9.3 HIGH 8.8 HIGH
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
CVE-2013-1675 5 Canonical, Debian, Mozilla and 2 more 18 Ubuntu Linux, Debian Linux, Firefox and 15 more 2024-12-20 4.3 MEDIUM 6.5 MEDIUM
Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.
CVE-2023-29545 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-12-11 N/A 6.5 MEDIUM
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
CVE-2023-29542 2 Microsoft, Mozilla 4 Windows, Firefox, Firefox Esr and 1 more 2024-12-11 N/A 9.8 CRITICAL
A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
CVE-2023-29532 2 Microsoft, Mozilla 4 Windows, Firefox, Firefox Esr and 1 more 2024-12-11 N/A 5.5 MEDIUM
A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
CVE-2023-29531 2 Apple, Mozilla 4 Macos, Firefox, Firefox Esr and 1 more 2024-12-11 N/A 9.8 CRITICAL
An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash. *This bug only affects Firefox and Thunderbird for macOS. Other operating systems are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
CVE-2024-1552 3 Debian, Linux, Mozilla 4 Debian Linux, Linux Kernel, Firefox and 1 more 2024-12-10 N/A 7.5 HIGH
Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior.*Note:* This issue only affects 32-bit ARM devices. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
CVE-2024-1550 2 Debian, Mozilla 3 Debian Linux, Firefox, Thunderbird 2024-12-10 N/A 6.1 MEDIUM
A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
CVE-2024-1547 2 Debian, Mozilla 3 Debian Linux, Firefox, Thunderbird 2024-12-10 N/A 6.5 MEDIUM
Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
CVE-2024-11159 1 Mozilla 1 Thunderbird 2024-12-06 N/A 4.3 MEDIUM
Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird < 128.4.3 and Thunderbird < 132.0.1.
CVE-2024-9680 2 Debian, Mozilla 3 Debian Linux, Firefox, Thunderbird 2024-11-26 N/A 9.8 CRITICAL
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
CVE-2024-6610 1 Mozilla 2 Firefox, Thunderbird 2024-11-21 N/A 4.3 MEDIUM
Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVE-2024-6609 1 Mozilla 2 Firefox, Thunderbird 2024-11-21 N/A 8.8 HIGH
When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.