| 1464833
|
|
Downloads path can be made to point to and open an executable.
|
Toolkit
|
Downloads API
|
nobody
|
UNCO
|
---
|
2024-05-30
|
| 847147
|
|
Security Bug: Firefox will parse malformed HTTP responses
|
Core
|
Networking: HTTP
|
nobody
|
NEW
|
---
|
2024-06-20
|
| 1303183
|
|
Add-on update metadata needs to use content-signing
|
Toolkit
|
Add-ons Manager
|
nobody
|
NEW
|
---
|
2021-05-21
|
| 1390740
|
|
No safe warning or sandbox when load an add-on from about:debugging#addons
|
DevTools
|
about:debugging
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 916281
|
|
pop3/imap/smtp servers should always be resolved as FQDNs
|
Thunderbird
|
Security
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 1546656
|
|
mXSS via <math>
|
Core
|
DOM: Serializers
|
nobody
|
REOP
|
---
|
2022-10-11
|
| 1814314
|
|
Assertion failure: mPresContext->mLayoutPhaseCount[nsLayoutPhase::Paint] == 0 (constructing frames in the middle of a paint), at /builds/worker/checkouts/gecko/layout/base/nsAutoLayoutPhase.cpp:65
|
Core
|
Audio/Video: Playbac
|
alwu
|
RESO
|
FIXE
|
2023-10-17
|
| 1344034
|
|
A single RWX page is getting allocated on Windows
|
Core
|
Security
|
arthuredelstein
|
RESO
|
FIXE
|
2024-05-30
|
| 946351
|
|
Misissued Google certificates from DCSSI
|
NSS
|
CA Certificates Code
|
brian
|
RESO
|
FIXE
|
2014-03-05
|
| 1451943
|
|
Social site timing attacks potentially preventable with Same-site cookies
|
Core
|
DOM: Security
|
ckerschb
|
RESO
|
FIXE
|
2018-11-05
|
| 1377959
|
|
jvm_android.cc passes va_list to varags methods
|
Core
|
WebRTC
|
froydnj+bz
|
RESO
|
FIXE
|
2018-02-01
|
| 1558548
|
|
Upgrade Firefox 60 ESR to use NSS 3.36.8
|
Core
|
Security: PSM
|
jc
|
RESO
|
FIXE
|
2023-12-11
|
| 1558549
|
|
Upgrade Firefox 68 to use NSS 3.44.1
|
Core
|
Security: PSM
|
jc
|
RESO
|
FIXE
|
2023-12-11
|
| 1551907
|
|
WeakMaps can become gray after being marked black
|
Core
|
JavaScript: GC
|
jcoppeard
|
RESO
|
FIXE
|
2022-03-02
|
| 1544792
|
|
Spidermonkey: definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled
|
Core
|
JavaScript Engine
|
jdemooij
|
RESO
|
FIXE
|
2020-06-04
|
| 1275339
|
|
Crash in _cairo_surface_get_extents with FFMPEG 0.10
|
Core
|
Audio/Video: Playbac
|
jya-moz
|
RESO
|
FIXE
|
2016-09-22
|
| 1639224
|
|
Verify signature if local timestamp is in the future
|
Firefox
|
Remote Settings Clie
|
mathieu
|
RESO
|
FIXE
|
2020-12-18
|
| 1414282
|
|
LayerTransactionParent::RecvUpdate - Arbitrary gfx::ScaledFont Object Pointer
|
Core
|
Graphics: Layers
|
matt.woodrow
|
RESO
|
FIXE
|
2021-10-20
|
| 1532599
|
|
Spidermonkey: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
|
Core
|
JavaScript Engine: J
|
nicolas.b.pierron
|
RESO
|
FIXE
|
2022-10-31
|
| 1547976
|
|
Crash in void js::gc::TraceEdgeInternal<T> while tracing ProxyObject
|
Core
|
JavaScript: GC
|
nobody
|
RESO
|
WORK
|
2023-06-25
|
| 856060
|
|
Name Constraints ignored by libPKIX verification engine (in both intermediate and toplevel CA certificates)
|
NSS
|
Libraries
|
ryan.sleevi
|
RESO
|
FIXE
|
2014-01-20
|
| 903885
|
|
Hostname matching code violates RFC 6125 for IDNA
|
NSS
|
Libraries
|
sites
|
RESO
|
FIXE
|
2014-09-12
|
| 1582343
|
|
Soft token MAC verification not constant time
|
NSS
|
Libraries
|
deian
|
RESO
|
FIXE
|
2020-06-05
|
| 1505887
|
|
Can insert content inside a UA widget shadow root and XBL anon tree (ranges are exposed in window.getSelection())
|
Core
|
DOM: Core & HTML
|
emilio
|
RESO
|
FIXE
|
2020-02-16
|
| 1546157
|
|
Crashing with prototype GC code
|
Core
|
JavaScript: WebAssem
|
jseward
|
RESO
|
FIXE
|
2020-06-05
|
| 1544190
|
|
Crash in [@ AddrHostRecord::~AddrHostRecord]
|
Core
|
Networking: DNS
|
kershaw
|
RESO
|
FIXE
|
2022-08-26
|
| 1513586
|
|
ServerHello.random does not include downgrade sentinel when negotiating TLS 1.1 or earlier
|
NSS
|
Libraries
|
kjacobs.bugzilla
|
RESO
|
FIXE
|
2020-08-08
|
| 1566601
|
|
AES-KW implementation allows shorter-than-permissible inputs
|
NSS
|
Libraries
|
kjacobs.bugzilla
|
RESO
|
FIXE
|
2020-08-08
|
| 1535194
|
|
Silent overflow in diffB during far jump setup leads to branch-to-wild-location
|
Core
|
JavaScript: WebAssem
|
lhansen
|
RESO
|
FIXE
|
2020-06-04
|
| 1646787
|
|
clear high bits of i32 return values to as short-term Spectre mitigation
|
Core
|
JavaScript: WebAssem
|
lhansen
|
RESO
|
FIXE
|
2021-01-07
|
| 1140192
|
|
RSS/ATOM feeds with SSL encryption show gray moon icon (unencrypted) when they are in fact encrypted SSL connections
|
Firefox Graveyard
|
RSS Discovery and Pr
|
nobody
|
RESO
|
DUPL
|
2018-12-20
|
| 1471684
|
|
Firefox WebCrypto Private Key Recovery Attack on DH small subgroups
|
Core
|
DOM: Web Crypto
|
nobody
|
RESO
|
FIXE
|
2024-05-30
|
| 1791201
|
|
SameSite=Strict cookie bypass on Android via fallback URLs in intent:// scheme
|
Fenix
|
General
|
royang
|
RESO
|
FIXE
|
2024-05-30
|
| 616491
|
|
Large number of groups in regex causes too-much-recursion crash (YARR)
|
Core
|
JavaScript Engine
|
sean.stangl
|
RESO
|
WONT
|
2014-09-09
|
| 1483510
|
|
SafeBrowsing bypass by web socket
|
Toolkit
|
Safe Browsing
|
dlee
|
RESO
|
FIXE
|
2024-05-30
|
| 1528997
|
|
mXSS: Potential XSS via noscript tags parsed by DOMParser APIs
|
Core
|
DOM: Serializers
|
hsivonen
|
RESO
|
FIXE
|
2024-05-30
|
| 1278071
|
|
increase number of iterations for export to PKCS #12
|
NSS
|
Libraries
|
kaie
|
RESO
|
FIXE
|
2019-06-25
|
| 1432170
|
|
CSP sandbox bypass with Blob
|
Core
|
DOM: Security
|
n.goeggi
|
RESO
|
FIXE
|
2024-05-30
|
| 1120350
|
|
Firefox unable to use client certificates in Windows certificate store
|
Core
|
Security: PSM
|
nobody
|
RESO
|
DUPL
|
2020-03-16
|
| 1387108
|
|
8175110, CVE-2017-10118: Higher quality ECDSA operations
|
NSS
|
Libraries
|
nobody
|
RESO
|
FIXE
|
2020-12-18
|
| 1393880
|
|
Opaque data URL allows mixed content
|
Core
|
DOM: Security
|
nobody
|
RESO
|
DUPL
|
2024-05-30
|
| 1692623
|
|
Cross-origin read SOP violation by extension via search provider
|
Firefox
|
Search
|
standard8
|
RESO
|
FIXE
|
2024-05-30
|
| 1694183
|
|
Cross-origin read SOP violation by extension via search provider via redirect
|
Firefox
|
Search
|
standard8
|
RESO
|
FIXE
|
2024-05-30
|
| 944373
|
|
Security vulnerability: Weak randomness of profile directories
|
Firefox for Android
|
General
|
nobody
|
RESO
|
INCO
|
2024-05-30
|
| 1344415
|
|
Privilege escalation/Sandbox escape using PFileSystemRequestConstructor
|
Core
|
Security: Process Sa
|
amarchesini
|
RESO
|
FIXE
|
2021-10-20
|
| 1344957
|
|
Read file system access sandbox bypass using FileCreationRequest from PContent.ipdl
|
Core
|
DOM: Content Process
|
amarchesini
|
RESO
|
FIXE
|
2022-01-04
|
| 1290244
|
|
Crash: double-free [@xcb_render_create_picture]
|
Core
|
Graphics: Layers
|
andrew
|
RESO
|
FIXE
|
2017-02-09
|
| 1750935
|
|
Differential Testing: Different output message involving RegExp and --fast-warmup
|
Core
|
JavaScript Engine
|
arai.unmht
|
RESO
|
FIXE
|
2024-05-30
|
| 1134989
|
|
Hotfix to mark Komodia root certificates as untrusted in NSS once the relevant software has been removed
|
NSS
|
CA Certificates Code
|
bugs
|
RESO
|
WONT
|
2022-06-01
|
| 1591315
|
|
Should NSC_DecryptFinal return value be treated as secret?
|
NSS
|
Libraries
|
deian
|
RESO
|
FIXE
|
2020-08-08
|
| 845880
|
|
Drag-and-Drop and File Extension Bugs Enable Dropping of Malicious File
|
Core
|
DOM: Copy & Paste an
|
enndeakin
|
RESO
|
FIXE
|
2023-01-16
|
| 1293334
|
|
Replace unreliable divSpoiler (timing side-channel defense)
|
NSS
|
Libraries
|
franziskuskiefer
|
RESO
|
FIXE
|
2017-02-09
|
| 1485864
|
|
Vulnerability disclosure Bleichenbacher attack
|
NSS
|
Libraries
|
franziskuskiefer
|
RESO
|
FIXE
|
2019-03-24
|
| 817285
|
|
YARR: RegExp with too many groups crashes
|
Core
|
JavaScript Engine
|
general
|
RESO
|
DUPL
|
2012-12-11
|
| 1281787
|
|
foo.com can access view-source:blob:http://foo.com/<uuid> for valid blob URIs (but not view-source:http://foo.com/ )
|
Core
|
Security: CAPS
|
gijskruitbosch+bugs
|
RESO
|
FIXE
|
2017-02-09
|
| 1439396
|
|
A specially-crafted javascript: URL may be pasted into the Addressbar leading to Self-XSS Attack (similar to bug 1402896)
|
Firefox
|
Address Bar
|
gijskruitbosch+bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1401339
|
|
The pingsender executable dynamically loads libcurl, using dlopen and hardcoded library list. [Mac/Linux]
|
Toolkit
|
Telemetry
|
gsvelto
|
RESO
|
FIXE
|
2024-05-30
|
| 1261751
|
|
Problems with OS X Sandboxed TempDir and Rules
|
Core
|
Security: Process Sa
|
haftandilian
|
RESO
|
FIXE
|
2017-07-28
|
| 1546544
|
|
macOS: disable hyperthreading on threads that run content JS
|
Core
|
DOM: Workers
|
haftandilian
|
RESO
|
FIXE
|
2022-02-18
|
| 1277866
|
|
Out-of-bounds write to unboxed object in arm64 backend
|
Core
|
JavaScript Engine: J
|
jcoppeard
|
RESO
|
FIXE
|
2017-02-09
|
| 1400912
|
|
AddressSanitizer: stack-use-after-scope when plugging in webcam (regression)
|
Core
|
WebRTC: Audio/Video
|
jib
|
RESO
|
FIXE
|
2020-02-28
|
| 1190201
|
|
CORS after preflight should not follow same origin redirect when using asyncOpen2() in sendBeacon
|
Core
|
DOM: Security
|
jonas
|
RESO
|
WORK
|
2017-11-15
|
| 1249562
|
|
Unexpected Behaviour in Mozilla ThunderBird That Assists Phishing Attacks
|
Thunderbird
|
Security
|
jsbruner
|
RESO
|
FIXE
|
2024-05-30
|
| 795592
|
|
invalid cast leading to out of bounds read in nsSVGUtils::GetCanvasTM
|
Core
|
SVG
|
jwatt
|
RESO
|
FIXE
|
2024-05-30
|
| 787969
|
|
Buffer Overflow Crash [@ UnlockEnumerator(imgIRequest*, unsigned int, void*) ]
|
Core
|
General
|
nobody
|
RESO
|
WONT
|
2012-09-17
|
| 877724
|
|
X-Frame-Options origin checks should check entire frame tree (like IE 9)
|
Core
|
DOM: Core & HTML
|
nobody
|
RESO
|
DUPL
|
2024-05-30
|
| 915745
|
|
HTTP Digest Authentication in Firefox is vulnerable to Man-In-The-Middle attack described in RFC 2617
|
Core
|
Networking
|
nobody
|
RESO
|
WONT
|
2016-02-22
|
| 1045770
|
|
Flash object can stealth observe keypresses
|
Core Graveyard
|
Plug-ins
|
nobody
|
RESO
|
FIXE
|
2024-05-30
|
| 1108861
|
|
TLS negotiation fails with Postfix
|
Thunderbird
|
Untriaged
|
nobody
|
RESO
|
INVA
|
2014-12-08
|
| 1181727
|
|
SEGV in mozilla::H264Converter::IsHardwareAccelerated()
|
Core
|
Audio/Video
|
nobody
|
RESO
|
DUPL
|
2016-11-02
|
| 1183756
|
|
OpenH264: NULL deref [@WelsDec::PrefetchPic]
|
Core
|
Audio/Video: GMP
|
nobody
|
RESO
|
FIXE
|
2022-09-09
|
| 1184104
|
|
Secure Connection Failed - (Error code: ssl_error_weak_server_ephemeral_dh_key)
|
Firefox
|
Security
|
nobody
|
RESO
|
INVA
|
2016-06-07
|
| 1266421
|
|
Fix unsafe casts in the different TextureHost::SetCompositor implementations
|
Core
|
Graphics: Layers
|
nobody
|
RESO
|
FIXE
|
2017-01-05
|
| 1553002
|
|
DDoS using Alt-Svc on Firefox
|
Core
|
Networking: HTTP
|
nobody
|
RESO
|
DUPL
|
2023-05-22
|
| 1639192
|
|
SIGBUS crashes tab whilst fuzzing with WEBP
|
Core
|
Graphics: ImageLib
|
nobody
|
RESO
|
INCO
|
2024-05-30
|
| 932795
|
|
Remove unnecessary systemXHR permission
|
Firefox OS Graveyard
|
Gaia::Video
|
nth10sd
|
RESO
|
FIXE
|
2013-11-11
|
| 1134506
|
|
Mark "Superfish, Inc." root certificate as untrusted in NSS
|
NSS
|
CA Certificates Code
|
rlb
|
RESO
|
WONT
|
2015-03-02
|
| 1657026
|
|
Any websites can run with PWA privileges on Fenix
|
Fenix
|
General
|
s.kaspari
|
RESO
|
FIXE
|
2024-05-30
|
| 1684627
|
|
Any websites can run with PWA privileges on Fenix (bypassing fix of Bug 1657026)
|
Fenix
|
General
|
s.kaspari
|
RESO
|
FIXE
|
2024-05-30
|
| 1526134
|
|
Firefox Focus (iOS): Recovery of previous searches across app closure/Browser Clear
|
Focus
|
Security: iOS
|
sarentz
|
RESO
|
FIXE
|
2024-05-30
|
| 802985
|
|
frame-poisoned crash in nsHTMLInputElement
|
Core
|
DOM: Core & HTML
|
smaug
|
RESO
|
FIXE
|
2012-12-07
|
| 1162263
|
|
Hazard build failures are ignored
|
Core
|
JavaScript: GC
|
sphink
|
RESO
|
FIXE
|
2020-08-08
|
| 1288555
|
|
wrong compartment while structured cloning a cross-compartment ArrayBuffer
|
Core
|
JavaScript Engine
|
sphink
|
RESO
|
FIXE
|
2017-02-09
|
| 1560651
|
|
Workers may not be clamping/jittering time
|
Core
|
DOM: Workers
|
tom
|
RESO
|
FIXE
|
2020-06-05
|
| 1191423
|
|
allowing vertical tab in cookies leads to cookie injection on some servers
|
Core
|
Networking: Cookies
|
u408661
|
RESO
|
FIXE
|
2024-05-30
|
| 1241896
|
|
Improper usage of ReadBytes in mozilla::net::NetAddr
|
Core
|
Networking: DNS
|
u408661
|
RESO
|
FIXE
|
2024-02-23
|
| 1432358
|
|
Universal CSP strict-dynamic bypass via require.js of browser resource
|
Core
|
DOM: Security
|
ckerschb
|
VERI
|
FIXE
|
2024-05-30
|
| 1757604
|
|
Stylesheet's CSP bypass via reflected URL in chrome:// directories still broken
|
Core
|
DOM: Security
|
emilio
|
VERI
|
FIXE
|
2023-01-16
|
| 1316826
|
|
CSP bypass with DOM events and 'strict-dynamic'
|
Core
|
DOM: Security
|
fbraun
|
VERI
|
FIXE
|
2024-05-30
|
| 1402896
|
|
Specially-crafted JavaScript may be pasted into the address bar
|
Firefox
|
Address Bar
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2021-08-16
|
| 1753004
|
|
Do not automatically open SVG files and run script in them from file:/// URLs
|
Firefox
|
File Handling
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2022-08-27
|
| 1447080
|
|
Security: SEE_MASK_FLAG_NO_UI behavior changes in Windows 10, allowing SmartScreen bypass
|
Core
|
Widget: Win32
|
jmathies
|
VERI
|
FIXE
|
2019-01-15
|
| 1346653
|
|
[Test Pilot] HTML injection in "Containers" experiment popout
|
Firefox
|
Untriaged
|
jonathan
|
VERI
|
FIXE
|
2024-05-30
|
| 1552632
|
|
globalThis does not appear in property names of window until specifically referenced
|
Core
|
JavaScript Engine
|
jorendorff
|
VERI
|
FIXE
|
2020-06-05
|
| 1415313
|
|
Assertion failure: isDouble(), at js/Value.h:344 with TypedObject
|
Core
|
JavaScript Engine
|
kvijayan
|
VERI
|
FIXE
|
2023-12-06
|
| 1617423
|
|
Accessing about:* internal pages via intent:// URIs
|
Firefox for Android
|
General
|
petru
|
VERI
|
FIXE
|
2024-06-08
|
| 1747388
|
|
Able to escape HTML comments by using a comment within a comment
|
Core
|
DOM: HTML Parser
|
hsivonen
|
VERI
|
FIXE
|
2024-05-30
|
| 1770123
|
|
Firefox allows user to visit webpages with revoked certificate when non-resolving proxy is set
|
Core
|
Networking
|
kershaw
|
VERI
|
FIXE
|
2023-01-16
|
| 1488061
|
|
Directory indices shouldn't just echo all URL input
|
Core
|
Networking
|
valentin.gosu
|
VERI
|
FIXE
|
2022-03-01
|
| 1263888
|
|
Assertion failure: MIR instruction returned object with unexpected type, at js/src/jit/MacroAssembler.cpp:1454
|
Core
|
JavaScript Engine
|
arai.unmht
|
VERI
|
FIXE
|
2016-06-04
|
| 1264823
|
|
Assertion failure: val.isNull(), at js/src/builtin/MapObject.cpp:205 with OOM
|
Core
|
JavaScript Engine
|
arai.unmht
|
VERI
|
FIXE
|
2016-06-04
|
| 1277475
|
|
XSS out of iframe sandbox, iframe disabled javascript. marquee
|
Core
|
DOM: Security
|
bobowencode
|
VERI
|
FIXE
|
2024-05-30
|
| 1434273
|
|
Crash in nsContentUtils::ContentIsDraggable
|
Core
|
DOM: Core & HTML
|
bzbarsky
|
VERI
|
FIXE
|
2019-03-13
|
| 788031
|
|
Content Policy callbacks (including CSP) for the Java plugin should receive the java codebase as a URI
|
Core Graveyard
|
Plug-ins
|
john
|
VERI
|
FIXE
|
2022-05-16
|
| 812161
|
|
Out of bounds read in nsSVGPathElement::GetPathLengthScale
|
Core
|
SVG
|
longsonr
|
VERI
|
FIXE
|
2024-05-30
|
| 1843758
|
|
.xll file extension = A malicious attack using abusing the XLL File starts with the delivery of a malicious file with the extension "XLL"
|
Firefox
|
File Handling
|
mak
|
VERI
|
FIXE
|
2024-05-30
|
| 1276897
|
|
Type confusion in nsDisplayList::HitTest
|
Core
|
Layout
|
matt.woodrow
|
VERI
|
FIXE
|
2024-05-30
|
| 911547
|
|
data-URI + Firefox restart = CSP bypass
|
Core
|
Security
|
mozbugs
|
VERI
|
FIXE
|
2015-02-25
|
| 1264708
|
|
Written URL is remembered in web address bar in Private Browsing mode
|
Firefox OS Graveyard
|
Gaia::Browser
|
nobody
|
VERI
|
WONT
|
2019-05-21
|
| 1297934
|
|
Bad cast in nsImageGeometryMixin
|
Core
|
Layout
|
tnikkel
|
VERI
|
FIXE
|
2024-05-30
|