FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
bd62c640-9bb9-11e4-a5ad-000c297fb80fmozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA-2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

MFSA-2015-02 Uninitialized memory use during bitmap rendering

MFSA-2015-03 sendBeacon requests lack an Origin header

MFSA-2015-04 Cookie injection through Proxy Authenticate responses

MFSA-2015-05 Read of uninitialized memory in Web Audio

MFSA-2015-06 Read-after-free in WebRTC

MFSA-2015-07 Gecko Media Plugin sandbox escape

MFSA-2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension

MFSA-2015-09 XrayWrapper bypass through DOM objects


Discovery 2015-01-13
Entry 2015-01-14
firefox
lt 35.0,1

firefox-esr
lt 31.4.0,1

linux-firefox
lt 35.0,1

linux-seamonkey
lt 2.32

linux-thunderbird
lt 31.4.0

seamonkey
lt 2.32

thunderbird
lt 31.4.0

libxul
lt 31.4.0

CVE-2014-8634
CVE-2014-8635
CVE-2014-8637
CVE-2014-8638
CVE-2014-8639
CVE-2014-8640
CVE-2014-8641
CVE-2014-8642
CVE-2014-8643
CVE-2014-8636
https://www.mozilla.org/en-US/security/advisories/mfsa2015-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-02/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-05/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-06/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-08/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-09/
https://www.mozilla.org/security/advisories/
c71cdc95-3c18-45b7-866a-af28b59aabb5mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7


Discovery 2018-03-13
Entry 2018-03-13
Modified 2018-03-16
firefox
lt 59.0_1,1

waterfox
lt 56.0.4.36_3

seamonkey
linux-seamonkey
lt 2.49.3

firefox-esr
lt 52.7.0,1

linux-firefox
lt 52.7.0,2

libxul
thunderbird
linux-thunderbird
lt 52.7.0

CVE-2018-5125
CVE-2018-5126
CVE-2018-5127
CVE-2018-5128
CVE-2018-5129
CVE-2018-5130
CVE-2018-5131
CVE-2018-5132
CVE-2018-5133
CVE-2018-5134
CVE-2018-5135
CVE-2018-5136
CVE-2018-5137
CVE-2018-5138
CVE-2018-5140
CVE-2018-5141
CVE-2018-5142
CVE-2018-5143
https://www.mozilla.org/security/advisories/mfsa2018-06/
https://www.mozilla.org/security/advisories/mfsa2018-07/
a891c5b4-3d7a-4de9-9c71-eef3fd698c77mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-5091: Use-after-free with DTMF timers

CVE-2018-5092: Use-after-free in Web Workers

CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing

CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory

CVE-2018-5095: Integer overflow in Skia library during edge builder allocation

CVE-2018-5097: Use-after-free when source document is manipulated during XSLT

CVE-2018-5098: Use-after-free while manipulating form input elements

CVE-2018-5099: Use-after-free with widget listener

CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory

CVE-2018-5101: Use-after-free with floating first-letter style elements

CVE-2018-5102: Use-after-free in HTML media elements

CVE-2018-5103: Use-after-free during mouse event handling

CVE-2018-5104: Use-after-free during font face manipulation

CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts

CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker

CVE-2018-5107: Printing process will follow symlinks for local file access

CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs

CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution

CVE-2018-5110: Cursor can be made invisible on OS X

CVE-2018-5111: URL spoofing in addressbar through drag and drop

CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel

CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow

CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts

CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs

CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access

CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right

CVE-2018-5118: Activity Stream images can attempt to load local content through file:

CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers

CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar

CVE-2018-5122: Potential integer overflow in DoCrypt

CVE-2018-5090: Memory safety bugs fixed in Firefox 58

CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6


Discovery 2018-01-23
Entry 2018-01-23
Modified 2018-01-29
firefox
lt 58.0_1,1

waterfox
lt 56.0.3.63

seamonkey
linux-seamonkey
lt 2.49.2

firefox-esr
lt 52.6.0_1,1

linux-firefox
lt 52.6.0,2

libxul
thunderbird
linux-thunderbird
lt 52.6.0

CVE-2018-5089
CVE-2018-5090
CVE-2018-5091
CVE-2018-5092
CVE-2018-5093
CVE-2018-5094
CVE-2018-5095
CVE-2018-5097
CVE-2018-5098
CVE-2018-5099
CVE-2018-5100
CVE-2018-5101
CVE-2018-5102
CVE-2018-5103
CVE-2018-5104
CVE-2018-5105
CVE-2018-5106
CVE-2018-5107
CVE-2018-5108
CVE-2018-5109
CVE-2018-5110
CVE-2018-5111
CVE-2018-5112
CVE-2018-5113
CVE-2018-5114
CVE-2018-5115
CVE-2018-5116
CVE-2018-5117
CVE-2018-5118
CVE-2018-5119
CVE-2018-5121
CVE-2018-5122
https://www.mozilla.org/security/advisories/mfsa2018-02/
https://www.mozilla.org/security/advisories/mfsa2018-03/
44d9daee-940c-4179-86bb-6e3ffd617869mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

MFSA 2015-60 Local files or privileged URLs in pages can be opened into new tabs

MFSA 2015-61 Type confusion in Indexed Database Manager

MFSA 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio

MFSA 2015-63 Use-after-free in Content Policy due to microtask execution error

MFSA 2015-64 ECDSA signature validation fails to handle some signatures correctly

MFSA 2015-65 Use-after-free in workers while using XMLHttpRequest

MFSA 2015-66 Vulnerabilities found through code inspection

MFSA 2015-67 Key pinning is ignored when overridable errors are encountered

MFSA 2015-68 OS X crash reports may contain entered key press information

MFSA 2015-69 Privilege escalation through internal workers

MFSA 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites

MFSA 2015-71 NSS incorrectly permits skipping of ServerKeyExchange


Discovery 2015-07-02
Entry 2015-07-16
Modified 2015-09-22
firefox
lt 39.0,1

linux-firefox
lt 39.0,1

seamonkey
lt 2.35

linux-seamonkey
lt 2.35

firefox-esr
lt 31.8.0,1

ge 38.0,1 lt 38.1.0,1

libxul
lt 31.8.0

ge 38.0 lt 38.1.0

thunderbird
lt 31.8.0

ge 38.0 lt 38.1.0

linux-thunderbird
lt 31.8.0

ge 38.0 lt 38.1.0

CVE-2015-2721
CVE-2015-2722
CVE-2015-2724
CVE-2015-2725
CVE-2015-2726
CVE-2015-2727
CVE-2015-2728
CVE-2015-2729
CVE-2015-2730
CVE-2015-2731
CVE-2015-2733
CVE-2015-2734
CVE-2015-2735
CVE-2015-2736
CVE-2015-2737
CVE-2015-2738
CVE-2015-2739
CVE-2015-2740
CVE-2015-2741
CVE-2015-2742
CVE-2015-2743
CVE-2015-4000
https://www.mozilla.org/security/advisories/mfsa2015-59/
https://www.mozilla.org/security/advisories/mfsa2015-60/
https://www.mozilla.org/security/advisories/mfsa2015-61/
https://www.mozilla.org/security/advisories/mfsa2015-62/
https://www.mozilla.org/security/advisories/mfsa2015-63/
https://www.mozilla.org/security/advisories/mfsa2015-64/
https://www.mozilla.org/security/advisories/mfsa2015-65/
https://www.mozilla.org/security/advisories/mfsa2015-66/
https://www.mozilla.org/security/advisories/mfsa2015-67/
https://www.mozilla.org/security/advisories/mfsa2015-68/
https://www.mozilla.org/security/advisories/mfsa2015-69/
https://www.mozilla.org/security/advisories/mfsa2015-70/
https://www.mozilla.org/security/advisories/mfsa2015-71/
380e8c56-8e32-11e1-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9

MFSA 2012-22 use-after-free in IDBKeyRange

MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface

MFSA 2012-24 Potential XSS via multibyte content processing errors

MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite

MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error

MFSA 2012-27 Page load short-circuit can lead to XSS

MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions

MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues

MFSA 2012-30 Crash with WebGL content using textImage2D

MFSA 2012-31 Off-by-one error in OpenType Sanitizer

MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors

MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds


Discovery 2012-04-24
Entry 2012-04-24
firefox
gt 11.0,1 lt 12.0,1

lt 10.0.4,1

linux-firefox
lt 10.0.4,1

linux-seamonkey
lt 2.9

linux-thunderbird
lt 10.0.4

seamonkey
lt 2.9

thunderbird
gt 11.0 lt 12.0

lt 10.0.4

libxul
gt 1.9.2.* lt 10.0.4

CVE-2011-1187
CVE-2011-3062
CVE-2012-0467
CVE-2012-0468
CVE-2012-0469
CVE-2012-0470
CVE-2012-0471
CVE-2012-0472
CVE-2012-0473
CVE-2012-0474
CVE-2012-0475
CVE-2012-0477
CVE-2012-0478
CVE-2012-0479
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
http://www.mozilla.org/security/announce/2012/mfsa2012-20.html
http://www.mozilla.org/security/announce/2012/mfsa2012-21.html
http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
http://www.mozilla.org/security/announce/2012/mfsa2012-23.html
http://www.mozilla.org/security/announce/2012/mfsa2012-24.html
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html
http://www.mozilla.org/security/announce/2012/mfsa2012-26.html
http://www.mozilla.org/security/announce/2012/mfsa2012-27.html
http://www.mozilla.org/security/announce/2012/mfsa2012-28.html
http://www.mozilla.org/security/announce/2012/mfsa2012-29.html
http://www.mozilla.org/security/announce/2012/mfsa2012-30.html
http://www.mozilla.org/security/announce/2012/mfsa2012-31.html
http://www.mozilla.org/security/announce/2012/mfsa2012-32.html
http://www.mozilla.org/security/announce/2012/mfsa2012-33.html
d0c97697-df2c-4b8b-bff2-cec24dc35af8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA-2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

MFSA-2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin

MFSA-2015-32 Add-on lightweight theme installation approval bypassed through MITM attack

MFSA-2015-33 resource:// documents can load privileged pages

MFSA-2015-34 Out of bounds read in QCMS library

MFSA-2015-35 Cursor clickjacking with flash and images

MFSA-2015-36 Incorrect memory management for simple-type arrays in WebRTC

MFSA-2015-37 CORS requests should not follow 30x redirections after preflight

MFSA-2015-38 Memory corruption crashes in Off Main Thread Compositing

MFSA-2015-39 Use-after-free due to type confusion flaws

MFSA-2015-40 Same-origin bypass through anchor navigation

MFSA-2015-41 PRNG weakness allows for DNS poisoning on Android

MFSA-2015-42 Windows can retain access to privileged content on navigation to unprivileged pages


Discovery 2015-03-31
Entry 2015-03-31
firefox
lt 37.0,1

firefox-esr
lt 31.6.0,1

linux-firefox
lt 37.0,1

linux-seamonkey
lt 2.34

linux-thunderbird
lt 31.6.0

seamonkey
lt 2.34

thunderbird
lt 31.6.0

libxul
lt 31.6.0

CVE-2012-2808
CVE-2015-0800
CVE-2015-0801
CVE-2015-0802
CVE-2015-0803
CVE-2015-0804
CVE-2015-0805
CVE-2015-0806
CVE-2015-0807
CVE-2015-0808
CVE-2015-0810
CVE-2015-0811
CVE-2015-0812
CVE-2015-0813
CVE-2015-0814
CVE-2015-0815
CVE-2015-0816
https://www.mozilla.org/security/advisories/mfsa2015-30/
https://www.mozilla.org/security/advisories/mfsa2015-31/
https://www.mozilla.org/security/advisories/mfsa2015-32/
https://www.mozilla.org/security/advisories/mfsa2015-33/
https://www.mozilla.org/security/advisories/mfsa2015-34/
https://www.mozilla.org/security/advisories/mfsa2015-35/
https://www.mozilla.org/security/advisories/mfsa2015-36/
https://www.mozilla.org/security/advisories/mfsa2015-37/
https://www.mozilla.org/security/advisories/mfsa2015-38/
https://www.mozilla.org/security/advisories/mfsa2015-39/
https://www.mozilla.org/security/advisories/mfsa2015-40/
https://www.mozilla.org/security/advisories/mfsa2015-41/
https://www.mozilla.org/security/advisories/mfsa2015-42/
https://www.mozilla.org/security/advisories/
23f59689-0152-42d3-9ade-1658d6380567mozilla -- use-after-free in compositor

The Mozilla Foundation reports:

CVE-2018-5148: Use-after-free in compositor

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash.


Discovery 2018-03-26
Entry 2018-03-27
Modified 2018-03-31
firefox
lt 59.0.2,1

waterfox
lt 56.0.4.36_3

seamonkey
linux-seamonkey
lt 2.49.3

firefox-esr
lt 52.7.3,1

linux-firefox
lt 52.7.3,2

libxul
lt 52.7.3

linux-thunderbird
lt 52.7.1

thunderbird
lt 52.7.0_1

CVE-2018-5148
https://www.mozilla.org/security/advisories/mfsa2018-10/
bfecf7c1-af47-11e1-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

MFSA 2012-36 Content Security Policy inline-script bypass

MFSA 2012-37 Information disclosure though Windows file shares and shortcut files

MFSA 2012-38 Use-after-free while replacing/inserting a node in a document

MFSA 2012-39 NSS parsing errors with zero length items

MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer


Discovery 2012-06-05
Entry 2012-06-05
firefox
gt 11.0,1 lt 13.0,1

lt 10.0.5,1

linux-firefox
lt 10.0.5,1

linux-seamonkey
lt 2.10

linux-thunderbird
lt 10.0.5

seamonkey
lt 2.10

thunderbird
gt 11.0 lt 13.0

lt 10.0.5

libxul
gt 1.9.2.* lt 10.0.5

CVE-2011-3101
CVE-2012-0441
CVE-2012-1938
CVE-2012-1939
CVE-2012-1937
CVE-2012-1940
CVE-2012-1941
CVE-2012-1944
CVE-2012-1945
CVE-2012-1946
CVE-2012-1947
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-39.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
dbf338d0-dce5-11e1-b655-14dae9ebcf89mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop

MFSA 2012-44 Gecko memory corruption

MFSA 2012-45 Spoofing issue with location

MFSA 2012-46 XSS through data: URLs

MFSA 2012-47 Improper filtering of javascript in HTML feed-view

MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden

MFSA 2012-49 Same-compartment Security Wrappers can be bypassed

MFSA 2012-50 Out of bounds read in QCMS

MFSA 2012-51 X-Frame-Options header ignored when duplicated

MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption

MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage

MFSA 2012-54 Clickjacking of certificate warning page

MFSA 2012-55 feed: URLs with an innerURI inherit security context of page

MFSA 2012-56 Code execution through javascript: URLs


Discovery 2012-07-17
Entry 2012-08-02
firefox
gt 11.0,1 lt 14.0.1,1

lt 10.0.6,1

linux-firefox
lt 10.0.6,1

linux-seamonkey
lt 2.11

linux-thunderbird
lt 10.0.6

seamonkey
lt 2.11

thunderbird
gt 11.0 lt 14.0

lt 10.0.6

libxul
gt 1.9.2.* lt 10.0.6

CVE-2012-1949
CVE-2012-1950
CVE-2012-1951
CVE-2012-1952
CVE-2012-1953
CVE-2012-1954
CVE-2012-1955
CVE-2012-1957
CVE-2012-1958
CVE-2012-1959
CVE-2012-1960
CVE-2012-1961
CVE-2012-1962
CVE-2012-1963
CVE-2012-1964
CVE-2012-1965
CVE-2012-1966
CVE-2012-1967
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-43.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-46.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-50.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
http://www.mozilla.org/security/announce/2012/mfsa2012-55.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
9c1495ac-8d8c-4789-a0f3-8ca6b476619cmozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API


Discovery 2014-10-14
Entry 2014-10-14
Modified 2015-08-12
firefox
lt 33.0,1

firefox-esr
lt 31.2.0,1

linux-firefox
lt 33.0,1

linux-seamonkey
lt 2.30

linux-thunderbird
lt 31.2.0

seamonkey
lt 2.30

thunderbird
lt 31.2.0

libxul
lt 31.2.0

CVE-2014-1575
CVE-2014-1574
CVE-2014-1576
CVE-2014-1577
CVE-2014-1580
CVE-2014-1581
CVE-2014-1582
CVE-2014-1583
CVE-2014-1584
CVE-2014-1585
CVE-2014-1586
https://www.mozilla.org/security/announce/2014/mfsa2014-74.html
https://www.mozilla.org/security/announce/2014/mfsa2014-75.html
https://www.mozilla.org/security/announce/2014/mfsa2014-76.html
https://www.mozilla.org/security/announce/2014/mfsa2014-78.html
https://www.mozilla.org/security/announce/2014/mfsa2014-79.html
https://www.mozilla.org/security/announce/2014/mfsa2014-80.html
https://www.mozilla.org/security/announce/2014/mfsa2014-81.html
https://www.mozilla.org/security/announce/2014/mfsa2014-82.html
https://www.mozilla.org/security/announce/
aa5bc971-d635-11e0-b3cf-080027ef73ecnss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl

Heather Adkins, Google's Information Security Manager, reported that Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident:

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. [...] an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they:

revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

  1. Failure to notify. [...]
  2. The scope of the breach remains unknown. [...]
  3. The attack is not theoretical.

Discovery 2011-07-19
Entry 2011-09-03
Modified 2011-09-06
nss
lt 3.12.11

ca_root_nss
lt 3.12.11

firefox
gt 3.6.*,1 lt 3.6.22,1

gt 4.0.*,1 lt 6.0.2,1

seamonkey
lt 2.3.2

linux-firefox
lt 3.6.22,1

thunderbird
gt 3.1.* lt 3.1.14

gt 5.0.* lt 6.0.2

linux-thunderbird
lt 3.1.14

linux-seamonkey
lt 2.3.2

http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
7dfed67b-20aa-11e3-b8d8-0025905a4771mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

MFSA 2013-77 Improper state in HTML5 Tree Builder with templates

MFSA 2013-78 Integer overflow in ANGLE library

MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning

MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed

MFSA 2013-81 Use-after-free with select element

MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption

MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification

MFSA 2013-84 Same-origin bypass through symbolic links

MFSA 2013-85 Uninitialized data in IonMonkey

MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers

MFSA 2013-87 Shared object library loading from writable location

MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes

MFSA 2013-89 Buffer overflow with multi-column, lists, and floats

MFSA 2013-90 Memory corruption involving scrolling

MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object

MFSA 2013-92 GC hazard with default compartments and frame chain restoration


Discovery 2013-08-17
Entry 2013-08-18
Modified 2013-09-19
firefox
gt 18.0,1 lt 24.0,1

lt 17.0.9,1

linux-firefox
lt 17.0.9,1

linux-seamonkey
lt 2.21

linux-thunderbird
lt 17.0.9

seamonkey
lt 2.21

thunderbird
lt 24.0

CVE-2013-1722
CVE-2013-1718
CVE-2013-1719
CVE-2013-1720
CVE-2013-1721
CVE-2013-1723
CVE-2013-1724
CVE-2013-1725
CVE-2013-1726
CVE-2013-1727
CVE-2013-1728
CVE-2013-1729
CVE-2013-1730
CVE-2013-1731
CVE-2013-1732
CVE-2013-1735
CVE-2013-1736
CVE-2013-1737
CVE-2013-1738
https://www.mozilla.org/security/announce/2013/mfsa2013-76.html
https://www.mozilla.org/security/announce/2013/mfsa2013-77.html
https://www.mozilla.org/security/announce/2013/mfsa2013-78.html
https://www.mozilla.org/security/announce/2013/mfsa2013-79.html
https://www.mozilla.org/security/announce/2013/mfsa2013-80.html
https://www.mozilla.org/security/announce/2013/mfsa2013-81.html
https://www.mozilla.org/security/announce/2013/mfsa2013-82.html
https://www.mozilla.org/security/announce/2013/mfsa2013-83.html
https://www.mozilla.org/security/announce/2013/mfsa2013-84.html
https://www.mozilla.org/security/announce/2013/mfsa2013-85.html
https://www.mozilla.org/security/announce/2013/mfsa2013-86.html
https://www.mozilla.org/security/announce/2013/mfsa2013-87.html
https://www.mozilla.org/security/announce/2013/mfsa2013-88.html
https://www.mozilla.org/security/announce/2013/mfsa2013-89.html
https://www.mozilla.org/security/announce/2013/mfsa2013-90.html
https://www.mozilla.org/security/announce/2013/mfsa2013-91.html
https://www.mozilla.org/security/announce/2013/mfsa2013-92.html
http://www.mozilla.org/security/known-vulnerabilities/
18f39fb6-7400-4063-acaf-0806e92c094fMozilla -- SVG Animation Remote Code Execution

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.


Discovery 2016-11-30
Entry 2016-12-01
Modified 2016-12-16
firefox
lt 50.0.2,1

firefox-esr
lt 45.5.1,1

linux-firefox
lt 45.5.1,2

seamonkey
lt 2.46

linux-seamonkey
lt 2.46

libxul
lt 45.5.1

thunderbird
lt 45.5.1

linux-thunderbird
lt 45.5.1

CVE-2016-9079
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
1bcfd963-e483-41b8-ab8e-bad5c3ce49c9brotli -- buffer overflow

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.


Discovery 2016-02-08
Entry 2016-03-08
Modified 2016-03-08
brotli
ge 0.3.0 lt 0.3.0_1

lt 0.2.0_2

libbrotli
lt 0.3.0_3

chromium
chromium-npapi
chromium-pulse
lt 48.0.2564.109

firefox
linux-firefox
lt 45.0,1

seamonkey
linux-seamonkey
lt 2.42

firefox-esr
lt 38.7.0,1

libxul
thunderbird
linux-thunderbird
lt 38.7.0

CVE-2016-1624
CVE-2016-1968
https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade
https://chromium.googlesource.com/chromium/src/+/7716418a27d561ee295a99f11fd3865580748de2%5E!/
https://www.mozilla.org/security/advisories/mfsa2016-30/
https://hg.mozilla.org/releases/mozilla-release/rev/4a5d8ade4e3e
6b3b1b97-207c-11e2-a03f-c8600054b392mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-90 Fixes for Location object issues


Discovery 2012-10-26
Entry 2012-10-27
firefox
gt 11.0,1 lt 16.0.2,1

lt 10.0.10,1

linux-firefox
lt 10.0.10,1

linux-seamonkey
lt 2.13.2

linux-thunderbird
lt 10.0.10

seamonkey
lt 2.13.2

thunderbird
gt 11.0 lt 16.0.2

lt 10.0.10

libxul
gt 1.9.2.* lt 10.0.10

CVE-2012-4194
CVE-2012-4195
CVE-2012-4196
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
7ae61870-9dd2-4884-a2f2-f19bb5784d09mozilla -- multiple vulnerabilities

The Mozilla Project reports:

ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data

MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory

MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer

MFSA-2014-88 Buffer overflow while parsing media content

MFSA-2014-87 Use-after-free during HTML5 parsing

MFSA-2014-86 CSP leaks redirect data via violation reports

MFSA-2014-85 XMLHttpRequest crashes with some input streams

MFSA-2014-84 XBL bindings accessible via improper CSS declarations

MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)


Discovery 2014-12-01
Entry 2014-12-02
firefox
lt 34.0,1

firefox-esr
lt 31.3.0,1

linux-firefox
lt 34.0,1

linux-seamonkey
lt 2.31

linux-thunderbird
lt 31.3.0

seamonkey
lt 2.31

thunderbird
lt 31.3.0

libxul
lt 31.3.0

nss
lt 3.17.3

CVE-2014-1587
CVE-2014-1588
CVE-2014-1589
CVE-2014-1590
CVE-2014-1591
CVE-2014-1592
CVE-2014-1593
CVE-2014-1594
CVE-2014-1595
CVE-2014-1569
https://www.mozilla.org/security/advisories/mfsa2014-83
https://www.mozilla.org/security/advisories/mfsa2014-84
https://www.mozilla.org/security/advisories/mfsa2014-85
https://www.mozilla.org/security/advisories/mfsa2014-86
https://www.mozilla.org/security/advisories/mfsa2014-87
https://www.mozilla.org/security/advisories/mfsa2014-88
https://www.mozilla.org/security/advisories/mfsa2014-89
https://www.mozilla.org/security/advisories/mfsa2014-90
https://www.mozilla.org/security/advisories/
a4ed6632-5aa9-11e2-8fcb-c8600054b392mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-03 Buffer Overflow in Canvas

MFSA 2013-04 URL spoofing in addressbar during page loads

MFSA 2013-05 Use-after-free when displaying table with many columns and column groups

MFSA 2013-06 Touch events are shared across iframes

MFSA 2013-07 Crash due to handling of SSL on threads

MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-09 Compartment mismatch with quickstubs returned values

MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-11 Address space layout leaked in XBL objects

MFSA 2013-12 Buffer overflow in Javascript string concatenation

MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-15 Privilege escalation through plugin objects

MFSA 2013-16 Use-after-free in serializeToStream

MFSA 2013-17 Use-after-free in ListenerManager

MFSA 2013-18 Use-after-free in Vibrate

MFSA 2013-19 Use-after-free in Javascript Proxy objects

MFSA 2013-20 Mis-issued TURKTRUST certificates


Discovery 2013-01-08
Entry 2013-01-09
firefox
gt 11.0,1 lt 17.0.2,1

lt 10.0.12,1

linux-firefox
lt 17.0.2,1

linux-seamonkey
lt 2.15

linux-thunderbird
lt 17.0.2

seamonkey
lt 2.15

thunderbird
gt 11.0 lt 17.0.2

lt 10.0.12

libxul
gt 1.9.2.* lt 10.0.12

ca_root_nss
lt 3.14.1

CVE-2012-5829
CVE-2013-0743
CVE-2013-0744
CVE-2013-0745
CVE-2013-0746
CVE-2013-0747
CVE-2013-0748
CVE-2013-0749
CVE-2013-0750
CVE-2013-0751
CVE-2013-0752
CVE-2013-0753
CVE-2013-0754
CVE-2013-0755
CVE-2013-0756
CVE-2013-0757
CVE-2013-0758
CVE-2013-0759
CVE-2013-0760
CVE-2013-0761
CVE-2013-0762
CVE-2013-0763
CVE-2013-0764
CVE-2013-0766
CVE-2013-0767
CVE-2013-0768
CVE-2013-0769
CVE-2013-0770
CVE-2013-0771
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-03.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-06.html
http://www.mozilla.org/security/announce/2013/mfsa2013-07.html
http://www.mozilla.org/security/announce/2013/mfsa2013-08.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-10.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-13.html
http://www.mozilla.org/security/announce/2013/mfsa2013-14.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-18.html
http://www.mozilla.org/security/announce/2013/mfsa2013-19.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/known-vulnerabilities/
1753f0ff-8dd5-11e3-9b45-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

MFSA 2014-02 Clone protected content with XBL scopes

MFSA 2014-03 UI selection timeout missing on download prompts

MFSA 2014-04 Incorrect use of discarded images by RasterImage

MFSA 2014-05 Information disclosure with *FromPoint on iframes

MFSA 2014-06 Profile path leaks to Android system log

MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy

MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing

MFSA 2014-09 Cross-origin information leak through web workers

MFSA 2014-10 Firefox default start page UI content invokable by script

MFSA 2014-11 Crash when using web workers with asm.js

MFSA 2014-12 NSS ticket handling issues

MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects


Discovery 2014-02-04
Entry 2014-02-04
firefox
gt 25.0,1 lt 27.0,1

lt 24.3.0,1

linux-firefox
lt 27.0,1

linux-seamonkey
lt 2.24

linux-thunderbird
lt 24.3.0

seamonkey
lt 2.24

thunderbird
lt 24.3.0

CVE-2014-1477
CVE-2014-1478
CVE-2014-1479
CVE-2014-1480
CVE-2014-1481
CVE-2014-1482
CVE-2014-1483
CVE-2014-1484
CVE-2014-1485
CVE-2014-1486
CVE-2014-1487
CVE-2014-1488
CVE-2014-1489
CVE-2014-1490
CVE-2014-1491
https://www.mozilla.org/security/announce/2014/mfsa2014-01.html
https://www.mozilla.org/security/announce/2014/mfsa2014-02.html
https://www.mozilla.org/security/announce/2014/mfsa2014-03.html
https://www.mozilla.org/security/announce/2014/mfsa2014-04.html
https://www.mozilla.org/security/announce/2014/mfsa2014-05.html
https://www.mozilla.org/security/announce/2014/mfsa2014-06.html
https://www.mozilla.org/security/announce/2014/mfsa2014-07.html
https://www.mozilla.org/security/announce/2014/mfsa2014-08.html
https://www.mozilla.org/security/announce/2014/mfsa2014-09.html
https://www.mozilla.org/security/announce/2014/mfsa2014-10.html
https://www.mozilla.org/security/announce/2014/mfsa2014-11.html
https://www.mozilla.org/security/announce/2014/mfsa2014-12.html
http://www.mozilla.org/security/known-vulnerabilities/
6e5a9afd-12d3-11e2-b47d-c8600054b392mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

MFSA 2012-75 select element persistance allows for attacks

MFSA 2012-76 Continued access to initial origin after setting document.domain

MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

MFSA 2012-78 Reader Mode pages have chrome privileges

MFSA 2012-79 DOS and crash with full screen and history navigation

MFSA 2012-80 Crash with invalid cast when using instanceof operator

MFSA 2012-81 GetProperty function can bypass security checks

MFSA 2012-82 top object and location property accessible by plugins

MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties

MFSA 2012-84 Spoofing and script injection through location.hash

MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

MFSA 2012-87 Use-after-free in the IME State Manager

MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

MFSA 2012-89 defaultValue security checks not applied


Discovery 2012-10-09
Entry 2012-10-10
Modified 2012-10-11
firefox
gt 11.0,1 lt 16.0.1,1

lt 10.0.9,1

linux-firefox
lt 10.0.9,1

linux-seamonkey
lt 2.13.1

linux-thunderbird
lt 10.0.9

seamonkey
lt 2.13.1

thunderbird
gt 11.0 lt 16.0.1

lt 10.0.9

libxul
gt 1.9.2.* lt 10.0.9

CVE-2012-3982
CVE-2012-3983
CVE-2012-3984
CVE-2012-3985
CVE-2012-3986
CVE-2012-3987
CVE-2012-3988
CVE-2012-3989
CVE-2012-3990
CVE-2012-3991
CVE-2012-3992
CVE-2012-3993
CVE-2012-3994
CVE-2012-3995
CVE-2012-4179
CVE-2012-4180
CVE-2012-4181
CVE-2012-4182
CVE-2012-4183
CVE-2012-4184
CVE-2012-4186
CVE-2012-4187
CVE-2012-4188
CVE-2012-4190
CVE-2012-4191
CVE-2012-4192
CVE-2012-4193
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-75.html
http://www.mozilla.org/security/announce/2012/mfsa2012-76.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-78.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-80.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
http://www.mozilla.org/security/announce/2012/mfsa2012-88.html
http://www.mozilla.org/security/announce/2012/mfsa2012-89.html
05da6b56-3e66-4306-9ea3-89fafe939726mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-9790: Use-after-free when removing in-use DOM elements

CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled

CVE-2019-9794: Command line arguments not discarded during execution

CVE-2019-9795: Type-confusion in IonMonkey JIT compiler

CVE-2019-9796: Use-after-free with SMIL animation controller

CVE-2019-9797: Cross-origin theft of images with createImageBitmap

CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location

CVE-2019-9799: Information disclosure via IPC channel messages

CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to web content

CVE-2019-9802: Chrome process information leak

CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation

CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS

CVE-2019-9805: Potential use of uninitialized memory in Prio

CVE-2019-9806: Denial of service through successive FTP authorization prompts

CVE-2019-9807: Text sent through FTP connection can be incorporated into alert messages

CVE-2019-9809: Denial of service through FTP modal alert error messages

CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and blob: URLs

CVE-2019-9789: Memory safety bugs fixed in Firefox 66

CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6


Discovery 2019-03-19
Entry 2019-03-19
Modified 2019-07-23
firefox
lt 66.0_3,1

waterfox
lt 56.2.9

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.6.0,1

linux-firefox
lt 60.6.0,2

libxul
thunderbird
linux-thunderbird
lt 60.6.0

CVE-2019-9788
CVE-2019-9789
CVE-2019-9790
CVE-2019-9791
CVE-2019-9792
CVE-2019-9793
CVE-2019-9794
CVE-2019-9795
CVE-2019-9796
CVE-2019-9797
CVE-2019-9798
CVE-2019-9799
CVE-2019-9801
CVE-2019-9802
CVE-2019-9803
CVE-2019-9804
CVE-2019-9805
CVE-2019-9806
CVE-2019-9807
CVE-2019-9808
CVE-2019-9809
https://www.mozilla.org/security/advisories/mfsa2019-07/
https://www.mozilla.org/security/advisories/mfsa2019-08/
d23119df-335d-11e2-b64c-c8600054b392mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)

MFSA 2012-92 Buffer overflow while rendering GIF images

MFSA 2012-93 evalInSanbox location context incorrectly applied

MFSA 2012-94 Crash when combining SVG text on path with CSS

MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page

MFSA 2012-96 Memory corruption in str_unescape

MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox

MFSA 2012-98 Firefox installer DLL hijacking

MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment

MFSA 2012-100 Improper security filtering for cross-origin wrappers

MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset

MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges

MFSA 2012-103 Frames can shadow top.location

MFSA 2012-104 CSS and HTML injection through Style Inspector

MFSA 2012-105 Use-after-free and buffer overflow issues found

MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer


Discovery 2012-11-20
Entry 2012-11-20
firefox
gt 11.0,1 lt 17.0,1

lt 10.0.11,1

linux-firefox
lt 10.0.11,1

linux-seamonkey
lt 2.14

linux-thunderbird
lt 10.0.11

seamonkey
lt 2.14

thunderbird
gt 11.0 lt 17.0

lt 10.0.11

libxul
gt 1.9.2.* lt 10.0.11

CVE-2012-4201
CVE-2012-4202
CVE-2012-4203
CVE-2012-4204
CVE-2012-4205
CVE-2012-4206
CVE-2012-4207
CVE-2012-4208
CVE-2012-4209
CVE-2012-4210
CVE-2012-4212
CVE-2012-4213
CVE-2012-4214
CVE-2012-4215
CVE-2012-4216
CVE-2012-4217
CVE-2012-4218
CVE-2012-5829
CVE-2012-5830
CVE-2012-5833
CVE-2012-5835
CVE-2012-5836
CVE-2012-5837
CVE-2012-5838
CVE-2012-5839
CVE-2012-5840
CVE-2012-5841
CVE-2012-5842
CVE-2012-5843
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.mozilla.org/security/announce/2012/mfsa2012-94.html
http://www.mozilla.org/security/announce/2012/mfsa2012-95.html
http://www.mozilla.org/security/announce/2012/mfsa2012-96.html
http://www.mozilla.org/security/announce/2012/mfsa2012-97.html
http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
http://www.mozilla.org/security/announce/2012/mfsa2012-99.html
http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
http://www.mozilla.org/security/announce/2012/mfsa2012-102.html
http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
http://www.mozilla.org/security/announce/2012/mfsa2012-104.html
http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
http://www.mozilla.org/security/known-vulnerabilities/
555b244e-6b20-4546-851f-d8eb7d6c1ffamozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-08-08
Entry 2017-08-08
firefox
lt 55.0,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
lt 52.3.0,1

linux-firefox
lt 52.3.0,2

libxul
thunderbird
linux-thunderbird
lt 52.3.0

CVE-2017-7753
CVE-2017-7779
CVE-2017-7780
CVE-2017-7781
CVE-2017-7782
CVE-2017-7783
CVE-2017-7784
CVE-2017-7785
CVE-2017-7786
CVE-2017-7787
CVE-2017-7788
CVE-2017-7789
CVE-2017-7790
CVE-2017-7791
CVE-2017-7792
CVE-2017-7794
CVE-2017-7796
CVE-2017-7797
CVE-2017-7798
CVE-2017-7799
CVE-2017-7800
CVE-2017-7801
CVE-2017-7802
CVE-2017-7803
CVE-2017-7804
CVE-2017-7806
CVE-2017-7807
CVE-2017-7808
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/
6cec1b0a-da15-467d-8691-1dea392d4c8dmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2017-06-13
Entry 2017-06-13
Modified 2017-09-19
firefox
lt 54.0,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
lt 52.2.0,1

linux-firefox
lt 52.2.0,2

libxul
thunderbird
linux-thunderbird
lt 52.2.0

CVE-2017-5470
CVE-2017-5471
CVE-2017-5472
CVE-2017-7749
CVE-2017-7750
CVE-2017-7751
CVE-2017-7752
CVE-2017-7754
CVE-2017-7755
CVE-2017-7756
CVE-2017-7757
CVE-2017-7758
CVE-2017-7759
CVE-2017-7760
CVE-2017-7761
CVE-2017-7762
CVE-2017-7763
CVE-2017-7764
CVE-2017-7765
CVE-2017-7766
CVE-2017-7767
CVE-2017-7768
CVE-2017-7778
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
985d4d6c-cfbd-11e3-a003-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer

MFSA 2014-36 Web Audio memory corruption issues

MFSA 2014-37 Out of bounds read while decoding JPG images

MFSA 2014-38 Buffer overflow when using non-XBL object as XBL

MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video

MFSA 2014-41 Out-of-bounds write in Cairo

MFSA 2014-42 Privilege escalation through Web Notification API

MFSA 2014-43 Cross-site scripting (XSS) using history navigations

MFSA 2014-44 Use-after-free in imgLoader while resizing images

MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates

MFSA 2014-46 Use-after-free in nsHostResolve

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript


Discovery 2014-04-29
Entry 2014-04-29
firefox
lt 29.0,1

firefox-esr
lt 24.5.0,1

linux-firefox
lt 29.0,1

linux-seamonkey
lt 2.26

linux-thunderbird
lt 24.5.0

seamonkey
lt 2.26

thunderbird
lt 24.5.0

CVE-2014-1529
CVE-2014-1492
CVE-2014-1518
CVE-2014-1519
CVE-2014-1520
CVE-2014-1522
CVE-2014-1523
CVE-2014-1524
CVE-2014-1525
CVE-2014-1526
CVE-2014-1527
CVE-2014-1528
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
https://www.mozilla.org/security/announce/2014/mfsa2014-34.html
https://www.mozilla.org/security/announce/2014/mfsa2014-35.html
https://www.mozilla.org/security/announce/2014/mfsa2014-36.html
https://www.mozilla.org/security/announce/2014/mfsa2014-37.html
https://www.mozilla.org/security/announce/2014/mfsa2014-38.html
https://www.mozilla.org/security/announce/2014/mfsa2014-39.html
https://www.mozilla.org/security/announce/2014/mfsa2014-41.html
https://www.mozilla.org/security/announce/2014/mfsa2014-42.html
https://www.mozilla.org/security/announce/2014/mfsa2014-43.html
https://www.mozilla.org/security/announce/2014/mfsa2014-44.html
https://www.mozilla.org/security/announce/2014/mfsa2014-45.html
https://www.mozilla.org/security/announce/2014/mfsa2014-46.html
https://www.mozilla.org/security/announce/2014/mfsa2014-47.html
http://www.mozilla.org/security/known-vulnerabilities/
2b8cad90-f289-11e1-a215-14dae9ebcf89mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

MFSA 2012-58 Use-after-free issues found using Address Sanitizer

MFSA 2012-59 Location object can be shadowed using Object.defineProperty

MFSA 2012-60 Escalation of privilege through about:newtab

MFSA 2012-61 Memory corruption with bitmap format images with negative height

MFSA 2012-62 WebGL use-after-free and memory corruption

MFSA 2012-63 SVG buffer overflow and use-after-free issues

MFSA 2012-64 Graphite 2 memory corruption

MFSA 2012-65 Out-of-bounds read in format-number in XSLT

MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation

MFSA 2012-67 Installer will launch incorrect executable following new installation

MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html

MFSA 2012-69 Incorrect site SSL certificate data display

MFSA 2012-70 Location object security checks bypassed by chrome code

MFSA 2012-71 Insecure use of __android_log_print

MFSA 2012-72 Web console eval capable of executing chrome-privileged code


Discovery 2012-08-28
Entry 2012-08-30
firefox
gt 11.0,1 lt 15.0,1

lt 10.0.7,1

linux-firefox
lt 10.0.7,1

linux-seamonkey
lt 2.12

linux-thunderbird
lt 10.0.7

seamonkey
lt 2.12

thunderbird
gt 11.0 lt 15.0

lt 10.0.7

libxul
gt 1.9.2.* lt 10.0.7

CVE-2012-1956
CVE-2012-1970
CVE-2012-1971
CVE-2012-1972
CVE-2012-1973
CVE-2012-1974
CVE-2012-1975
CVE-2012-1976
CVE-2012-3956
CVE-2012-3957
CVE-2012-3958
CVE-2012-3959
CVE-2012-3960
CVE-2012-3961
CVE-2012-3962
CVE-2012-3963
CVE-2012-3964
CVE-2012-3965
CVE-2012-3966
CVE-2012-3967
CVE-2012-3968
CVE-2012-3969
CVE-2012-3970
CVE-2012-3971
CVE-2012-3972
CVE-2012-3973
CVE-2012-3974
CVE-2012-3975
CVE-2012-3976
CVE-2012-3978
CVE-2012-3979
CVE-2012-3980
http://www.mozilla.org/security/known-vulnerabilities/
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-60.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-64.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-66.html
http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
http://www.mozilla.org/security/announce/2012/mfsa2012-68.html
http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-71.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
98f1241f-8c09-4237-ad0d-67fb4158ea7aMozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-11703: Heap buffer overflow in icalparser.c

A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash.

CVE-2019-11704: Heap buffer overflow in icalvalue.c

A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash.

CVE-2019-11705: Stack buffer overflow in icalrecur.c

A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash.

CVE-2019-11706: Type confusion in icalproperty.c

A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash.


Discovery 2019-06-13
Entry 2019-06-21
thunderbird
lt 60.7.1

https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/
CVE-2019-11703
CVE-2019-11704
CVE-2019-11705
CVE-2019-11706
aa1aefe3-6e37-47db-bfda-343ef4acb1b5Mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

Please reference CVE/URL list for details


Discovery 2016-08-02
Entry 2016-09-07
Modified 2016-09-20
firefox
lt 48.0,1

seamonkey
linux-seamonkey
lt 2.45

firefox-esr
lt 45.3.0,1

linux-firefox
lt 45.3.0,2

libxul
thunderbird
linux-thunderbird
lt 45.3.0

CVE-2016-0718
CVE-2016-2830
CVE-2016-2835
CVE-2016-2836
CVE-2016-2837
CVE-2016-2838
CVE-2016-2839
CVE-2016-5250
CVE-2016-5251
CVE-2016-5252
CVE-2016-5253
CVE-2016-5254
CVE-2016-5255
CVE-2016-5258
CVE-2016-5259
CVE-2016-5260
CVE-2016-5261
CVE-2016-5262
CVE-2016-5263
CVE-2016-5264
CVE-2016-5265
CVE-2016-5266
CVE-2016-5267
CVE-2016-5268
https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/
888a0262-f0d9-11e3-ba0c-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer

MFSA 2014-51 Use-after-free in Event Listener Manager

MFSA 2014-52 Use-after-free with SMIL Animation Controller

MFSA 2014-53 Buffer overflow in Web Audio Speex resampler

MFSA 2014-54 Buffer overflow in Gamepad API

MFSA 2014-55 Out of bounds write in NSPR


Discovery 2014-06-10
Entry 2014-06-10
firefox
lt 30.0,1

firefox-esr
lt 24.6.0,1

seamonkey
lt 2.26.1

linux-firefox
lt 30.0,1

linux-seamonkey
lt 2.26.1

linux-thunderbird
lt 24.6.0

nspr
lt 4.10.6

thunderbird
lt 24.6.0

CVE-2014-1533
CVE-2014-1534
CVE-2014-1536
CVE-2014-1537
CVE-2014-1540
CVE-2014-1541
CVE-2014-1542
CVE-2014-1543
CVE-2014-1545
https://www.mozilla.org/security/announce/2014/mfsa2014-48.html
https://www.mozilla.org/security/announce/2014/mfsa2014-49.html
https://www.mozilla.org/security/announce/2014/mfsa2014-51.html
https://www.mozilla.org/security/announce/2014/mfsa2014-52.html
https://www.mozilla.org/security/announce/2014/mfsa2014-53.html
https://www.mozilla.org/security/announce/2014/mfsa2014-54.html
https://www.mozilla.org/security/announce/2014/mfsa2014-55.html
610de647-af8d-11e3-a25b-b4b52fce4ce8mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

MFSA 2014-16 Files extracted during updates are not always read only

MFSA 2014-17 Out of bounds read during WAV file decoding

MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key

MFSA 2014-19 Spoofing attack on WebRTC permission prompt

MFSA 2014-20 onbeforeunload and Javascript navigation DOS

MFSA 2014-21 Local file access via Open Link in new tab

MFSA 2014-22 WebGL content injection from one domain to rendering in another

MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore

MFSA 2014-24 Android Crash Reporter open to manipulation

MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape

MFSA 2014-26 Information disclosure through polygon rendering in MathML

MFSA 2014-27 Memory corruption in Cairo during PDF font rendering

MFSA 2014-28 SVG filters information disclosure through feDisplacementMap

MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs

MFSA 2014-30 Use-after-free in TypeObject

MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects

MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering


Discovery 2014-03-19
Entry 2014-03-19
Modified 2014-03-20
firefox
lt 28.0,1

firefox-esr
lt 24.4.0,1

linux-firefox
lt 28.0,1

linux-seamonkey
lt 2.25

linux-thunderbird
lt 24.4.0

seamonkey
lt 2.25

thunderbird
lt 24.4.0

CVE-2014-1493
CVE-2014-1494
CVE-2014-1496
CVE-2014-1497
CVE-2014-1498
CVE-2014-1499
CVE-2014-1500
CVE-2014-1501
CVE-2014-1502
CVE-2014-1504
CVE-2014-1505
CVE-2014-1506
CVE-2014-1507
CVE-2014-1508
CVE-2014-1509
CVE-2014-1510
CVE-2014-1511
CVE-2014-1512
CVE-2014-1513
CVE-2014-1514
https://www.mozilla.org/security/announce/2014/mfsa2014-15.html
https://www.mozilla.org/security/announce/2014/mfsa2014-16.html
https://www.mozilla.org/security/announce/2014/mfsa2014-17.html
https://www.mozilla.org/security/announce/2014/mfsa2014-18.html
https://www.mozilla.org/security/announce/2014/mfsa2014-19.html
https://www.mozilla.org/security/announce/2014/mfsa2014-20.html
https://www.mozilla.org/security/announce/2014/mfsa2014-21.html
https://www.mozilla.org/security/announce/2014/mfsa2014-22.html
https://www.mozilla.org/security/announce/2014/mfsa2014-23.html
https://www.mozilla.org/security/announce/2014/mfsa2014-24.html
https://www.mozilla.org/security/announce/2014/mfsa2014-25.html
https://www.mozilla.org/security/announce/2014/mfsa2014-26.html
https://www.mozilla.org/security/announce/2014/mfsa2014-27.html
https://www.mozilla.org/security/announce/2014/mfsa2014-28.html
https://www.mozilla.org/security/announce/2014/mfsa2014-29.html
https://www.mozilla.org/security/announce/2014/mfsa2014-30.html
https://www.mozilla.org/security/announce/2014/mfsa2014-31.html
https://www.mozilla.org/security/announce/2014/mfsa2014-32.html
http://www.mozilla.org/security/known-vulnerabilities/
44b6dfbf-4ef7-4d52-ad52-2b1b05d81272mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7


Discovery 2019-05-21
Entry 2019-05-22
Modified 2019-07-23
firefox
lt 67.0,1

waterfox
lt 56.2.10

seamonkey
linux-seamonkey
lt 2.53.0

firefox-esr
lt 60.7.0,1

linux-firefox
lt 60.7.0,2

libxul
thunderbird
linux-thunderbird
lt 60.7.0

CVE-2019-9815
CVE-2019-9816
CVE-2019-9817
CVE-2019-9818
CVE-2019-9819
CVE-2019-9820
CVE-2019-9821
CVE-2019-11691
CVE-2019-11692
CVE-2019-11693
CVE-2019-7317
CVE-2019-11694
CVE-2019-11695
CVE-2019-11696
CVE-2019-11697
CVE-2019-11698
CVE-2019-11700
CVE-2019-11699
CVE-2019-11701
CVE-2019-9814
CVE-2019-9800
https://www.mozilla.org/security/advisories/mfsa2019-13/
https://www.mozilla.org/security/advisories/mfsa2019-14/
https://www.mozilla.org/security/advisories/mfsa2019-15/
6c8ad3e8-0a30-11e1-9580-4061862b8c22mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

MFSA 2011-47 Potential XSS against sites using Shift-JIS

MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)

MFSA 2011-49 Memory corruption while profiling using Firebug

MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D

MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU

MFSA 2011-52 Code execution via NoWaiverWrapper


Discovery 2011-11-08
Entry 2011-11-08
firefox
gt 4.0,1 lt 8.0,1

gt 3.6.*,1 lt 3.6.24,1

libxul
gt 1.9.2.* lt 1.9.2.24

linux-firefox
lt 8.0,1

linux-thunderbird
lt 8.0

thunderbird
gt 4.0 lt 8.0

lt 3.1.16

CVE-2011-3647
CVE-2011-3648
CVE-2011-3649
CVE-2011-3650
CVE-2011-3651
CVE-2011-3652
CVE-2011-3653
CVE-2011-3654
CVE-2011-3655
http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
http://www.mozilla.org/security/announce/2011/mfsa2011-50.html
http://www.mozilla.org/security/announce/2011/mfsa2011-51.html
http://www.mozilla.org/security/announce/2011/mfsa2011-52.html
1098a15b-b0f6-42b7-b5c7-8a8646e8be07mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2017-7793: Use-after-free with Fetch API

CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode

CVE-2017-7818: Use-after-free during ARIA array manipulation

CVE-2017-7819: Use-after-free while resizing images in design mode

CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE

CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes

CVE-2017-7812: Drag and drop of malicious page content to the tab bar can open locally stored files

CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings

CVE-2017-7813: Integer truncation in the JavaScript parser

CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces

CVE-2017-7815: Spoofing attack with modal dialogs on non-e10s installations

CVE-2017-7816: WebExtensions can load about: URLs in extension UI

CVE-2017-7821: WebExtensions can download and open non-executable files without user interaction

CVE-2017-7823: CSP sandbox directive did not create a unique origin

CVE-2017-7822: WebCrypto allows AES-GCM with 0-length IV

CVE-2017-7820: Xray wrapper bypass with new tab and web console

CVE-2017-7811: Memory safety bugs fixed in Firefox 56

CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4


Discovery 2017-09-28
Entry 2017-09-29
Modified 2017-10-03
firefox
lt 56.0,1

seamonkey
linux-seamonkey
lt 2.49.1

firefox-esr
lt 52.4.0,1

linux-firefox
lt 52.4.0,2

libxul
thunderbird
linux-thunderbird
lt 52.4.0

CVE-2017-7793
CVE-2017-7805
CVE-2017-7810
CVE-2017-7811
CVE-2017-7812
CVE-2017-7813
CVE-2017-7814
CVE-2017-7815
CVE-2017-7816
CVE-2017-7817
CVE-2017-7818
CVE-2017-7819
CVE-2017-7820
CVE-2017-7821
CVE-2017-7822
CVE-2017-7823
CVE-2017-7824
CVE-2017-7825
https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
81f866ad-41a4-11e3-a4af-0025905a4771mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

MFSA 2013-94 Spoofing addressbar though SELECT element

MFSA 2013-95 Access violation with XSLT and uninitialized data

MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions

MFSA 2013-97 Writing to cycle collected object during image decoding

MFSA 2013-98 Use-after-free when updating offline cache

MFSA 2013-99 Security bypass of PDF.js checks using iframes

MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing

MFSA 2013-101 Memory corruption in workers

MFSA 2013-102 Use-after-free in HTML document templates


Discovery 2013-10-29
Entry 2013-10-30
Modified 2013-10-31
firefox
lt 24.1.0,1

linux-firefox
lt 25.0,1

linux-seamonkey
lt 2.22

linux-thunderbird
lt 24.1.0

seamonkey
lt 2.22

thunderbird
lt 24.1.0

CVE-2013-1739
CVE-2013-5590
CVE-2013-5591
CVE-2013-5592
CVE-2013-5593
CVE-2013-5595
CVE-2013-5596
CVE-2013-5597
CVE-2013-5598
CVE-2013-5599
CVE-2013-5600
CVE-2013-5601
CVE-2013-5602
CVE-2013-5603
CVE-2013-5604
https://www.mozilla.org/security/announce/2013/mfsa2013-93.html
https://www.mozilla.org/security/announce/2013/mfsa2013-94.html
https://www.mozilla.org/security/announce/2013/mfsa2013-95.html
https://www.mozilla.org/security/announce/2013/mfsa2013-96.html
https://www.mozilla.org/security/announce/2013/mfsa2013-97.html
https://www.mozilla.org/security/announce/2013/mfsa2013-98.html
https://www.mozilla.org/security/announce/2013/mfsa2013-99.html
https://www.mozilla.org/security/announce/2013/mfsa2013-100.html
https://www.mozilla.org/security/announce/2013/mfsa2013-101.html
https://www.mozilla.org/security/announce/2013/mfsa2013-102.html
http://www.mozilla.org/security/known-vulnerabilities/
4f00dac0-1e18-4481-95af-7aaad63fd303mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43


Discovery 2016-01-26
Entry 2016-02-01
Modified 2016-03-08
firefox
linux-firefox
lt 44.0,1

seamonkey
linux-seamonkey
lt 2.41

firefox-esr
lt 38.6.0,1

libxul
thunderbird
linux-thunderbird
lt 38.6.0

CVE-2015-7208
CVE-2016-1930
CVE-2016-1931
CVE-2016-1933
CVE-2016-1935
CVE-2016-1937
CVE-2016-1939
CVE-2016-1942
CVE-2016-1943
CVE-2016-1944
CVE-2016-1945
CVE-2016-1946
CVE-2016-1947
https://www.mozilla.org/security/advisories/mfsa2016-01/
https://www.mozilla.org/security/advisories/mfsa2016-02/
https://www.mozilla.org/security/advisories/mfsa2016-03/
https://www.mozilla.org/security/advisories/mfsa2016-04/
https://www.mozilla.org/security/advisories/mfsa2016-06/
https://www.mozilla.org/security/advisories/mfsa2016-09/
https://www.mozilla.org/security/advisories/mfsa2016-10/
https://www.mozilla.org/security/advisories/mfsa2016-11/
cd81806c-26e7-4d4a-8425-02724a2f48afmozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2018-12359: Buffer overflow using computed size of canvas element

CVE-2018-12360: Use-after-free when using focus()

CVE-2018-12361: Integer overflow in SwizzleData

CVE-2018-12358: Same-origin bypass using service worker and redirection

CVE-2018-12362: Integer overflow in SSSE3 scaler

CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture

CVE-2018-12363: Use-after-free when appending DOM nodes

CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

CVE-2018-12365: Compromised IPC child process can list local filenames

CVE-2018-12371: Integer overflow in Skia library during edge builder allocation

CVE-2018-12366: Invalid data handling during QCMS transformations

CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming

CVE-2018-12368: No warning when opening executable SettingContent-ms files

CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments

CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View

CVE-2018-5186: Memory safety bugs fixed in Firefox 61

CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1

CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9


Discovery 2018-06-26
Entry 2018-06-26
Modified 2018-07-07
firefox
lt 61.0_1,1

waterfox
lt 56.2.1.19_2

seamonkey
linux-seamonkey
lt 2.49.4

firefox-esr
ge 60.0,1 lt 60.1.0_1,1

lt 52.9.0_1,1

linux-firefox
lt 52.9.0,2

libxul
thunderbird
linux-thunderbird
lt 52.9.0

CVE-2018-12362
CVE-2018-5156
CVE-2018-5186
CVE-2018-5187
CVE-2018-5188
CVE-2018-12358
CVE-2018-12359
CVE-2018-12360
CVE-2018-12361
CVE-2018-12363
CVE-2018-12364
CVE-2018-12365
CVE-2018-12366
CVE-2018-12367
CVE-2018-12368
CVE-2018-12369
CVE-2018-12370
CVE-2018-12371
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/
2d56c7f4-b354-428f-8f48-38150c607a05mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

MFSA 2015-97 Memory leak in mozTCPSocket to servers

MFSA 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes

MFSA 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme

MFSA 2015-100 Arbitrary file manipulation by local user through Mozilla updater

MFSA 2015-101 Buffer overflow in libvpx while parsing vp9 format video

MFSA 2015-102 Crash when using debugger with SavedStacks in JavaScript

MFSA 2015-103 URL spoofing in reader mode

MFSA 2015-104 Use-after-free with shared workers and IndexedDB

MFSA 2015-105 Buffer overflow while decoding WebM video

MFSA 2015-106 Use-after-free while manipulating HTML media content

MFSA 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems

MFSA 2015-108 Scripted proxies can access inner window

MFSA 2015-109 JavaScript immutable property enforcement can be bypassed

MFSA 2015-110 Dragging and dropping images exposes final URL after redirects

MFSA 2015-111 Errors in the handling of CORS preflight request headers

MFSA 2015-112 Vulnerabilities found through code inspection

MFSA 2015-113 Memory safety errors in libGLES in the ANGLE graphics library

MFSA 2015-114 Information disclosure via the High Resolution Time API


Discovery 2015-09-22
Entry 2015-09-22
firefox
lt 41.0,1

linux-firefox
lt 41.0,1

seamonkey
lt 2.38

linux-seamonkey
lt 2.38

firefox-esr
lt 38.3.0,1

libxul
lt 38.3.0

thunderbird
lt 38.3.0

linux-thunderbird
lt 38.3.0

CVE-2015-4476
CVE-2015-4500
CVE-2015-4501
CVE-2015-4502
CVE-2015-4503
CVE-2015-4504
CVE-2015-4505
CVE-2015-4506
CVE-2015-4507
CVE-2015-4508
CVE-2015-4509
CVE-2015-4510
CVE-2015-4512
CVE-2015-4516
CVE-2015-4517
CVE-2015-4519
CVE-2015-4520
CVE-2015-4521
CVE-2015-4522
CVE-2015-7174
CVE-2015-7175
CVE-2015-7176
CVE-2015-7177
CVE-2015-7178
CVE-2015-7179
CVE-2015-7180
https://www.mozilla.org/security/advisories/mfsa2015-96/
https://www.mozilla.org/security/advisories/mfsa2015-97/
https://www.mozilla.org/security/advisories/mfsa2015-98/
https://www.mozilla.org/security/advisories/mfsa2015-99/
https://www.mozilla.org/security/advisories/mfsa2015-100/
https://www.mozilla.org/security/advisories/mfsa2015-101/
https://www.mozilla.org/security/advisories/mfsa2015-102/
https://www.mozilla.org/security/advisories/mfsa2015-103/
https://www.mozilla.org/security/advisories/mfsa2015-104/
https://www.mozilla.org/security/advisories/mfsa2015-105/
https://www.mozilla.org/security/advisories/mfsa2015-106/
https://www.mozilla.org/security/advisories/mfsa2015-107/
https://www.mozilla.org/security/advisories/mfsa2015-108/
https://www.mozilla.org/security/advisories/mfsa2015-109/
https://www.mozilla.org/security/advisories/mfsa2015-110/
https://www.mozilla.org/security/advisories/mfsa2015-111/
https://www.mozilla.org/security/advisories/mfsa2015-112/
https://www.mozilla.org/security/advisories/mfsa2015-113/
https://www.mozilla.org/security/advisories/mfsa2015-114/
e3f0374a-7ad6-11e2-84cd-d43d7e0c7c02mozilla -- multiple vulnerabilities

The Mozilla Project reports:

MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

MFSA 2013-22 Out-of-bounds read in image rendering

MFSA 2013-23 Wrapped WebIDL objects can be wrapped again

MFSA 2013-24 Web content bypass of COW and SOW security wrappers

MFSA 2013-25 Privacy leak in JavaScript Workers

MFSA 2013-26 Use-after-free in nsImageLoadingContent

MFSA 2013-27 Phishing on HTTPS connection through malicious proxy

MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer


Discovery 2013-02-19
Entry 2013-02-19
Modified 2013-02-20
firefox
gt 18.0,1 lt 19.0,1

lt 17.0.3,1

linux-firefox
lt 17.0.3,1

linux-seamonkey
lt 2.16

linux-thunderbird
lt 17.0.3

seamonkey
lt 2.16

thunderbird
gt 11.0 lt 17.0.3

lt 10.0.12

libxul
gt 1.9.2.* lt 10.0.12

CVE-2013-0765
CVE-2013-0772
CVE-2013-0773
CVE-2013-0774
CVE-2013-0775
CVE-2013-0776
CVE-2013-0783
CVE-2013-0784
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-22.html
http://www.mozilla.org/security/announce/2013/mfsa2013-23.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/known-vulnerabilities/
2c57c47e-8bb3-4694-83c8-9fc3abad3964mozilla -- multiple vulnerabilities

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -