FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
44b6dfbf-4ef7-4d52-ad52-2b1b05d81272mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7


Discovery 2019-05-21
Entry 2019-05-22
Modified 2019-07-23
firefox
lt 67.0,1

waterfox
lt 56.2.10

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.7.0,1

linux-firefox
lt 60.7.0,2

libxul
thunderbird
linux-thunderbird
lt 60.7.0

CVE-2019-9815
CVE-2019-9816
CVE-2019-9817
CVE-2019-9818
CVE-2019-9819
CVE-2019-9820
CVE-2019-9821
CVE-2019-11691
CVE-2019-11692
CVE-2019-11693
CVE-2019-7317
CVE-2019-11694
CVE-2019-11695
CVE-2019-11696
CVE-2019-11697
CVE-2019-11698
CVE-2019-11700
CVE-2019-11699
CVE-2019-11701
CVE-2019-9814
CVE-2019-9800
https://www.mozilla.org/security/advisories/mfsa2019-13/
https://www.mozilla.org/security/advisories/mfsa2019-14/
https://www.mozilla.org/security/advisories/mfsa2019-15/
f78eac48-c3d1-4666-8de5-63ceea25a578mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5


Discovery 2017-11-14
Entry 2017-11-14
firefox
lt 56.0.2_10,1

seamonkey
linux-seamonkey
lt 2.49.2

firefox-esr
lt 52.5.0,1

linux-firefox
lt 52.5.0,2

libxul
thunderbird
linux-thunderbird
lt 52.5.0

CVE-2017-7826
CVE-2017-7827
CVE-2017-7828
CVE-2017-7830
CVE-2017-7831
CVE-2017-7832
CVE-2017-7833
CVE-2017-7834
CVE-2017-7835
CVE-2017-7836
CVE-2017-7837
CVE-2017-7838
CVE-2017-7839
CVE-2017-7840
CVE-2017-7842
https://www.mozilla.org/security/advisories/mfsa2017-24/
https://www.mozilla.org/security/advisories/mfsa2017-25/
18211552-f650-4d86-ba4f-e6d5cbfcdbebmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-18356: Use-after-free in Skia

CVE-2019-5785: Integer overflow in Skia

CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext


Discovery 2019-02-13
Entry 2019-02-13
firefox
lt 65.0.1,1

firefox-esr
lt 60.5.1,1

thunderbird
lt 60.5.1

CVE-2018-18511
CVE-2018-18356
CVE-2019-5785
https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
1753f0ff-8dd5-11e3-9b45-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

MFSA 2014-02 Clone protected content with XBL scopes

MFSA 2014-03 UI selection timeout missing on download prompts

MFSA 2014-04 Incorrect use of discarded images by RasterImage

MFSA 2014-05 Information disclosure with *FromPoint on iframes

MFSA 2014-06 Profile path leaks to Android system log

MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy

MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing

MFSA 2014-09 Cross-origin information leak through web workers

MFSA 2014-10 Firefox default start page UI content invokable by script

MFSA 2014-11 Crash when using web workers with asm.js

MFSA 2014-12 NSS ticket handling issues

MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects


Discovery 2014-02-04
Entry 2014-02-04
firefox
gt 25.0,1 lt 27.0,1

lt 24.3.0,1

linux-firefox
lt 27.0,1

linux-seamonkey
lt 2.24

linux-thunderbird
lt 24.3.0

seamonkey
lt 2.24

thunderbird
lt 24.3.0

CVE-2014-1477
CVE-2014-1478
CVE-2014-1479
CVE-2014-1480
CVE-2014-1481
CVE-2014-1482
CVE-2014-1483
CVE-2014-1484
CVE-2014-1485
CVE-2014-1486
CVE-2014-1487
CVE-2014-1488
CVE-2014-1489
CVE-2014-1490
CVE-2014-1491
https://www.mozilla.org/security/announce/2014/mfsa2014-01.html
https://www.mozilla.org/security/announce/2014/mfsa2014-02.html
https://www.mozilla.org/security/announce/2014/mfsa2014-03.html
https://www.mozilla.org/security/announce/2014/mfsa2014-04.html
https://www.mozilla.org/security/announce/2014/mfsa2014-05.html
https://www.mozilla.org/security/announce/2014/mfsa2014-06.html
https://www.mozilla.org/security/announce/2014/mfsa2014-07.html
https://www.mozilla.org/security/announce/2014/mfsa2014-08.html
https://www.mozilla.org/security/announce/2014/mfsa2014-09.html
https://www.mozilla.org/security/announce/2014/mfsa2014-10.html
https://www.mozilla.org/security/announce/2014/mfsa2014-11.html
https://www.mozilla.org/security/announce/2014/mfsa2014-12.html
http://www.mozilla.org/security/known-vulnerabilities/
c66a5632-708a-4727-8236-d65b2d5b2739mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

MFSA 2015-80 Out-of-bounds read with malformed MP3 file

MFSA 2015-81 Use-after-free in MediaStream playback

MFSA 2015-82 Redefinition of non-configurable JavaScript object properties

MFSA 2015-83 Overflow issues in libstagefright

MFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links

MFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file

MFSA 2015-86 Feed protocol with POST bypasses mixed content protections

MFSA 2015-87 Crash when using shared memory in JavaScript

MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images

MFSA 2015-90 Vulnerabilities found through code inspection

MFSA 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification

MFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers


Discovery 2015-08-11
Entry 2015-08-11
Modified 2015-08-22
firefox
lt 40.0,1

linux-firefox
lt 40.0,1

seamonkey
ge 2.36 lt 2.37

lt 2.35

linux-seamonkey
ge 2.36 lt 2.37

lt 2.35

firefox-esr
lt 38.2.0,1

libxul
lt 38.2.0

thunderbird
lt 38.2.0

linux-thunderbird
lt 38.2.0

CVE-2015-4473
CVE-2015-4474
CVE-2015-4475
CVE-2015-4477
CVE-2015-4478
CVE-2015-4479
CVE-2015-4480
CVE-2015-4481
CVE-2015-4482
CVE-2015-4483
CVE-2015-4484
CVE-2015-4487
CVE-2015-4488
CVE-2015-4489
CVE-2015-4490
CVE-2015-4491
CVE-2015-4492
CVE-2015-4493
https://www.mozilla.org/security/advisories/mfsa2015-79/
https://www.mozilla.org/security/advisories/mfsa2015-80/
https://www.mozilla.org/security/advisories/mfsa2015-81/
https://www.mozilla.org/security/advisories/mfsa2015-82/
https://www.mozilla.org/security/advisories/mfsa2015-83/
https://www.mozilla.org/security/advisories/mfsa2015-84/
https://www.mozilla.org/security/advisories/mfsa2015-85/
https://www.mozilla.org/security/advisories/mfsa2015-86/
https://www.mozilla.org/security/advisories/mfsa2015-87/
https://www.mozilla.org/security/advisories/mfsa2015-88/
https://www.mozilla.org/security/advisories/mfsa2015-90/
https://www.mozilla.org/security/advisories/mfsa2015-91/
https://www.mozilla.org/security/advisories/mfsa2015-92/
c4f39920-781f-4aeb-b6af-17ed566c4272mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-12386: Type confusion in JavaScript

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

CVE-2018-12387:

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.


Discovery 2018-10-02
Entry 2018-10-02
Modified 2019-07-23
firefox
lt 62.0.3,1

waterfox
lt 56.2.4

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.2.2,1

linux-firefox
lt 60.2.2,2

libxul
thunderbird
linux-thunderbird
lt 60.2.2

CVE-2018-12386
CVE-2018-12387
https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/
610de647-af8d-11e3-a25b-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

MFSA 2014-16 Files extracted during updates are not always read only

MFSA 2014-17 Out of bounds read during WAV file decoding

MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key

MFSA 2014-19 Spoofing attack on WebRTC permission prompt

MFSA 2014-20 onbeforeunload and Javascript navigation DOS

MFSA 2014-21 Local file access via Open Link in new tab

MFSA 2014-22 WebGL content injection from one domain to rendering in another

MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore

MFSA 2014-24 Android Crash Reporter open to manipulation

MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape

MFSA 2014-26 Information disclosure through polygon rendering in MathML

MFSA 2014-27 Memory corruption in Cairo during PDF font rendering

MFSA 2014-28 SVG filters information disclosure through feDisplacementMap

MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs

MFSA 2014-30 Use-after-free in TypeObject

MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects

MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering


Discovery 2014-03-19
Entry 2014-03-19
Modified 2014-03-20
firefox
lt 28.0,1

firefox-esr
lt 24.4.0,1

linux-firefox
lt 28.0,1

linux-seamonkey
lt 2.25

linux-thunderbird
lt 24.4.0

seamonkey
lt 2.25

thunderbird
lt 24.4.0

CVE-2014-1493
CVE-2014-1494
CVE-2014-1496
CVE-2014-1497
CVE-2014-1498
CVE-2014-1499
CVE-2014-1500
CVE-2014-1501
CVE-2014-1502
CVE-2014-1504
CVE-2014-1505
CVE-2014-1506
CVE-2014-1507
CVE-2014-1508
CVE-2014-1509
CVE-2014-1510
CVE-2014-1511
CVE-2014-1512
CVE-2014-1513
CVE-2014-1514
https://www.mozilla.org/security/announce/2014/mfsa2014-15.html
https://www.mozilla.org/security/announce/2014/mfsa2014-16.html
https://www.mozilla.org/security/announce/2014/mfsa2014-17.html
https://www.mozilla.org/security/announce/2014/mfsa2014-18.html
https://www.mozilla.org/security/announce/2014/mfsa2014-19.html
https://www.mozilla.org/security/announce/2014/mfsa2014-20.html
https://www.mozilla.org/security/announce/2014/mfsa2014-21.html
https://www.mozilla.org/security/announce/2014/mfsa2014-22.html
https://www.mozilla.org/security/announce/2014/mfsa2014-23.html
https://www.mozilla.org/security/announce/2014/mfsa2014-24.html
https://www.mozilla.org/security/announce/2014/mfsa2014-25.html
https://www.mozilla.org/security/announce/2014/mfsa2014-26.html
https://www.mozilla.org/security/announce/2014/mfsa2014-27.html
https://www.mozilla.org/security/announce/2014/mfsa2014-28.html
https://www.mozilla.org/security/announce/2014/mfsa2014-29.html
https://www.mozilla.org/security/announce/2014/mfsa2014-30.html
https://www.mozilla.org/security/announce/2014/mfsa2014-31.html
https://www.mozilla.org/security/announce/2014/mfsa2014-32.html
http://www.mozilla.org/security/known-vulnerabilities/
44d9daee-940c-4179-86bb-6e3ffd617869mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

MFSA 2015-60 Local files or privileged URLs in pages can be opened into new tabs

MFSA 2015-61 Type confusion in Indexed Database Manager

MFSA 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio

MFSA 2015-63 Use-after-free in Content Policy due to microtask execution error

MFSA 2015-64 ECDSA signature validation fails to handle some signatures correctly

MFSA 2015-65 Use-after-free in workers while using XMLHttpRequest

MFSA 2015-66 Vulnerabilities found through code inspection

MFSA 2015-67 Key pinning is ignored when overridable errors are encountered

MFSA 2015-68 OS X crash reports may contain entered key press information

MFSA 2015-69 Privilege escalation through internal workers

MFSA 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites

MFSA 2015-71 NSS incorrectly permits skipping of ServerKeyExchange


Discovery 2015-07-02
Entry 2015-07-16
Modified 2015-09-22
firefox
lt 39.0,1

linux-firefox
lt 39.0,1

seamonkey
lt 2.35

linux-seamonkey
lt 2.35

firefox-esr
lt 31.8.0,1

ge 38.0,1 lt 38.1.0,1

libxul
lt 31.8.0

ge 38.0 lt 38.1.0

thunderbird
lt 31.8.0

ge 38.0 lt 38.1.0

linux-thunderbird
lt 31.8.0

ge 38.0 lt 38.1.0

CVE-2015-2721
CVE-2015-2722
CVE-2015-2724
CVE-2015-2725
CVE-2015-2726
CVE-2015-2727
CVE-2015-2728
CVE-2015-2729
CVE-2015-2730
CVE-2015-2731
CVE-2015-2733
CVE-2015-2734
CVE-2015-2735
CVE-2015-2736
CVE-2015-2737
CVE-2015-2738
CVE-2015-2739
CVE-2015-2740
CVE-2015-2741
CVE-2015-2742
CVE-2015-2743
CVE-2015-4000
https://www.mozilla.org/security/advisories/mfsa2015-59/
https://www.mozilla.org/security/advisories/mfsa2015-60/
https://www.mozilla.org/security/advisories/mfsa2015-61/
https://www.mozilla.org/security/advisories/mfsa2015-62/
https://www.mozilla.org/security/advisories/mfsa2015-63/
https://www.mozilla.org/security/advisories/mfsa2015-64/
https://www.mozilla.org/security/advisories/mfsa2015-65/
https://www.mozilla.org/security/advisories/mfsa2015-66/
https://www.mozilla.org/security/advisories/mfsa2015-67/
https://www.mozilla.org/security/advisories/mfsa2015-68/
https://www.mozilla.org/security/advisories/mfsa2015-69/
https://www.mozilla.org/security/advisories/mfsa2015-70/
https://www.mozilla.org/security/advisories/mfsa2015-71/
985d4d6c-cfbd-11e3-a003-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer

MFSA 2014-36 Web Audio memory corruption issues

MFSA 2014-37 Out of bounds read while decoding JPG images

MFSA 2014-38 Buffer overflow when using non-XBL object as XBL

MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video

MFSA 2014-41 Out-of-bounds write in Cairo

MFSA 2014-42 Privilege escalation through Web Notification API

MFSA 2014-43 Cross-site scripting (XSS) using history navigations

MFSA 2014-44 Use-after-free in imgLoader while resizing images

MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates

MFSA 2014-46 Use-after-free in nsHostResolve

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript


Discovery 2014-04-29
Entry 2014-04-29
firefox
lt 29.0,1

firefox-esr
lt 24.5.0,1

linux-firefox
lt 29.0,1

linux-seamonkey
lt 2.26

linux-thunderbird
lt 24.5.0

seamonkey
lt 2.26

thunderbird
lt 24.5.0

CVE-2014-1529
CVE-2014-1492
CVE-2014-1518
CVE-2014-1519
CVE-2014-1520
CVE-2014-1522
CVE-2014-1523
CVE-2014-1524
CVE-2014-1525
CVE-2014-1526
CVE-2014-1527
CVE-2014-1528
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
https://www.mozilla.org/security/announce/2014/mfsa2014-34.html
https://www.mozilla.org/security/announce/2014/mfsa2014-35.html
https://www.mozilla.org/security/announce/2014/mfsa2014-36.html
https://www.mozilla.org/security/announce/2014/mfsa2014-37.html
https://www.mozilla.org/security/announce/2014/mfsa2014-38.html
https://www.mozilla.org/security/announce/2014/mfsa2014-39.html
https://www.mozilla.org/security/announce/2014/mfsa2014-41.html
https://www.mozilla.org/security/announce/2014/mfsa2014-42.html
https://www.mozilla.org/security/announce/2014/mfsa2014-43.html
https://www.mozilla.org/security/announce/2014/mfsa2014-44.html
https://www.mozilla.org/security/announce/2014/mfsa2014-45.html
https://www.mozilla.org/security/announce/2014/mfsa2014-46.html
https://www.mozilla.org/security/announce/2014/mfsa2014-47.html
http://www.mozilla.org/security/known-vulnerabilities/
d9b43004-f5fd-4807-b1d7-dbf66455b244mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata


Discovery 2015-05-12
Entry 2015-05-12
Modified 2015-08-28
firefox
lt 38.0,1

linux-firefox
lt 38.0,1

seamonkey
lt 2.35

linux-seamonkey
lt 2.35

firefox-esr
lt 31.7.0,1

libxul
lt 31.7.0

ge 32.0 lt 38.0

thunderbird
lt 31.7.0

ge 32.0 lt 38.0

linux-thunderbird
lt 31.7.0

ge 32.0 lt 38.0

CVE-2011-3079
CVE-2015-0797
CVE-2015-0833
CVE-2015-2708
CVE-2015-2709
CVE-2015-2710
CVE-2015-2711
CVE-2015-2712
CVE-2015-2713
CVE-2015-2714
CVE-2015-2715
CVE-2015-2716
CVE-2015-2717
CVE-2015-2718
CVE-2015-2720
CVE-2015-4496
https://www.mozilla.org/security/advisories/mfsa2015-46/
https://www.mozilla.org/security/advisories/mfsa2015-47/
https://www.mozilla.org/security/advisories/mfsa2015-48/
https://www.mozilla.org/security/advisories/mfsa2015-49/
https://www.mozilla.org/security/advisories/mfsa2015-50/
https://www.mozilla.org/security/advisories/mfsa2015-51/
https://www.mozilla.org/security/advisories/mfsa2015-52/
https://www.mozilla.org/security/advisories/mfsa2015-53/
https://www.mozilla.org/security/advisories/mfsa2015-54/
https://www.mozilla.org/security/advisories/mfsa2015-55/
https://www.mozilla.org/security/advisories/mfsa2015-56/
https://www.mozilla.org/security/advisories/mfsa2015-57/
https://www.mozilla.org/security/advisories/mfsa2015-58/
https://www.mozilla.org/security/advisories/mfsa2015-93/
888a0262-f0d9-11e3-ba0c-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer

MFSA 2014-51 Use-after-free in Event Listener Manager

MFSA 2014-52 Use-after-free with SMIL Animation Controller

MFSA 2014-53 Buffer overflow in Web Audio Speex resampler

MFSA 2014-54 Buffer overflow in Gamepad API

MFSA 2014-55 Out of bounds write in NSPR


Discovery 2014-06-10
Entry 2014-06-10
firefox
lt 30.0,1

firefox-esr
lt 24.6.0,1

seamonkey
lt 2.26.1

linux-firefox
lt 30.0,1

linux-seamonkey
lt 2.26.1

linux-thunderbird
lt 24.6.0

nspr
lt 4.10.6

thunderbird
lt 24.6.0

CVE-2014-1533
CVE-2014-1534
CVE-2014-1536
CVE-2014-1537
CVE-2014-1540
CVE-2014-1541
CVE-2014-1542
CVE-2014-1543
CVE-2014-1545
https://www.mozilla.org/security/announce/2014/mfsa2014-48.html
https://www.mozilla.org/security/announce/2014/mfsa2014-49.html
https://www.mozilla.org/security/announce/2014/mfsa2014-51.html
https://www.mozilla.org/security/announce/2014/mfsa2014-52.html
https://www.mozilla.org/security/announce/2014/mfsa2014-53.html
https://www.mozilla.org/security/announce/2014/mfsa2014-54.html
https://www.mozilla.org/security/announce/2014/mfsa2014-55.html
d0c97697-df2c-4b8b-bff2-cec24dc35af8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA-2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

MFSA-2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin

MFSA-2015-32 Add-on lightweight theme installation approval bypassed through MITM attack

MFSA-2015-33 resource:// documents can load privileged pages

MFSA-2015-34 Out of bounds read in QCMS library

MFSA-2015-35 Cursor clickjacking with flash and images

MFSA-2015-36 Incorrect memory management for simple-type arrays in WebRTC

MFSA-2015-37 CORS requests should not follow 30x redirections after preflight

MFSA-2015-38 Memory corruption crashes in Off Main Thread Compositing

MFSA-2015-39 Use-after-free due to type confusion flaws

MFSA-2015-40 Same-origin bypass through anchor navigation

MFSA-2015-41 PRNG weakness allows for DNS poisoning on Android

MFSA-2015-42 Windows can retain access to privileged content on navigation to unprivileged pages


Discovery 2015-03-31
Entry 2015-03-31
firefox
lt 37.0,1

firefox-esr
lt 31.6.0,1

linux-firefox
lt 37.0,1

linux-seamonkey
lt 2.34

linux-thunderbird
lt 31.6.0

seamonkey
lt 2.34

thunderbird
lt 31.6.0

libxul
lt 31.6.0

CVE-2012-2808
CVE-2015-0800
CVE-2015-0801
CVE-2015-0802
CVE-2015-0803
CVE-2015-0804
CVE-2015-0805
CVE-2015-0806
CVE-2015-0807
CVE-2015-0808
CVE-2015-0810
CVE-2015-0811
CVE-2015-0812
CVE-2015-0813
CVE-2015-0814
CVE-2015-0815
CVE-2015-0816
https://www.mozilla.org/security/advisories/mfsa2015-30/
https://www.mozilla.org/security/advisories/mfsa2015-31/
https://www.mozilla.org/security/advisories/mfsa2015-32/
https://www.mozilla.org/security/advisories/mfsa2015-33/
https://www.mozilla.org/security/advisories/mfsa2015-34/
https://www.mozilla.org/security/advisories/mfsa2015-35/
https://www.mozilla.org/security/advisories/mfsa2015-36/
https://www.mozilla.org/security/advisories/mfsa2015-37/
https://www.mozilla.org/security/advisories/mfsa2015-38/
https://www.mozilla.org/security/advisories/mfsa2015-39/
https://www.mozilla.org/security/advisories/mfsa2015-40/
https://www.mozilla.org/security/advisories/mfsa2015-41/
https://www.mozilla.org/security/advisories/mfsa2015-42/
https://www.mozilla.org/security/advisories/
0592f49f-b3b8-4260-b648-d1718762656cmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-9811: Sandbox escape via installation of malicious language pack

CVE-2019-11711: Script injection within domain through inner window reuse

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

CVE-2019-11715: HTML parsing error can contribute to content XSS

CVE-2019-11716: globalThis not enumerable until accessed

CVE-2019-11717: Caret character improperly escaped in origins

CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

CVE-2019-11720: Character encoding XSS vulnerability

CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

CVE-2019-11725: Websocket resources bypass safebrowsing protections

CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

CVE-2019-11728: Port scanning through Alt-Svc header

CVE-2019-11710: Memory safety bugs fixed in Firefox 68

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8


Discovery 2019-07-09
Entry 2019-07-09
Modified 2019-07-23
firefox
lt 68.0_4,1

waterfox
lt 56.2.12

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.8.0,1

linux-firefox
lt 60.8.0,2

libxul
thunderbird
linux-thunderbird
lt 60.8.0

CVE-2019-11709
CVE-2019-11710
CVE-2019-11711
CVE-2019-11712
CVE-2019-11713
CVE-2019-11714
CVE-2019-11715
CVE-2019-11716
CVE-2019-11717
CVE-2019-11718
CVE-2019-11719
CVE-2019-11720
CVE-2019-11721
CVE-2019-11723
CVE-2019-11724
CVE-2019-11725
CVE-2019-11727
CVE-2019-11728
CVE-2019-11729
CVE-2019-11730
CVE-2019-9811
https://www.mozilla.org/security/advisories/mfsa2019-21/
https://www.mozilla.org/security/advisories/mfsa2019-22/
978b0f76-122d-11e4-afe3-bc5ff4fb5e7bmozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-66 IFRAME sandbox same-origin access through redirect

MFSA 2014-65 Certificate parsing broken by non-standard character encoding

MFSA 2014-64 Crash in Skia library when scaling high quality images

MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache

MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library

MFSA 2014-61 Use-after-free with FireOnStateChange event

MFSA 2014-60 Toolbar dialog customization event spoofing

MFSA 2014-59 Use-after-free in DirectWrite font handling

MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering

MFSA 2014-57 Buffer overflow during Web Audio buffering for playback

MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)


Discovery 2014-07-22
Entry 2014-07-23
firefox
lt 31.0,1

firefox-esr
lt 24.7.0,1

linux-firefox
lt 31.0,1

linux-thunderbird
lt 24.7.0

thunderbird
lt 24.7.0

nss
lt 3.16.1_2

CVE-2014-1544
CVE-2014-1547
CVE-2014-1548
CVE-2014-1549
CVE-2014-1550
CVE-2014-1551
CVE-2014-1552
CVE-2014-1555
CVE-2014-1556
CVE-2014-1557
CVE-2014-1558
CVE-2014-1559
CVE-2014-1560
CVE-2014-1561
https://www.mozilla.org/security/announce/2014/mfsa2014-56.html
https://www.mozilla.org/security/announce/2014/mfsa2014-57.html
https://www.mozilla.org/security/announce/2014/mfsa2014-58.html
https://www.mozilla.org/security/announce/2014/mfsa2014-59.html
https://www.mozilla.org/security/announce/2014/mfsa2014-60.html
https://www.mozilla.org/security/announce/2014/mfsa2014-61.html
https://www.mozilla.org/security/announce/2014/mfsa2014-62.html
https://www.mozilla.org/security/announce/2014/mfsa2014-63.html
https://www.mozilla.org/security/announce/2014/mfsa2014-64.html
https://www.mozilla.org/security/announce/2014/mfsa2014-65.html
https://www.mozilla.org/security/announce/2014/mfsa2014-66.html
https://www.mozilla.org/security/announce/
99029172-8253-407d-9d8b-2cfeab9abf81mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA-2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

MFSA-2015-12 Invoking Mozilla updater will load locally stored DLL files

MFSA-2015-13 Appended period to hostnames can bypass HPKP and HSTS protections

MFSA-2015-14 Malicious WebGL content crash when writing strings

MFSA-2015-15 TLS TURN and STUN connections silently fail to simple TCP connections

MFSA-2015-16 Use-after-free in IndexedDB

MFSA-2015-17 Buffer overflow in libstagefright during MP4 video playback

MFSA-2015-18 Double-free when using non-default memory allocators with a zero-length XHR

MFSA-2015-19 Out-of-bounds read and write while rendering SVG content

MFSA-2015-20 Buffer overflow during CSS restyling

MFSA-2015-21 Buffer underflow during MP3 playback

MFSA-2015-22 Crash using DrawTarget in Cairo graphics library

MFSA-2015-23 Use-after-free in Developer Console date with OpenType Sanitiser

MFSA-2015-24 Reading of local files through manipulation of form autocomplete

MFSA-2015-25 Local files or privileged URLs in pages can be opened into new tabs

MFSA-2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs

MFSA-2015-27 Caja Compiler JavaScript sandbox bypass


Discovery 2015-02-24
Entry 2015-02-27
firefox
lt 36.0,1

firefox-esr
lt 31.5.0,1

linux-firefox
lt 36.0,1

linux-seamonkey
lt 2.33

linux-thunderbird
lt 31.5.0

seamonkey
lt 2.33

thunderbird
lt 31.5.0

libxul
lt 31.5.0

CVE-2015-0819
CVE-2015-0820
CVE-2015-0821
CVE-2015-0822
CVE-2015-0823
CVE-2015-0824
CVE-2015-0825
CVE-2015-0826
CVE-2015-0827
CVE-2015-0828
CVE-2015-0829
CVE-2015-0830
CVE-2015-0831
CVE-2015-0832
CVE-2015-0833
CVE-2015-0834
CVE-2015-0835
CVE-2015-0836
https://www.mozilla.org/security/advisories/mfsa2015-11/
https://www.mozilla.org/security/advisories/mfsa2015-12/
https://www.mozilla.org/security/advisories/mfsa2015-13/
https://www.mozilla.org/security/advisories/mfsa2015-14/
https://www.mozilla.org/security/advisories/mfsa2015-15/
https://www.mozilla.org/security/advisories/mfsa2015-16/
https://www.mozilla.org/security/advisories/mfsa2015-17/
https://www.mozilla.org/security/advisories/mfsa2015-18/
https://www.mozilla.org/security/advisories/mfsa2015-19/
https://www.mozilla.org/security/advisories/mfsa2015-20/
https://www.mozilla.org/security/advisories/mfsa2015-21/
https://www.mozilla.org/security/advisories/mfsa2015-22/
https://www.mozilla.org/security/advisories/mfsa2015-23/
https://www.mozilla.org/security/advisories/mfsa2015-24/
https://www.mozilla.org/security/advisories/mfsa2015-25/
https://www.mozilla.org/security/advisories/mfsa2015-26/
https://www.mozilla.org/security/advisories/mfsa2015-27/
https://www.mozilla.org/security/advisories/
9c1495ac-8d8c-4789-a0f3-8ca6b476619cmozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API


Discovery 2014-10-14
Entry 2014-10-14
Modified 2015-08-12
firefox
lt 33.0,1

firefox-esr
lt 31.2.0,1

linux-firefox
lt 33.0,1

linux-seamonkey
lt 2.30

linux-thunderbird
lt 31.2.0

seamonkey
lt 2.30

thunderbird
lt 31.2.0

libxul
lt 31.2.0

CVE-2014-1575
CVE-2014-1574
CVE-2014-1576
CVE-2014-1577
CVE-2014-1580
CVE-2014-1581
CVE-2014-1582
CVE-2014-1583
CVE-2014-1584
CVE-2014-1585
CVE-2014-1586
https://www.mozilla.org/security/announce/2014/mfsa2014-74.html
https://www.mozilla.org/security/announce/2014/mfsa2014-75.html
https://www.mozilla.org/security/announce/2014/mfsa2014-76.html
https://www.mozilla.org/security/announce/2014/mfsa2014-78.html
https://www.mozilla.org/security/announce/2014/mfsa2014-79.html
https://www.mozilla.org/security/announce/2014/mfsa2014-80.html
https://www.mozilla.org/security/announce/2014/mfsa2014-81.html
https://www.mozilla.org/security/announce/2014/mfsa2014-82.html
https://www.mozilla.org/security/announce/
bd62c640-9bb9-11e4-a5ad-000c297fb80fmozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA-2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

MFSA-2015-02 Uninitialized memory use during bitmap rendering

MFSA-2015-03 sendBeacon requests lack an Origin header

MFSA-2015-04 Cookie injection through Proxy Authenticate responses

MFSA-2015-05 Read of uninitialized memory in Web Audio

MFSA-2015-06 Read-after-free in WebRTC

MFSA-2015-07 Gecko Media Plugin sandbox escape

MFSA-2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension

MFSA-2015-09 XrayWrapper bypass through DOM objects


Discovery 2015-01-13
Entry 2015-01-14
firefox
lt 35.0,1

firefox-esr
lt 31.4.0,1

linux-firefox
lt 35.0,1

linux-seamonkey
lt 2.32

linux-thunderbird
lt 31.4.0

seamonkey
lt 2.32

thunderbird
lt 31.4.0

libxul
lt 31.4.0

CVE-2014-8634
CVE-2014-8635
CVE-2014-8637
CVE-2014-8638
CVE-2014-8639
CVE-2014-8640
CVE-2014-8641
CVE-2014-8642
CVE-2014-8643
CVE-2014-8636
https://www.mozilla.org/en-US/security/advisories/mfsa2015-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-02/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-05/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-06/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-08/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-09/
https://www.mozilla.org/security/advisories/
7ae61870-9dd2-4884-a2f2-f19bb5784d09mozilla -- multiple vulnerabilities

The Mozilla Project reports:

ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data

MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory

MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer

MFSA-2014-88 Buffer overflow while parsing media content

MFSA-2014-87 Use-after-free during HTML5 parsing

MFSA-2014-86 CSP leaks redirect data via violation reports

MFSA-2014-85 XMLHttpRequest crashes with some input streams

MFSA-2014-84 XBL bindings accessible via improper CSS declarations

MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)


Discovery 2014-12-01
Entry 2014-12-02
firefox
lt 34.0,1

firefox-esr
lt 31.3.0,1

linux-firefox
lt 34.0,1

linux-seamonkey
lt 2.31

linux-thunderbird
lt 31.3.0

seamonkey
lt 2.31

thunderbird
lt 31.3.0

libxul
lt 31.3.0

nss
lt 3.17.3

CVE-2014-1587
CVE-2014-1588
CVE-2014-1589
CVE-2014-1590
CVE-2014-1591
CVE-2014-1592
CVE-2014-1593
CVE-2014-1594
CVE-2014-1595
CVE-2014-1569
https://www.mozilla.org/security/advisories/mfsa2014-83
https://www.mozilla.org/security/advisories/mfsa2014-84
https://www.mozilla.org/security/advisories/mfsa2014-85
https://www.mozilla.org/security/advisories/mfsa2014-86
https://www.mozilla.org/security/advisories/mfsa2014-87
https://www.mozilla.org/security/advisories/mfsa2014-88
https://www.mozilla.org/security/advisories/mfsa2014-89
https://www.mozilla.org/security/advisories/mfsa2014-90
https://www.mozilla.org/security/advisories/
05da6b56-3e66-4306-9ea3-89fafe939726mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-9790: Use-after-free when removing in-use DOM elements

CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled

CVE-2019-9794: Command line arguments not discarded during execution

CVE-2019-9795: Type-confusion in IonMonkey JIT compiler

CVE-2019-9796: Use-after-free with SMIL animation controller

CVE-2019-9797: Cross-origin theft of images with createImageBitmap

CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location

CVE-2019-9799: Information disclosure via IPC channel messages

CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to web content

CVE-2019-9802: Chrome process information leak

CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation

CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS

CVE-2019-9805: Potential use of uninitialized memory in Prio

CVE-2019-9806: Denial of service through successive FTP authorization prompts

CVE-2019-9807: Text sent through FTP connection can be incorporated into alert messages

CVE-2019-9809: Denial of service through FTP modal alert error messages

CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and blob: URLs

CVE-2019-9789: Memory safety bugs fixed in Firefox 66

CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6


Discovery 2019-03-19
Entry 2019-03-19
Modified 2019-07-23
firefox
lt 66.0_3,1

waterfox
lt 56.2.9

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.6.0,1

linux-firefox
lt 60.6.0,2

libxul
thunderbird
linux-thunderbird
lt 60.6.0

CVE-2019-9788
CVE-2019-9789
CVE-2019-9790
CVE-2019-9791
CVE-2019-9792
CVE-2019-9793
CVE-2019-9794
CVE-2019-9795
CVE-2019-9796
CVE-2019-9797
CVE-2019-9798
CVE-2019-9799
CVE-2019-9801
CVE-2019-9802
CVE-2019-9803
CVE-2019-9804
CVE-2019-9805
CVE-2019-9806
CVE-2019-9807
CVE-2019-9808
CVE-2019-9809
https://www.mozilla.org/security/advisories/mfsa2019-07/
https://www.mozilla.org/security/advisories/mfsa2019-08/
1098a15b-b0f6-42b7-b5c7-8a8646e8be07mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2017-7793: Use-after-free with Fetch API

CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode

CVE-2017-7818: Use-after-free during ARIA array manipulation

CVE-2017-7819: Use-after-free while resizing images in design mode

CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE

CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes

CVE-2017-7812: Drag and drop of malicious page content to the tab bar can open locally stored files

CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings

CVE-2017-7813: Integer truncation in the JavaScript parser

CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces

CVE-2017-7815: Spoofing attack with modal dialogs on non-e10s installations

CVE-2017-7816: WebExtensions can load about: URLs in extension UI

CVE-2017-7821: WebExtensions can download and open non-executable files without user interaction

CVE-2017-7823: CSP sandbox directive did not create a unique origin

CVE-2017-7822: WebCrypto allows AES-GCM with 0-length IV

CVE-2017-7820: Xray wrapper bypass with new tab and web console

CVE-2017-7811: Memory safety bugs fixed in Firefox 56

CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4


Discovery 2017-09-28
Entry 2017-09-29
Modified 2017-10-03
firefox
lt 56.0,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
lt 52.4.0,1

linux-firefox
lt 52.4.0,2

libxul
thunderbird
linux-thunderbird
lt 52.4.0

CVE-2017-7793
CVE-2017-7805
CVE-2017-7810
CVE-2017-7811
CVE-2017-7812
CVE-2017-7813
CVE-2017-7814
CVE-2017-7815
CVE-2017-7816
CVE-2017-7817
CVE-2017-7818
CVE-2017-7819
CVE-2017-7820
CVE-2017-7821
CVE-2017-7822
CVE-2017-7823
CVE-2017-7824
CVE-2017-7825
https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
7c3a02b9-3273-4426-a0ba-f90fad2ff72emozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

CVE-2018-12392: Crash with nested event loops

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts

CVE-2018-12397:

CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs

CVE-2018-12399: Spoofing of protocol registration notification bar

CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android

CVE-2018-12401: DOS attack through special resource URI parsing

CVE-2018-12402: SameSite cookies leak when pages are explicitly saved

CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP

CVE-2018-12388: Memory safety bugs fixed in Firefox 63

CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3


Discovery 2018-10-23
Entry 2018-10-23
Modified 2019-07-23
firefox
lt 63.0_1,1

waterfox
lt 56.2.5

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.3.0,1

linux-firefox
lt 60.3.0,2

libxul
thunderbird
linux-thunderbird
lt 60.3.0

CVE-2018-12388
CVE-2018-12390
CVE-2018-12391
CVE-2018-12392
CVE-2018-12393
CVE-2018-12395
CVE-2018-12396
CVE-2018-12397
CVE-2018-12398
CVE-2018-12399
CVE-2018-12400
CVE-2018-12401
CVE-2018-12402
CVE-2018-12403
https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/
c96d416a-eae7-4d5d-bc84-40deca9329fbmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2


Discovery 2018-09-05
Entry 2018-09-05
Modified 2018-09-15
firefox
lt 62.0_1,1

waterfox
lt 56.2.3

seamonkey
linux-seamonkey
lt 2.49.5

firefox-esr
lt 60.2.0_1,1

linux-firefox
lt 60.2.0,2

libxul
thunderbird
linux-thunderbird
lt 60.2

CVE-2017-16541
CVE-2018-12375
CVE-2018-12376
CVE-2018-12377
CVE-2018-12378
CVE-2018-12379
CVE-2018-12381
CVE-2018-12382
CVE-2018-12383
https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/
56cfe192-329f-11df-abb2-000f20797edemozilla -- multiple vulnerabilities

Mozilla Project reports:

MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch

MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail

MFSA 2009-68 NTLM reflection vulnerability

MFSA 2009-62 Download filename spoofing with RTL override

MFSA 2009-59 Heap buffer overflow in string to number conversion

MFSA 2009-49 TreeColumns dangling pointer vulnerability


Discovery 2010-03-16
Entry 2010-03-19
seamonkey
linux-seamonkey
lt 1.1.19

thunderbird
linux-thunderbird
lt 2.0.0.24

CVE-2010-0161
CVE-2010-0163
CVE-2009-3075
CVE-2009-3072
CVE-2009-2463
CVE-2009-3385
CVE-2009-3983
CVE-2009-3376
CVE-2009-0689
CVE-2009-3077
http://www.mozilla.org/security/announce/2010/mfsa2010-07.html
http://www.mozilla.org/security/announce/2010/mfsa2010-06.html
http://www.mozilla.org/security/announce/2009/mfsa2009-68.html
http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
http://www.mozilla.org/security/announce/2009/mfsa2009-49.html
45f102cd-4456-11e0-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true

MFSA 2011-03 Use-after-free error in JSON.stringify

MFSA 2011-04 Buffer overflow in JavaScript upvarMap

MFSA 2011-05 Buffer overflow in JavaScript atom map

MFSA 2011-06 Use-after-free error using Web Workers

MFSA 2011-07 Memory corruption during text run construction (Windows)

MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents

MFSA 2011-09 Crash caused by corrupted JPEG image

MFSA 2011-10 CSRF risk with plugins and 307 redirects


Discovery 2011-03-01
Entry 2011-03-01
firefox
gt 3.6.*,1 lt 3.6.14,1

gt 3.5.*,1 lt 3.5.17,1

libxul
gt 1.9.2.* lt 1.9.2.14

linux-firefox
lt 3.6.14,1

linux-firefox-devel
lt 3.5.17

linux-seamonkey
gt 2.0.* lt 2.0.12

linux-thunderbird
ge 3.1 lt 3.1.8

seamonkey
gt 2.0.* lt 2.0.12

thunderbird
lt 3.1.8

CVE-2010-1585
CVE-2011-0051
CVE-2011-0053
CVE-2011-0054
CVE-2011-0055
CVE-2011-0056
CVE-2011-0057
CVE-2011-0058
CVE-2011-0059
CVE-2011-0061
CVE-2011-0062
https://www.mozilla.org/security/announce/2011/mfsa2011-01.html
https://www.mozilla.org/security/announce/2011/mfsa2011-02.html
https://www.mozilla.org/security/announce/2011/mfsa2011-03.html
https://www.mozilla.org/security/announce/2011/mfsa2011-04.html
https://www.mozilla.org/security/announce/2011/mfsa2011-05.html
https://www.mozilla.org/security/announce/2011/mfsa2011-06.html
https://www.mozilla.org/security/announce/2011/mfsa2011-07.html
https://www.mozilla.org/security/announce/2011/mfsa2011-08.html
https://www.mozilla.org/security/announce/2011/mfsa2011-09.html
https://www.mozilla.org/security/announce/2011/mfsa2011-10.html
555b244e-6b20-4546-851f-d8eb7d6c1ffamozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-08-08
Entry 2017-08-08
firefox
lt 55.0,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
lt 52.3.0,1

linux-firefox
lt 52.3.0,2

libxul
thunderbird
linux-thunderbird
lt 52.3.0

CVE-2017-7753
CVE-2017-7779
CVE-2017-7780
CVE-2017-7781
CVE-2017-7782
CVE-2017-7783
CVE-2017-7784
CVE-2017-7785
CVE-2017-7786
CVE-2017-7787
CVE-2017-7788
CVE-2017-7789
CVE-2017-7790
CVE-2017-7791
CVE-2017-7792
CVE-2017-7794
CVE-2017-7796
CVE-2017-7797
CVE-2017-7798
CVE-2017-7799
CVE-2017-7800
CVE-2017-7801
CVE-2017-7802
CVE-2017-7803
CVE-2017-7804
CVE-2017-7806
CVE-2017-7807
CVE-2017-7808
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/
dfe40cff-9c3f-11e0-9bec-6c626dd55a41mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)

MFSA 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled

MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace images

MFSA 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()

MFSA 2011-23 Multiple dangling pointer vulnerabilities

MFSA 2011-24 Cookie isolation error

MFSA 2011-25 Stealing of cross-domain images using WebGL textures

MFSA 2011-26 Multiple WebGL crashes

MFSA 2011-27 XSS encoding hazard with inline SVG

MFSA 2011-28 Non-whitelisted site can trigger xpinstall


Discovery 2011-06-21
Entry 2011-06-21
Modified 2011-06-23
firefox
gt 3.5.*,1 lt 3.5.20,1

gt 3.6.*,1 lt 3.6.18,1

gt 4.0.*,1 lt 5.0,1

linux-firefox
lt 3.6.18,1

thunderbird
lt 3.1.11

linux-thunderbird
lt 3.1.11

http://www.mozilla.org/security/announce/2011/mfsa2011-19.html
http://www.mozilla.org/security/announce/2011/mfsa2011-20.html
http://www.mozilla.org/security/announce/2011/mfsa2011-21.html
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
http://www.mozilla.org/security/announce/2011/mfsa2011-23.html
http://www.mozilla.org/security/announce/2011/mfsa2011-24.html
http://www.mozilla.org/security/announce/2011/mfsa2011-25.html
http://www.mozilla.org/security/announce/2011/mfsa2011-26.html
http://www.mozilla.org/security/announce/2011/mfsa2011-27.html
http://www.mozilla.org/security/announce/2011/mfsa2011-28.html
6cec1b0a-da15-467d-8691-1dea392d4c8dmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-06-13
Entry 2017-06-13
Modified 2017-09-19
firefox
lt 54.0,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
lt 52.2.0,1

linux-firefox
lt 52.2.0,2

libxul
thunderbird
linux-thunderbird
lt 52.2.0

CVE-2017-5470
CVE-2017-5471
CVE-2017-5472
CVE-2017-7749
CVE-2017-7750
CVE-2017-7751
CVE-2017-7752
CVE-2017-7754
CVE-2017-7755
CVE-2017-7756
CVE-2017-7757
CVE-2017-7758
CVE-2017-7759
CVE-2017-7760
CVE-2017-7761
CVE-2017-7762
CVE-2017-7763
CVE-2017-7764
CVE-2017-7765
CVE-2017-7766
CVE-2017-7767
CVE-2017-7768
CVE-2017-7778
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
7943794f-707f-4e31-9fea-3bbf1ddcedc1mozilla -- multiple vulnerabilities

The Mozilla Foundation reports:

CVE-2018-5146: Out of bounds memory write in libvorbis

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.

CVE-2018-5147: Out of bounds memory write in libtremor

The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.


Discovery 2018-03-16
Entry 2018-03-16
Modified 2018-03-31
libvorbis
lt 1.3.6,3

libtremor
lt 1.2.1.s20180316

firefox
lt 59.0.1,1

waterfox
lt 56.0.4.36_3

seamonkey
linux-seamonkey
lt 2.49.3

firefox-esr
lt 52.7.2,1

linux-firefox
lt 52.7.2,2

libxul
lt 52.7.3

thunderbird
linux-thunderbird
lt 52.7.0

CVE-2018-5146
CVE-2018-5147
https://www.mozilla.org/security/advisories/mfsa2018-08/
https://www.mozilla.org/security/advisories/mfsa2018-09/
834591a9-c82f-11e0-897d-6c626dd55a41mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2011-29 Security issues addressed in Firefox 6

MFSA 2011-28 Security issues addressed in Firefox 3.6.20


Discovery 2011-08-16
Entry 2011-08-16
firefox
gt 3.6.*,1 lt 3.6.20,1

gt 5.0.*,1 lt 6.0,1

seamonkey
lt 2.3

linux-firefox
lt 3.6.20,1

thunderbird
lt 3.1.12

linux-thunderbird
lt 3.1.12

CVE-2011-2992
http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
http://www.mozilla.org/security/announce/2011/mfsa2011-30.html
CVE-2011-2982
CVE-2011-0084
CVE-2011-2981
CVE-2011-2378
CVE-2011-2984
CVE-2011-2980
CVE-2011-2983
CVE-2011-2989
CVE-2011-2991
CVE-2011-2985
CVE-2011-2993
CVE-2011-2988
CVE-2011-2987
CVE-2011-0084
CVE-2011-2990
CVE-2011-2986
5e0a038a-ca30-416d-a2f5-38cbf5e7df33mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-04-19
Entry 2017-04-19
Modified 2017-09-19
firefox
lt 53.0_2,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
ge 46.0,1 lt 52.1.0_2,1

lt 45.9.0,1

linux-firefox
ge 46.0,2 lt 52.1.0,2

lt 45.9.0,2

libxul
ge 46.0 lt 52.1.0

lt 45.9.0

thunderbird
linux-thunderbird
ge 46.0 lt 52.1.0

lt 45.9.0

CVE-2017-5433
CVE-2017-5435
CVE-2017-5436
CVE-2017-5461
CVE-2017-5459
CVE-2017-5466
CVE-2017-5434
CVE-2017-5432
CVE-2017-5460
CVE-2017-5438
CVE-2017-5439
CVE-2017-5440
CVE-2017-5441
CVE-2017-5442
CVE-2017-5464
CVE-2017-5443
CVE-2017-5444
CVE-2017-5446
CVE-2017-5447
CVE-2017-5465
CVE-2017-5448
CVE-2017-5437
CVE-2017-5454
CVE-2017-5455
CVE-2017-5456
CVE-2017-5469
CVE-2017-5445
CVE-2017-5449
CVE-2017-5450
CVE-2017-5451
CVE-2017-5462
CVE-2017-5463
CVE-2017-5467
CVE-2017-5452
CVE-2017-5453
CVE-2017-5458
CVE-2017-5468
CVE-2017-5430
CVE-2017-5429
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
23f59689-0152-42d3-9ade-1658d6380567mozilla -- use-after-free in compositor

The Mozilla Foundation reports:

CVE-2018-5148: Use-after-free in compositor

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash.


Discovery 2018-03-26
Entry 2018-03-27
Modified 2018-03-31
firefox
lt 59.0.2,1

waterfox
lt 56.0.4.36_3

seamonkey
linux-seamonkey
lt 2.49.3

firefox-esr
lt 52.7.3,1

linux-firefox
lt 52.7.3,2

libxul
lt 52.7.3

linux-thunderbird
lt 52.7.1

thunderbird
lt 52.7.0_1

CVE-2018-5148
https://www.mozilla.org/security/advisories/mfsa2018-10/
1fade8a3-e9e8-11e0-9580-4061862b8c22Mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

MFSA 2011-37 Integer underflow when using JavaScript RegExp

MFSA 2011-38 XSS via plugins and shadowed window.location object

MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection

MFSA 2011-40 Code installation through holding down Enter

MFSA 2011-41 Potentially exploitable WebGL crashes

MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library

MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter

MFSA 2011-44 Use after free reading OGG headers

MFSA 2011-45 Inferring Keystrokes from motion data


Discovery 2011-09-27
Entry 2011-09-28
firefox
gt 4.0,1 lt 7.0,1

gt 3.6.*,1 lt 3.6.23,1

libxul
gt 1.9.2.* lt 1.9.2.23

linux-firefox
lt 7.0,1

linux-seamonkey
lt 2.4

linux-thunderbird
lt 7.0

seamonkey
lt 2.4

thunderbird
gt 4.0 lt 7.0

lt 3.1.15

CVE-2011-2372
CVE-2011-2995
CVE-2011-2996
CVE-2011-2997
CVE-2011-2999
CVE-2011-3000
CVE-2011-3001
CVE-2011-3002
CVE-2011-3003
CVE-2011-3004
CVE-2011-3005
CVE-2011-3232
http://www.mozilla.org/security/announce/2011/mfsa2011-36.html
http://www.mozilla.org/security/announce/2011/mfsa2011-37.html
http://www.mozilla.org/security/announce/2011/mfsa2011-38.html
http://www.mozilla.org/security/announce/2011/mfsa2011-39.html
http://www.mozilla.org/security/announce/2011/mfsa2011-40.html
http://www.mozilla.org/security/announce/2011/mfsa2011-41.html
http://www.mozilla.org/security/announce/2011/mfsa2011-42.html
http://www.mozilla.org/security/announce/2011/mfsa2011-43.html
http://www.mozilla.org/security/announce/2011/mfsa2011-44.html
http://www.mozilla.org/security/announce/2011/mfsa2011-45.html
96eca031-1313-4daf-9be2-9d6e1c4f1eb5mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-03-07
Entry 2017-03-07
firefox
lt 52.0_1,1

seamonkey
linux-seamonkey
lt 2.49

firefox-esr
ge 46.0,1 lt 52.0,1

lt 45.8.0_1,1

linux-firefox
ge 46.0,2 lt 52.0,2

lt 45.8.0_1,2

libxul
ge 46.0 lt 52.0

lt 45.8.0_1

thunderbird
linux-thunderbird
ge 46.0 lt 52.0

lt 45.8.0

CVE-2017-5400
CVE-2017-5401
CVE-2017-5402
CVE-2017-5403
CVE-2017-5404
CVE-2017-5406
CVE-2017-5407
CVE-2017-5410
CVE-2017-5411
CVE-2017-5409
CVE-2017-5408
CVE-2017-5412
CVE-2017-5413
CVE-2017-5414
CVE-2017-5415
CVE-2017-5416
CVE-2017-5417
CVE-2017-5425
CVE-2017-5426
CVE-2017-5427
CVE-2017-5418
CVE-2017-5419
CVE-2017-5420
CVE-2017-5405
CVE-2017-5421
CVE-2017-5422
CVE-2017-5399
CVE-2017-5398
https://www.mozilla.org/security/advisories/mfsa2017-05/
https://www.mozilla.org/security/advisories/mfsa2017-06/
6c8ad3e8-0a30-11e1-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

MFSA 2011-47 Potential XSS against sites using Shift-JIS

MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)

MFSA 2011-49 Memory corruption while profiling using Firebug

MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D

MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU

MFSA 2011-52 Code execution via NoWaiverWrapper


Discovery 2011-11-08
Entry 2011-11-08
firefox
gt 4.0,1 lt 8.0,1

gt 3.6.*,1 lt 3.6.24,1

libxul
gt 1.9.2.* lt 1.9.2.24

linux-firefox
lt 8.0,1

linux-thunderbird
lt 8.0

thunderbird
gt 4.0 lt 8.0

lt 3.1.16

CVE-2011-3647
CVE-2011-3648
CVE-2011-3649
CVE-2011-3650
CVE-2011-3651
CVE-2011-3652
CVE-2011-3653
CVE-2011-3654
CVE-2011-3655
http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
http://www.mozilla.org/security/announce/2011/mfsa2011-50.html
http://www.mozilla.org/security/announce/2011/mfsa2011-51.html
http://www.mozilla.org/security/announce/2011/mfsa2011-52.html
e60169c4-aa86-46b0-8ae2-0d81f683df09mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-01-24
Entry 2017-01-24
firefox
lt 51.0_1,1

seamonkey
linux-seamonkey
lt 2.48

firefox-esr
lt 45.7.0,1

linux-firefox
lt 45.7.0,2

libxul
thunderbird
linux-thunderbird
lt 45.7.0

CVE-2017-5373
CVE-2017-5374
CVE-2017-5375
CVE-2017-5376
CVE-2017-5377
CVE-2017-5378
CVE-2017-5379
CVE-2017-5380
CVE-2017-5381
CVE-2017-5382
CVE-2017-5383
CVE-2017-5384
CVE-2017-5385
CVE-2017-5386
CVE-2017-5387
CVE-2017-5388
CVE-2017-5389
CVE-2017-5390
CVE-2017-5391
CVE-2017-5392
CVE-2017-5393
CVE-2017-5394
CVE-2017-5395
CVE-2017-5396
https://www.mozilla.org/security/advisories/mfsa2017-01/
https://www.mozilla.org/security/advisories/mfsa2017-02/
49beb00f-a6e1-4a42-93df-9cb14b4c2beeMozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-11707: Type confusion in Array.pop

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

CVE-2019-11708: sandbox escape using Prompt:Open

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.


Discovery 2019-06-20
Entry 2019-06-21
thunderbird
lt thunderbird-60.7.2

https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/
CVE-2019-11707
CVE-2019-11708
c71cdc95-3c18-45b7-866a-af28b59aabb5mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7


Discovery 2018-03-13
Entry 2018-03-13
Modified 2018-03-16
firefox
lt 59.0_1,1

waterfox
lt 56.0.4.36_3

seamonkey
linux-seamonkey
lt 2.49.3

firefox-esr
lt 52.7.0,1

linux-firefox
lt 52.7.0,2

libxul
thunderbird
linux-thunderbird
lt 52.7.0

CVE-2018-5125
CVE-2018-5126
CVE-2018-5127
CVE-2018-5128
CVE-2018-5129
CVE-2018-5130
CVE-2018-5131
CVE-2018-5132
CVE-2018-5133
CVE-2018-5134
CVE-2018-5135
CVE-2018-5136
CVE-2018-5137
CVE-2018-5138
CVE-2018-5140
CVE-2018-5141
CVE-2018-5142
CVE-2018-5143
https://www.mozilla.org/security/advisories/mfsa2018-06/
https://www.mozilla.org/security/advisories/mfsa2018-07/
512c0ffd-cd39-4da4-b2dc-81ff4ba8e238mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2016-9894: Buffer overflow in SkiaGL

CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements

CVE-2016-9895: CSP bypass using marquee tag

CVE-2016-9896: Use-after-free with WebVR

CVE-2016-9897: Memory corruption in libGLES

CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees

CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs

CVE-2016-9904: Cross-origin information leak in shared atoms

CVE-2016-9901: Data from Pocket server improperly sanitized before execution

CVE-2016-9902: Pocket extension does not validate the origin of events

CVE-2016-9903: XSS injection vulnerability in add-ons SDK

CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6


Discovery 2016-12-13
Entry 2016-12-14
firefox
lt 50.1.0_1,1

seamonkey
linux-seamonkey
lt 2.47

firefox-esr
lt 45.6.0,1

linux-firefox
lt 45.6.0,2

libxul
thunderbird
linux-thunderbird
lt 45.6.0

CVE-2016-9894
CVE-2016-9899
CVE-2016-9895
CVE-2016-9896
CVE-2016-9897
CVE-2016-9898
CVE-2016-9900
CVE-2016-9904
CVE-2016-9901
CVE-2016-9902
CVE-2016-9903
CVE-2016-9080
CVE-2016-9893
https://www.mozilla.org/security/advisories/mfsa2016-94/
https://www.mozilla.org/security/advisories/mfsa2016-95/
380e8c56-8e32-11e1-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9

MFSA 2012-22 use-after-free in IDBKeyRange

MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface

MFSA 2012-24 Potential XSS via multibyte content processing errors

MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite

MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error

MFSA 2012-27 Page load short-circuit can lead to XSS

MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions

MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues

MFSA 2012-30 Crash with WebGL content using textImage2D

MFSA 2012-31 Off-by-one error in OpenType Sanitizer

MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors

MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds


Discovery 2012-04-24
Entry 2012-04-24
firefox
gt 11.0,1 lt 12.0,1

lt 10.0.4,1

linux-firefox
lt 10.0.4,1

linux-seamonkey
lt 2.9

linux-thunderbird
lt 10.0.4

seamonkey
lt 2.9

thunderbird
gt 11.0 lt 12.0

lt 10.0.4

libxul
gt 1.9.2.* lt 10.0.4

CVE-2011-1187
CVE-2011-3062
CVE-2012-0467
CVE-2012-0468
CVE-2012-0469
CVE-2012-0470
CVE-2012-0471
CVE-2012-0472
CVE-2012-0473
CVE-2012-0474
CVE-2012-0475
CVE-2012-0477
CVE-2012-0478
CVE-2012-0479
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
http://www.mozilla.org/security/announce/2012/mfsa2012-20.html
http://www.mozilla.org/security/announce/2012/mfsa2012-21.html
http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
http://www.mozilla.org/security/announce/2012/mfsa2012-23.html
http://www.mozilla.org/security/announce/2012/mfsa2012-24.html
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html
http://www.mozilla.org/security/announce/2012/mfsa2012-26.html
http://www.mozilla.org/security/announce/2012/mfsa2012-27.html
http://www.mozilla.org/security/announce/2012/mfsa2012-28.html
http://www.mozilla.org/security/announce/2012/mfsa2012-29.html
http://www.mozilla.org/security/announce/2012/mfsa2012-30.html
http://www.mozilla.org/security/announce/2012/mfsa2012-31.html
http://www.mozilla.org/security/announce/2012/mfsa2012-32.html
http://www.mozilla.org/security/announce/2012/mfsa2012-33.html
d10b49b2-8d02-49e8-afde-0844626317afmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-12407: Buffer overflow with ANGLE library when using VertexBuffer11 module

CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11

CVE-2018-18492: Use-after-free with select element

CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia

CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs

CVE-2018-18495: WebExtension content scripts can be loaded in about: pages

CVE-2018-18496: Embedded feed preview page can be abused for clickjacking

CVE-2018-18497: WebExtensions can load arbitrary URLs through pipe separators

CVE-2018-18498: Integer overflow when calculating buffer sizes for images

CVE-2018-12406: Memory safety bugs fixed in Firefox 64

CVE-2018-12405: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4


Discovery 2018-12-11
Entry 2018-12-11
Modified 2019-07-23
firefox
lt 64.0_3,1

waterfox
lt 56.2.6

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.4.0,1

linux-firefox
lt 60.4.0,2

libxul
thunderbird
linux-thunderbird
lt 60.4.0

CVE-2018-12405
CVE-2018-12406
CVE-2018-12407
CVE-2018-17466
CVE-2018-18492
CVE-2018-18493
CVE-2018-18494
CVE-2018-18495
CVE-2018-18496
CVE-2018-18497
CVE-2018-18498
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/
5aefc41e-d304-4ec8-8c82-824f84f08244mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-5183: Backport critical security fixes in Skia

CVE-2018-5154: Use-after-free with SVG animations and clip paths

CVE-2018-5155: Use-after-free with SVG animations and text paths

CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files

CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer

CVE-2018-5159: Integer overflow and out-of-bounds write in Skia

CVE-2018-5160: Uninitialized memory use by WebRTC encoder

CVE-2018-5152: WebExtensions information leak through webRequest API

CVE-2018-5153: Out-of-bounds read in mixed content websocket messages

CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache

CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace

CVE-2018-5166: WebExtension host permission bypass through filterReponseData

CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger

CVE-2018-5168: Lightweight themes can be installed without user interaction

CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages

CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer

CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters

CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update

CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies

CVE-2018-5176: JSON Viewer script injection

CVE-2018-5177: Buffer overflow in XSLT during number formatting

CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox

CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension

CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced

CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink

CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar

CVE-2018-5151: Memory safety bugs fixed in Firefox 60

CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8


Discovery 2018-05-09
Entry 2018-05-09
firefox
lt 60.0,1

waterfox
lt 56.1.0_18

seamonkey
linux-seamonkey
lt 2.49.4

firefox-esr
lt 52.8.0,1

linux-firefox
lt 52.8.0,2

libxul
thunderbird
linux-thunderbird
lt 52.8.0

CVE-2018-5150
CVE-2018-5151
CVE-2018-5152
CVE-2018-5153
CVE-2018-5154
CVE-2018-5155
CVE-2018-5157
CVE-2018-5158
CVE-2018-5159
CVE-2018-5160
CVE-2018-5163
CVE-2018-5164
CVE-2018-5165
CVE-2018-5166
CVE-2018-5167
CVE-2018-5168
CVE-2018-5169
CVE-2018-5172
CVE-2018-5173
CVE-2018-5174
CVE-2018-5175
CVE-2018-5176
CVE-2018-5177
CVE-2018-5178
CVE-2018-5180
CVE-2018-5181
CVE-2018-5182
CVE-2018-5183
https://www.mozilla.org/security/advisories/mfsa2018-11/
https://www.mozilla.org/security/advisories/mfsa2018-12/
18f39fb6-7400-4063-acaf-0806e92c094fMozilla -- SVG Animation Remote Code Execution

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.


Discovery 2016-11-30
Entry 2016-12-01
Modified 2016-12-16
firefox
lt 50.0.2,1

firefox-esr
lt 45.5.1,1

linux-firefox
lt 45.5.1,2

seamonkey
lt 2.46

linux-seamonkey
lt 2.46

libxul
lt 45.5.1

thunderbird
lt 45.5.1

linux-thunderbird
lt 45.5.1

CVE-2016-9079
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
bfecf7c1-af47-11e1-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

MFSA 2012-36 Content Security Policy inline-script bypass

MFSA 2012-37 Information disclosure though Windows file shares and shortcut files

MFSA 2012-38 Use-after-free while replacing/inserting a node in a document

MFSA 2012-39 NSS parsing errors with zero length items

MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer


Discovery 2012-06-05
Entry 2012-06-05
firefox
gt 11.0,1 lt 13.0,1

lt 10.0.5,1

linux-firefox
lt 10.0.5,1

linux-seamonkey
lt 2.10

linux-thunderbird
lt 10.0.5

seamonkey
lt 2.10

thunderbird
gt 11.0 lt 13.0

lt 10.0.5

libxul
gt 1.9.2.* lt 10.0.5

CVE-2011-3101
CVE-2012-0441
CVE-2012-1938
CVE-2012-1939
CVE-2012-1937
CVE-2012-1940
CVE-2012-1941
CVE-2012-1944
CVE-2012-1945
CVE-2012-1946
CVE-2012-1947
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-39.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
d1853110-07f4-4645-895b-6fd462ad0589mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2016-11-15
Entry 2016-11-16
firefox
lt 50.0_1,1

seamonkey
linux-seamonkey
lt 2.47

firefox-esr
lt 45.5.0,1

linux-firefox
lt 45.5.0,2

libxul
thunderbird
linux-thunderbird
lt 45.5.0

CVE-2016-5289
CVE-2016-5290
CVE-2016-5291
CVE-2016-5292
CVE-2016-5293
CVE-2016-5294
CVE-2016-5295
CVE-2016-5296
CVE-2016-5297
CVE-2016-5298
CVE-2016-5299
CVE-2016-9061
CVE-2016-9062
CVE-2016-9063
CVE-2016-9064
CVE-2016-9065
CVE-2016-9066
CVE-2016-9067
CVE-2016-9068
CVE-2016-9070
CVE-2016-9071
CVE-2016-9072
CVE-2016-9073
CVE-2016-9074
CVE-2016-9075
CVE-2016-9076
CVE-2016-9077
https://www.mozilla.org/security/advisories/mfsa2016-89/
https://www.mozilla.org/security/advisories/mfsa2016-90/
dbf338d0-dce5-11e1-b655-14dae9ebcf89mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop

MFSA 2012-44 Gecko memory corruption

MFSA 2012-45 Spoofing issue with location

MFSA 2012-46 XSS through data: URLs

MFSA 2012-47 Improper filtering of javascript in HTML feed-view

MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden

MFSA 2012-49 Same-compartment Security Wrappers can be bypassed

MFSA 2012-50 Out of bounds read in QCMS

MFSA 2012-51 X-Frame-Options header ignored when duplicated

MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption

MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage

MFSA 2012-54 Clickjacking of certificate warning page

MFSA 2012-55 feed: URLs with an innerURI inherit security context of page

MFSA 2012-56 Code execution through javascript: URLs


Discovery 2012-07-17
Entry 2012-08-02
firefox
gt 11.0,1 lt 14.0.1,1

lt 10.0.6,1

linux-firefox
lt 10.0.6,1

linux-seamonkey
lt 2.11

linux-thunderbird
lt 10.0.6

seamonkey
lt 2.11

thunderbird
gt 11.0 lt 14.0

lt 10.0.6

libxul
gt 1.9.2.* lt 10.0.6

CVE-2012-1949
CVE-2012-1950
CVE-2012-1951
CVE-2012-1952
CVE-2012-1953
CVE-2012-1954
CVE-2012-1955
CVE-2012-1957
CVE-2012-1958
CVE-2012-1959
CVE-2012-1960
CVE-2012-1961
CVE-2012-1962
CVE-2012-1963
CVE-2012-1964
CVE-2012-1965
CVE-2012-1966
CVE-2012-1967
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-43.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-46.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-50.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
http://www.mozilla.org/security/announce/2012/mfsa2012-55.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
2c57c47e-8bb3-4694-83c8-9fc3abad3964mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -