| 827853
|
|
Parent side of HTTP channel implementation does not do input validation of child process's requests
|
Core
|
Networking
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 1839370
|
|
No security time delay in Firefox Executable Opening Warning
|
Toolkit
|
Downloads API
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1290635
|
|
Insecure temporary files for child process crash-time metadata
|
Toolkit
|
Crash Reporting
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1732421
|
|
Delay loading should use LOAD_WITH_ALTERED_SEARCH_PATH
|
Core
|
Security: Process Sa
|
bobowencode
|
ASSI
|
---
|
2023-06-22
|
| 1755081
|
|
Cross-origin embeds/objects can obtain permissions of the top-level origin
|
Core
|
DOM: Security
|
afarre
|
RESO
|
FIXE
|
2024-07-02
|
| 1308688
|
|
Prevent WebExtensions from modifying requests to hosts with mozAddonManager permissions
|
WebExtensions
|
Request Handling
|
andrew.swan
|
RESO
|
FIXE
|
2018-06-19
|
| 1431371
|
|
activeTab permission allows executing scripts on pages it shouldn't
|
WebExtensions
|
General
|
andrew.swan
|
RESO
|
FIXE
|
2024-05-30
|
| 1490234
|
|
Shared memory should not allow executable images to be mapped on Windows.
|
Core
|
IPC
|
bobowencode
|
RESO
|
FIXE
|
2021-10-21
|
| 1497749
|
|
IPC channels created via Endpoint passing don't authenticate the client
|
Core
|
IPC
|
bobowencode
|
RESO
|
FIXE
|
2019-08-07
|
| 1554110
|
|
Windows sandbox: renderer processes can open each and unrelated Chromium processes
|
Core
|
Security: Process Sa
|
bobowencode
|
RESO
|
FIXE
|
2024-05-30
|
| 1599005
|
|
Race condition in firefox!sandbox::SharedMemIPCServer::Init leading to relative out-of-bounds read/write in the broker process (Sandbox escape / LPE)
|
Core
|
Security: Process Sa
|
bobowencode
|
RESO
|
FIXE
|
2024-05-30
|
| 1618911
|
|
Firefox: Default Content Process DACL Sandbox Escape
|
Core
|
Security: Process Sa
|
bobowencode
|
RESO
|
FIXE
|
2021-10-20
|
| 1552206
|
|
Permissions overwrite via folder symlink TOCTOU by Maintenance Service
|
Toolkit
|
Application Update
|
bytesized
|
RESO
|
FIXE
|
2024-05-30
|
| 1690062
|
|
Windows Maintenance Service has a Weak DACL for Domain Networks
|
Toolkit
|
Application Update
|
bytesized
|
RESO
|
FIXE
|
2021-11-29
|
| 1732435
|
|
Arbitrary permissions overwrite due to folder locking TOCTOU in Maintenance Service
|
Toolkit
|
Application Update
|
bytesized
|
RESO
|
FIXE
|
2024-05-30
|
| 1806394
|
|
Mar File Lock Bypass Leads to Privilege Escalation via Mozilla Maintenance Service
|
Toolkit
|
Application Update
|
bytesized
|
RESO
|
FIXE
|
2024-05-30
|
| 1318911
|
|
Chrome code execution through several small bugs and user interaction
|
Core
|
DOM: Security
|
bzbarsky
|
RESO
|
FIXE
|
2024-05-30
|
| 820560
|
|
Security audit of ptrace
|
Core
|
General
|
cjones.bugs
|
RESO
|
FIXE
|
2012-12-18
|
| 1017616
|
|
"export" in Certificate Viewer can cause navigation to arbitrary filesystem paths
|
Core
|
Security: PSM
|
cykesiopka.bmo+mozbz
|
RESO
|
FIXE
|
2024-05-30
|
| 796866
|
|
Arbitrary code execution from Style Inspector
|
DevTools
|
Inspector
|
dave.camp
|
RESO
|
FIXE
|
2024-05-30
|
| 1411631
|
|
PluginModuleChromeParent::AnswerGetFileName - Grant Arbitrary File Read Access.
|
Core Graveyard
|
Plug-ins
|
davidp99
|
RESO
|
FIXE
|
2022-05-16
|
| 1792138
|
|
Extensions are not prompted before opening external schemes, leading to security issues
|
Firefox
|
File Handling
|
dtownsend
|
RESO
|
FIXE
|
2024-05-30
|
| 1568003
|
|
On Windows, python files get executed instead of opened by notepad, because both Windows and the network suggest the file is text/plain, but ShellExecuteW will then open the file with python
|
Firefox
|
File Handling
|
gijskruitbosch+bugs
|
RESO
|
FIXE
|
2023-06-28
|
| 1632387
|
|
Firefox iOS Security Token Hijack By Overriding window.webkit
|
Firefox for iOS
|
General
|
gkeeley
|
RESO
|
FIXE
|
2024-05-30
|
| 1652612
|
|
DNS-rebinding vulnerability to RCE in geckodriver
|
Testing
|
geckodriver
|
james
|
RESO
|
FIXE
|
2024-05-30
|
| 1566020
|
|
Update vulnerable lodash version in DevTools Debugger
|
DevTools
|
Debugger
|
jdescottes
|
RESO
|
FIXE
|
2020-12-18
|
| 1527534
|
|
On Android, Gecko always tries to load a library from an all-user-writable path APITRACE_LIB
|
Core
|
Graphics
|
jgilbert
|
RESO
|
FIXE
|
2019-08-07
|
| 1565744
|
|
MemMapSnapshot can be written by a malicious child process
|
Core
|
IPC
|
jld
|
RESO
|
FIXE
|
2020-06-05
|
| 1454909
|
|
No check for privileged permissions for WebExtension experiments
|
WebExtensions
|
Experiments
|
jonathan
|
RESO
|
FIXE
|
2019-08-07
|
| 1566036
|
|
Update vulnerable lodash dependency in browser/components/newtab
|
Firefox
|
New Tab Page
|
khudson
|
RESO
|
FIXE
|
2020-08-08
|
| 1762803
|
|
Unsafe subdomain check for install_origins
|
Toolkit
|
Add-ons Manager
|
lgreco
|
RESO
|
FIXE
|
2023-01-16
|
| 1559858
|
|
Sending `Prompt:Open` from the child allows for a sandbox escape
|
Firefox
|
Security
|
mail
|
RESO
|
FIXE
|
2024-05-02
|
| 920823
|
|
Binder permissions wide open on B2G
|
Firefox OS Graveyard
|
General
|
mvines
|
RESO
|
FIXE
|
2015-02-25
|
| 1388143
|
|
Language packs can be used to bypass extension restrictions
|
Toolkit
|
Add-ons Manager
|
nobody
|
RESO
|
WONT
|
2018-11-05
|
| 1434086
|
|
ESR version of sanitization patch from bug 1432778/1432966
|
Firefox
|
Security
|
nobody
|
RESO
|
WONT
|
2018-11-05
|
| 1489946
|
|
Firefox for Android App allow attackers to modify apps without affecting their signature.
|
Firefox Build System
|
Android Studio and G
|
nobody
|
RESO
|
FIXE
|
2022-08-27
|
| 757128
|
|
Remote debugging is possible even when disabled if netmonitor is enabled
|
DevTools
|
Debugger
|
pastith
|
RESO
|
FIXE
|
2018-06-13
|
| 1538007
|
|
[ZDI-CAN-8374] Sandbox escape: XUL injection in language pack
|
Core
|
Internationalization
|
peterv
|
RESO
|
FIXE
|
2021-10-20
|
| 1617928
|
|
Firefox for Android - Directory Traversal can lead to network hijacking
|
Firefox for Android
|
General
|
petru
|
RESO
|
FIXE
|
2024-06-08
|
| 1619997
|
|
GeckoView: Directory Traversal can lead to network hijacking
|
GeckoView
|
General
|
petru
|
RESO
|
FIXE
|
2024-06-08
|
| 1487353
|
|
Extensions can run content scripts in local files and read any other local file
|
WebExtensions
|
General
|
rob
|
RESO
|
FIXE
|
2020-08-08
|
| 1750565
|
|
Extension permission prompts skipped via dictionary
|
Toolkit
|
Add-ons Manager
|
rob
|
RESO
|
FIXE
|
2024-06-28
|
| 1865689
|
|
Privilege escalation through devtools.inspectedWindow.eval
|
WebExtensions
|
Developer Tools
|
rob
|
RESO
|
FIXE
|
2024-05-16
|
| 1828334
|
|
Protocol handler warning should not be skipped for external scheme URLs entered directly in the addressbar (or other UI)
|
Firefox
|
Security
|
sclements
|
RESO
|
FIXE
|
2024-05-30
|
| 1372517
|
|
(Self-)XSS in about:config in Android
|
Firefox for Android
|
General
|
snorp
|
RESO
|
FIXE
|
2020-12-21
|
| 1442722
|
|
Assertion failure: point.canPeek(), at js/src/vm/StructuredClone.cpp:648 or various crashes with invalid free
|
Core
|
JavaScript Engine
|
sphink
|
RESO
|
FIXE
|
2021-10-06
|
| 1538008
|
|
[ ZDI-CAN-8375] UXSS priv-esc via sync (install arbitrary extensions & set arbitrary preferences)
|
Firefox
|
Sync
|
tom
|
RESO
|
FIXE
|
2021-10-20
|
| 1396399
|
|
An extension can XSS any domain with only the ActiveTab permission using frames
|
WebExtensions
|
Compatibility
|
andrew.swan
|
RESO
|
FIXE
|
2024-05-30
|
| 1666184
|
|
Defer Loading Object in nsObjectLoadingContent
|
Core
|
DOM: Core & HTML
|
echen
|
RESO
|
FIXE
|
2022-08-26
|
| 810652
|
|
XSS in Settings App via a web app manifest fields
|
Firefox OS Graveyard
|
Gaia::Settings
|
etienne
|
RESO
|
FIXE
|
2013-11-07
|
| 1429379
|
|
Web extensions can open any url using view-source:
|
WebExtensions
|
Untriaged
|
gijskruitbosch+bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1562756
|
|
Code Injection in Firefox macOS desktop client
|
Core
|
Security: Process Sa
|
haftandilian
|
RESO
|
FIXE
|
2024-05-30
|
| 1777800
|
|
devtools "Copy as cURL (Windows)" allows custom code execution in CMD
|
DevTools
|
Netmonitor
|
hmanilla
|
RESO
|
FIXE
|
2024-05-30
|
| 1727849
|
|
Fenix & Focus include a "live" dependency on small third party library, com.jraska:Falcon
|
Fenix
|
General
|
irios.mozilla
|
RESO
|
FIXE
|
2023-10-17
|
| 1776755
|
|
Logic depending on ExpandedPrincipal ordering in `Document::MaybeDowngradePrincipal` is broken
|
Core
|
Security: CAPS
|
jewilde
|
RESO
|
FIXE
|
2023-10-17
|
| 1566608
|
|
IPC passing of Windows HANDLEs and macOS Mach ports is insecure
|
Core
|
IPC
|
jld
|
RESO
|
FIXE
|
2022-08-26
|
| 1415644
|
|
Should extensions get access to accounts.firefox.com
|
WebExtensions
|
General
|
kmaglione+bmo
|
RESO
|
FIXE
|
2022-07-07
|
| 1614919
|
|
browser.identity.launchWebAuthFlow() exposes redirect_url no matter what it is.
|
WebExtensions
|
Request Handling
|
mixedpuppy
|
RESO
|
FIXE
|
2024-05-30
|
| 1746139
|
|
Thunderbird Windows - Drag&Drop limited to 128 chars, allowing to change the file extension on drop
|
Core
|
Widget: Win32
|
mkmelin+mozilla
|
RESO
|
FIXE
|
2024-05-30
|
| 1367529
|
|
Require user interaction for downloads.open()
|
WebExtensions
|
General
|
mstriemer
|
RESO
|
DUPL
|
2020-08-08
|
| 1538028
|
|
Privilege escalation from web to file process
|
Core
|
DOM: Navigation
|
nika
|
RESO
|
FIXE
|
2024-05-30
|
| 1429881
|
|
view-source: pages can be used to gain cross-origin access to restricted domains
|
WebExtensions
|
Untriaged
|
nobody
|
RESO
|
FIXE
|
2024-05-30
|
| 1565614
|
|
lodash vulnerability in shipped versions Firefox
|
Firefox
|
PDF Viewer
|
nobody
|
RESO
|
FIXE
|
2020-12-18
|
| 1588884
|
|
Possibility of tricking the maintenance service into updating a non-secure location
|
Toolkit
|
Application Update
|
nobody
|
RESO
|
DUPL
|
2021-07-15
|
| 1715334
|
|
Firefox Windows Installer Local Privilege Escalation
|
Firefox
|
Installer
|
nobody
|
RESO
|
WONT
|
2024-05-30
|
| 1527717
|
|
Windows programs that aren't "URL Handlers" exposed to web content
|
Firefox
|
File Handling
|
robert.strong.bugs
|
RESO
|
FIXE
|
2019-08-07
|
| 1548306
|
|
Caret character (^) not escaped for unsuffixed origins
|
Core
|
Networking
|
valentin.gosu
|
RESO
|
FIXE
|
2020-02-13
|
| 1602485
|
|
[meta] Given an arbitrary read/write primitive, it shouldn't be to easy to gain chrome privileges
|
Firefox
|
Security
|
VYV03354
|
RESO
|
FIXE
|
2020-12-18
|
| 1796460
|
|
Intermittent Hit MOZ_CRASH(CacheCreator not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
|
Core
|
DOM: Workers
|
ystartsev
|
RESO
|
FIXE
|
2023-06-12
|
| 1512511
|
|
Remove input.mozilla.org from browser/app/permissions
|
Firefox
|
General
|
fbraun
|
RESO
|
FIXE
|
2019-10-24
|
| 1530709
|
|
Use CSSOM to insert rules in SelectParentHelper.
|
Core
|
Layout: Form Control
|
fbraun
|
RESO
|
FIXE
|
2024-02-06
|
| 1272880
|
|
chrome.webRequest API should not emit events if a request is generated on `moz-extension://` page
|
WebExtensions
|
Request Handling
|
nobody
|
RESO
|
FIXE
|
2020-02-16
|
| 1296976
|
|
CSP sandbox allows script execution with data: scheme hyperlink
|
Core
|
DOM: Security
|
nobody
|
RESO
|
FIXE
|
2024-05-30
|
| 1361953
|
|
Consider preventing Web Extensions interacting with privileged Firefox web URLs
|
WebExtensions
|
General
|
nobody
|
RESO
|
FIXE
|
2020-08-08
|
| 1408349
|
|
Possible unsanitized write to innerHTML for Activity Stream's snippets
|
Firefox
|
New Tab Page
|
nobody
|
RESO
|
FIXE
|
2020-06-05
|
| 1426353
|
|
Do not load content process generated alternate data in the parent process.
|
Core
|
Networking: Cache
|
valentin.gosu
|
RESO
|
FIXE
|
2018-08-28
|
| 1321814
|
|
Maintenance Service Updater Callback Parameter File Deletion Elevation of Privilege
|
Toolkit
|
Application Update
|
agashlin+bz
|
RESO
|
FIXE
|
2024-05-30
|
| 967653
|
|
[Inter-App Communication API] parent process security checks
|
Core Graveyard
|
DOM: Apps
|
airpingu
|
RESO
|
FIXE
|
2017-10-22
|
| 1445234
|
|
IPC: crash [@get_gtk_cursor]
|
Core
|
DOM: Content Process
|
alex.gaynor
|
RESO
|
FIXE
|
2019-05-24
|
| 1405195
|
|
Web content can specify arbitrary triggering principal for images
|
Core
|
DOM: Core & HTML
|
allstars.chh
|
RESO
|
FIXE
|
2019-03-13
|
| 1684623
|
|
Remote code execution and privilege escalation in mozilla-vpn-client
|
Mozilla VPN
|
Client for Linux
|
amarchesini
|
RESO
|
FIXE
|
Wed 01:05
|
| 1713638
|
|
The site permissions feature is leaking permissions to sites with the same scheme/port.
|
Fenix
|
General
|
amejiamarmol
|
RESO
|
FIXE
|
2022-11-03
|
| 1163109
|
|
Inline JPEG images fail to load
|
Core
|
DOM: Core & HTML
|
bent.mozilla
|
RESO
|
FIXE
|
2016-07-02
|
| 792350
|
|
Arbitrary code execution with CrossCompartmentWrapper/CrossOriginWrapper
|
Core
|
Security
|
bholley
|
RESO
|
FIXE
|
2014-01-10
|
| 793121
|
|
nsLocation::CheckURL can use the wrong principal
|
Core
|
Security
|
bholley
|
RESO
|
FIXE
|
2013-01-10
|
| 871368
|
|
Arbitrary code execution using crypto.generateCRMFRequest
|
Core
|
Security
|
bholley
|
RESO
|
FIXE
|
2014-11-19
|
| 1092388
|
|
nsGlobalWindow::SecurityCheckURL can allow content to load restricted URIs
|
Core
|
DOM: Core & HTML
|
bholley
|
RESO
|
FIXE
|
2019-03-13
|
| 1120261
|
|
Setting prototype to a Proxy object allows content to influence chrome:// code
|
Core
|
XPConnect
|
bholley
|
RESO
|
FIXE
|
2024-05-30
|
| 1087565
|
|
IPC Channel does not validate the listener.
|
Core
|
IPC
|
bobowencode
|
RESO
|
FIXE
|
2021-10-21
|
| 804979
|
|
DLL Hijacking - Seamonkey installer
|
SeaMonkey
|
Installer
|
bugzilla
|
RESO
|
FIXE
|
2024-05-30
|
| 1595470
|
|
AddressSanitizer: heap-buffer-overflow [@ __asan_wrap_memmove] with WRITE of size 104
|
Toolkit
|
Application Update
|
bytesized
|
RESO
|
FIXE
|
2022-01-10
|
| 1824420
|
|
Firefox arbitrary file delete vulnerability
|
Toolkit
|
Application Update
|
bytesized
|
RESO
|
FIXE
|
2024-05-30
|
| 1424474
|
|
Changing attributes using the web inspector seems to ignore security checks
|
DevTools
|
Inspector
|
bzbarsky
|
RESO
|
FIXE
|
2018-10-09
|
| 1361592
|
|
China Edition installer DLL Hijacking
|
Mozilla China
|
General
|
bzhao
|
RESO
|
FIXE
|
2018-12-16
|
| 860934
|
|
Device Storage - Security issues with OOP on FirefoxOS
|
Core
|
DOM: Device Interfac
|
dhylands
|
RESO
|
FIXE
|
2014-11-19
|
| 851586
|
|
URI_SAFE_FOR_UNTRUSTED_CONTENT is apparently ignored for custom about modules
|
Core
|
Security: CAPS
|
gavin.sharp
|
RESO
|
FIXE
|
2014-11-19
|
| 1333210
|
|
JSON Viewer: Make even top level windows protected from content level window access.
|
DevTools
|
JSON Viewer
|
gijskruitbosch+bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1447853
|
|
iframe sandbox escape
|
Firefox for iOS
|
General
|
gkeeley
|
RESO
|
FIXE
|
2024-05-30
|
| 1607280
|
|
Additional Firefox iOS webkit.messagehandler SECURITY_TOKEN check bypass
|
Firefox for iOS
|
General
|
gkeeley
|
RESO
|
FIXE
|
2020-08-08
|
| 1610426
|
|
No validation of array index (key) in xul!mozilla::ipc::CrashReporterMetadataShmem::ReadAppNotes leads to Stack Out-Of-Bounds write in the broker process (Sandbox Escape / LPE)
|
Toolkit
|
Crash Reporting
|
gsvelto
|
RESO
|
FIXE
|
2024-05-30
|
| 974356
|
|
MemoryTexture's do not validate that the client is same-process
|
Core
|
Graphics
|
jacob.benoit.1
|
RESO
|
FIXE
|
2015-08-30
|
| 1334933
|
|
targeted ASM.JS JIT-Spray allows bypassing ASLR and DEP
|
Core
|
JavaScript Engine: J
|
jdemooij
|
RESO
|
FIXE
|
2024-05-30
|
| 1692972
|
|
FPVI & SCSB Disclosure (Feb 12, ‘21)
|
Core
|
JavaScript Engine: J
|
jdemooij
|
RESO
|
FIXE
|
2024-05-30
|
| 1172226
|
|
Arbitrary code execution via pocket tags
|
Firefox
|
Pocket
|
jdinbox
|
RESO
|
FIXE
|
2024-05-30
|
| 958895
|
|
[meta] Import upstream chromium security fixes into our IPC implementation
|
Core
|
IPC
|
jld
|
RESO
|
FIXE
|
2020-08-08
|
| 1194678
|
|
Incorrect check for SUID/SGID/fscaps programs
|
NSPR
|
NSPR
|
jld
|
RESO
|
FIXE
|
2019-08-22
|
| 1117140
|
|
GMP sandbox break-out on Windows through process handle
|
Core
|
IPC
|
jmathies
|
RESO
|
FIXE
|
2024-05-30
|
| 1381800
|
|
XUL Injection in responsive mode (responsive.html/components/browser.js)
|
DevTools
|
Responsive Design Mo
|
jryans
|
RESO
|
FIXE
|
2018-06-13
|
| 898563
|
|
Parent side of APZC messaging needs to be hardened against malicious children
|
Core
|
Graphics: Layers
|
kats
|
RESO
|
FIXE
|
2015-08-30
|
| 1103087
|
|
Local HTML injection with collection name
|
Firefox OS Graveyard
|
Gaia::Homescreen
|
kevin+bugzilla
|
RESO
|
FIXE
|
2024-05-30
|
| 1658214
|
|
InstallTrigger can take the principal from the wrong inner window when initialized
|
Toolkit
|
Add-ons Manager
|
kmaglione+bmo
|
RESO
|
FIXE
|
2024-05-30
|
| 796475
|
|
HTTPS can be effectively disabled by attackers on rogue networks using a proxy that returns 407 with embedded script
|
Core
|
Networking: HTTP
|
mcmanus
|
RESO
|
FIXE
|
2024-05-30
|
| 1320273
|
|
DLL Hijacking - Firefox installer on Windows 7
|
Firefox
|
Installer
|
molly
|
RESO
|
DUPL
|
2024-05-30
|
| 1606596
|
|
File association Remote Code Execution via command line parameter injection in Firefox
|
Firefox
|
Installer
|
molly
|
RESO
|
FIXE
|
2024-05-30
|
| 854088
|
|
old MozillaMaintenance Service registry entry not updated, leads to Trusted Path Privilege Escalation
|
Toolkit
|
Application Update
|
netzen
|
RESO
|
FIXE
|
2024-05-30
|
| 867056
|
|
Arbitrary code execution using a temporarily inaccessible file
|
Toolkit
|
Application Update
|
netzen
|
RESO
|
FIXE
|
2024-05-30
|
| 888314
|
|
Buffer overflow in Updater
|
Toolkit
|
Application Update
|
netzen
|
RESO
|
FIXE
|
2024-05-30
|
| 890853
|
|
MAR signature bypass in Updater could lead to downgrade
|
Toolkit
|
Application Update
|
netzen
|
RESO
|
FIXE
|
2024-05-30
|
| 816289
|
|
Create about:config pref for allowing non-AMO addon installs
|
Firefox for Android
|
Add-on Manager
|
nobody
|
RESO
|
WORK
|
2020-12-21
|
| 873938
|
|
ADB runs as root on buri device
|
Firefox OS Graveyard
|
GonkIntegration
|
nobody
|
RESO
|
FIXE
|
2015-06-17
|
| 985057
|
|
Check for DLL injection with installer
|
Firefox
|
Installer
|
nobody
|
RESO
|
DUPL
|
2020-08-08
|
| 985059
|
|
Check for DLL injection with stub installer
|
Firefox
|
Installer
|
nobody
|
RESO
|
DUPL
|
2020-08-08
|
| 1013808
|
|
Flash .swf served from file:// can steal local files
|
Core Graveyard
|
Plug-ins
|
nobody
|
RESO
|
WORK
|
2022-05-16
|
| 1177368
|
|
Unsafe inter-app communication in Customizer (spoofing risk)
|
Firefox OS Graveyard
|
Gaia::Customizer
|
nobody
|
RESO
|
WORK
|
2017-11-15
|
| 1194680
|
|
Environment variables are unsafe in SUID/SGID/fscaps programs
|
NSS
|
Libraries
|
nobody
|
RESO
|
FIXE
|
2019-03-24
|
| 1208703
|
|
Combinations of keys pressed on the keyboard into the Private Browsing home page(about:privatebrowsing) which is opened after that a dialog window is opened (window.showModalDialog), leads to Arbitrary Code Execution.
|
Core
|
DOM: Core & HTML
|
nobody
|
RESO
|
WORK
|
2024-05-30
|
| 1231331
|
|
Adb access with USB debugging disabled
|
Firefox OS Graveyard
|
GonkIntegration
|
nobody
|
RESO
|
INCO
|
2018-05-09
|
| 1244131
|
|
Locale packs can escalate privileges via chrome URI override
|
Toolkit
|
Add-ons Manager
|
nobody
|
RESO
|
WONT
|
2024-05-30
|
| 1361328
|
|
Dll hijack Mozilla Thunderbird
|
Thunderbird
|
Security
|
nobody
|
RESO
|
FIXE
|
2018-05-09
|
| 1390882
|
|
WebExtension can bypass warnings and run arbitrary programs with download.download & downloads.open
|
Toolkit
|
Downloads API
|
nobody
|
RESO
|
FIXE
|
2024-05-30
|
| 1451276
|
|
WebExtensions can attach content scripts to PDF Viewer, gaining ability to modify pdfjs.* preferences
|
WebExtensions
|
General
|
nobody
|
RESO
|
DUPL
|
2024-05-30
|
| 1484929
|
|
Change of trust root via signed recipe
|
Core
|
Security: PSM
|
nobody
|
RESO
|
DUPL
|
2023-05-22
|
| 1489950
|
|
Firefox Focus for Android v6.1.1 allow attackers to modify apps without affecting their signature
|
Focus
|
General
|
nobody
|
RESO
|
FIXE
|
2022-11-03
|
| 1539591
|
|
Remove special navigator.mozAddonManager API from addons.mozilla.org
|
Toolkit
|
Add-ons Manager
|
nobody
|
RESO
|
WONT
|
2020-06-04
|
| 1575289
|
|
Privilege escalation via maintenance service in the wild
|
Toolkit
|
Application Update
|
nobody
|
RESO
|
DUPL
|
2023-05-22
|
| 1579996
|
|
XXE attack in java updater code
|
Firefox for Android
|
General
|
nobody
|
RESO
|
WONT
|
2024-05-30
|
| 1613941
|
|
It is possible to bypass fingerprint authentication in firefox focus by using an intent to launch a URI from another app
|
Focus
|
General
|
nobody
|
RESO
|
FIXE
|
2024-05-30
|
| 1659333
|
|
QR code 'javascript://' schemes allow same-origin policy violations
|
Firefox for iOS
|
General
|
nobody
|
RESO
|
DUPL
|
2024-05-30
|
| 1745842
|
|
Receiving a malicious javascript URL as text via a SEND intent may cause XSS
|
Fenix
|
General
|
nobody
|
RESO
|
DUPL
|
2024-05-30
|
| 1297361
|
|
JSON Viewer: use listeners instead of exporting postChromeMessage
|
DevTools
|
JSON Viewer
|
odvarko
|
RESO
|
FIXE
|
2024-05-30
|
| 1394681
|
|
network monitor replaced with web content
|
DevTools
|
Netmonitor
|
odvarko
|
RESO
|
FIXE
|
2018-06-13
|
| 1658276
|
|
Use CSP on Fenix error pages and other resources
|
Fenix
|
General
|
petru
|
RESO
|
FIXE
|
2022-11-03
|
| 1542732
|
|
HTML injection in moz-extension://
|
WebExtensions
|
Developer Outreach
|
raluca.sofian
|
RESO
|
FIXE
|
2019-04-29
|
| 883322
|
|
Medium integrity DLL Hijacking - Thunderbird and SeaMonkey Full installer
|
MailNews Core
|
Build Config
|
robert.strong.bugs
|
RESO
|
FIXE
|
2016-06-04
|
| 1171518
|
|
[Win] Privileged update processes writing to user writable locations can overwrite non-user writable locations using hard links
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
RESO
|
FIXE
|
2015-09-01
|
| 1336964
|
|
Arbitrary file "deletion" as SYSTEM with maintenance service
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1336979
|
|
32 byte arbitrary file reads as SYSTEM with maintenance service
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1342742
|
|
Arbitrary code execution as SYSTEM using Updater to overwrite updater.ini
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1348645
|
|
Maintenance Service updater PatchFile file manipulation
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 1712240
|
|
Firefox webpages can launch custom tabs via intents (and cause crash)
|
Fenix
|
General
|
royang
|
RESO
|
FIXE
|
2023-10-10
|
| 1656746
|
|
iframe sandbox bypass by fenix://open
|
Fenix
|
General
|
s.kaspari
|
RESO
|
FIXE
|
2024-05-30
|
| 1657055
|
|
HTTPS certificate verification bypass with reflected XSS in error page(s) in Fenix
|
GeckoView
|
General
|
s.kaspari
|
RESO
|
FIXE
|
2024-05-30
|
| 1658144
|
|
Fenix: XSS on error pages allows access to privileged APIs
|
Fenix
|
General
|
s.kaspari
|
RESO
|
DUPL
|
2024-05-30
|
| 1657178
|
|
Bypassing App Lock [Firefox Lockwise - iOS]
|
Lockwise Graveyard
|
Security
|
sarentz
|
RESO
|
FIXE
|
2024-05-30
|
| 1830820
|
|
Queued up rendering can allow websites to clickjack
|
Core
|
DOM: Navigation
|
sefeng
|
RESO
|
FIXE
|
2024-06-02
|
| 1238602
|
|
Improper unserialization of GonkNativeHandle
|
Core
|
Graphics
|
sotaro.ikeda.g
|
RESO
|
FIXE
|
2022-01-04
|
| 1412329
|
|
CompositorBridgeParent::RecvMakeSnapshot - Arbitrary Memory Write
|
Core
|
Graphics: Layers
|
sotaro.ikeda.g
|
RESO
|
INVA
|
2021-10-21
|
| 848417
|
|
Mozilla Maintenance Service buffer overflow allowing privilege escalation
|
Toolkit
|
Application Update
|
spohl.mozilla.bugs
|
RESO
|
FIXE
|
2024-05-30
|
| 803515
|
|
DLL Hijacking - Thunderbird installer
|
Thunderbird
|
Installer
|
standard8
|
RESO
|
FIXE
|
2016-06-04
|
| 811227
|
|
DLL Hijacking - Thunderbird installer - Part 2
|
Thunderbird
|
Installer
|
standard8
|
RESO
|
FIXE
|
2016-06-04
|
| 1372849
|
|
WindowsDllDetourPatcher Destructor Exploit Primitive
|
Core
|
Security
|
stephen
|
RESO
|
FIXE
|
2018-02-01
|
| 1328325
|
|
JavaScript injection on FxA domain through firefox://?fxa scheme
|
Firefox for iOS
|
Firefox Accounts
|
vbudhram
|
RESO
|
FIXE
|
2024-05-30
|
| 1558299
|
|
file: URIs SOP Bypass: local HTML file can lead to file stealing (similar to CVE-2015-7186)
|
Core
|
DOM: Security
|
amarchesini
|
VERI
|
FIXE
|
2024-06-04
|
| 1426363
|
|
Host permissions with scheme wildcard (*://...) are not shown in permissions doorhangers
|
WebExtensions
|
Frontend
|
andrew.swan
|
VERI
|
FIXE
|
2024-05-30
|
| 1300083
|
|
64-bit NPAPI sandbox isn't enabled on fresh profile
|
Core
|
Security: Process Sa
|
bobowencode
|
VERI
|
FIXE
|
2017-02-24
|
| 1722204
|
|
AddressSanitizer: attempting double-free from gfx::RecordedFillGlyphs and UAF (0xe5e5e5e5e5e5e5e5 on crash report)
|
Core
|
Graphics: Layers
|
bobowencode
|
VERI
|
FIXE
|
2024-05-30
|
| 1691153
|
|
Blob URLs loaded by system principal may be given the incorrect principal
|
Core
|
DOM: File
|
echuang
|
VERI
|
FIXE
|
2021-11-22
|
| 813906
|
|
Content can access chrome-privileged pages using plugin objects
|
Core Graveyard
|
Plug-ins
|
gfritzsche
|
VERI
|
FIXE
|
2024-05-30
|
| 1596668
|
|
Firefox for macOS: extensions with downloads.open permission can execute code on the device using .fileloc files
|
Firefox
|
File Handling
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1731779
|
|
download protection bypass on macOS with .inetloc
|
Firefox
|
File Handling
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1615471
|
|
Command injection in the "Copy as cURL (Windows)" feature
|
DevTools
|
Netmonitor
|
hmanilla
|
VERI
|
FIXE
|
2024-05-30
|
| 1770048
|
|
Top-Level Await must not rely on Array.prototype
|
Core
|
JavaScript Engine
|
iireland
|
VERI
|
FIXE
|
2023-01-23
|
| 1325200
|
|
lack of executable-code quota allows full bypass of ASLR and DEP
|
Core
|
JavaScript Engine: J
|
jdemooij
|
VERI
|
FIXE
|
2024-05-30
|
| 1372509
|
|
Self-XSS XUL Injection in about:webrtc
|
Core
|
WebRTC
|
jib
|
VERI
|
FIXE
|
2021-10-21
|
| 1432778
|
|
Chrome level XSS in LightWeight theme prompts
|
WebExtensions
|
Frontend
|
kmaglione+bmo
|
VERI
|
FIXE
|
2021-11-19
|
| 1436482
|
|
Content scripts sometimes match the document URI rather than the principal URI
|
WebExtensions
|
General
|
kmaglione+bmo
|
VERI
|
FIXE
|
2024-05-30
|
| 1227462
|
|
chrome.tabs.update/create APIs should call checkLoadURI with DISALLOW_INHERIT_PRINCIPAL
|
WebExtensions
|
Untriaged
|
lgreco
|
VERI
|
FIXE
|
2024-05-30
|
| 1481907
|
|
MozillaMaintenance service arbitrary file creation privilege escalation on Windows
|
Toolkit
|
Application Update
|
molly
|
VERI
|
FIXE
|
2024-05-30
|
| 1765049
|
|
Possible download files like exe to user Startup folder on windows, which may cause RCE
|
Firefox
|
Downloads Panel
|
molly
|
VERI
|
FIXE
|
2024-05-30
|
| 1752888
|
|
Confirming install prompt for trusted addon may execute arbitrary privileged code instead
|
Toolkit
|
Add-ons Manager
|
nobody
|
VERI
|
FIXE
|
2024-05-30
|
| 1826116
|
|
Clickjacking to allowed location permission (bypassing button-enable delay)
|
Firefox
|
Site Permissions
|
pbz
|
VERI
|
FIXE
|
2024-06-02
|
| 1839073
|
|
Bypass site permission clickjacking protections on Desktop by opening a new tab with window.open() and closing it after the permission timeout has expired
|
Toolkit
|
PopupNotifications a
|
pbz
|
VERI
|
FIXE
|
2024-06-02
|
| 1863083
|
|
Clickjacking to allow permission using window.moveTo in a popup
|
Toolkit
|
PopupNotifications a
|
pbz
|
VERI
|
FIXE
|
2024-06-02
|
| 1539759
|
|
Stop allowing markup injection via DTD in system-privileged contexts
|
Core
|
XML
|
peterv
|
VERI
|
FIXE
|
2022-02-15
|
| 1488180
|
|
Extensions can load arbitrary URLs in new windows via "|" separators
|
WebExtensions
|
General
|
rob
|
VERI
|
FIXE
|
2020-02-16
|
| 1530103
|
|
URI handler Remote Code Execution via command line parameter injection in Firefox
|
Toolkit
|
Startup and Profile
|
robert.strong.bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1574980
|
|
Privilege Escalation via Mozilla Maintenance Service if Firefox is Installed to a Writable Location
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1452075
|
|
PDF Viewer will run code from PDF files, missing validation for /Domain and /Range parameters
|
Firefox
|
PDF Viewer
|
ydelendik
|
VERI
|
FIXE
|
2024-05-30
|
| 1549833
|
|
Lack of mitigation on external protocol execution (res: protocol)
|
Core
|
Networking
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1552627
|
|
Lack of mitigation on external protocol execution (res: protocol)
|
Core
|
Networking
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1749028
|
|
Hold Down / repeatedly pressing Enter Key will still Automatically Launch Downloaded Executable File
|
Firefox
|
Downloads Panel
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2023-07-07
|
| 1737252
|
|
Escape issue in "Copy as cURL" enables execution of arbitrary commands on users computer
|
DevTools
|
Netmonitor
|
hmanilla
|
VERI
|
FIXE
|
2024-05-30
|
| 1427289
|
|
Executing JS on addons.mozilla.org using webRequestBlocking
|
WebExtensions
|
Request Handling
|
kmaglione+bmo
|
VERI
|
FIXE
|
2024-05-30
|
| 1743226
|
|
Hold Down Enter Key will Automatically Launch Downloaded Executable File
|
Firefox
|
Downloads Panel
|
kpatenio
|
VERI
|
FIXE
|
2024-05-30
|
| 1786188
|
|
Mozilla Firefox Download Protections were bypassed by .atloc / .ftploc files on MacOS
|
Firefox
|
File Handling
|
mak
|
VERI
|
FIXE
|
2023-07-17
|
| 1643199
|
|
Mozilla Maintenance Service Privilege Escalation via updater.exe if Firefox is installed in non-default location
|
Toolkit
|
Application Update
|
molly
|
VERI
|
FIXE
|
2024-05-30
|
| 1811181
|
|
Giving the camera permission to a local .html file means giving this permission to all the local .html files opened in the same tab
|
Firefox
|
Site Permissions
|
pbz
|
VERI
|
FIXE
|
2024-05-30
|
| 1771685
|
|
Cross-origin frames can obtain top-level permissions b/c XSLT transform resets FeaturePolicy
|
Core
|
XSLT
|
peterv
|
VERI
|
FIXE
|
2024-06-17
|
| 1557074
|
|
Re-Enable Mozilla Content Process Isolation
|
Core
|
DOM: Content Process
|
tom
|
VERI
|
FIXE
|
2020-06-10
|
| 1521542
|
|
iframe sandbox can be escaped with rel=noopener/noreferrer when "allow-popups" specified, or in general with fission
|
Core
|
DOM: Security
|
sstreich
|
VERI
|
FIXE
|
2024-04-17
|
| 873966
|
|
Arbitrary code execution from Profiler
|
DevTools
|
Performance Tools (P
|
anton
|
VERI
|
FIXE
|
2024-05-30
|
| 1450534
|
|
Aborting load potentially exposes PDF Viewer APIs to webpages
|
Firefox
|
PDF Viewer
|
bdahl
|
VERI
|
FIXE
|
2024-05-30
|
| 1518026
|
|
RCE via "copy as curl" on mac
|
DevTools
|
Netmonitor
|
bgrinstead
|
VERI
|
FIXE
|
2024-05-30
|
| 801305
|
|
nsLocation::CheckURL still can use the wrong principal
|
Core
|
Security
|
bholley
|
VERI
|
FIXE
|
2013-04-08
|
| 1144991
|
|
Privilege escalation from resource:// document (e.g. pdf viewer) (ZDI-CAN-2826)
|
Core
|
DOM: Core & HTML
|
bzbarsky
|
VERI
|
FIXE
|
2019-03-13
|
| 924329
|
|
Reading wrapper-protected information using InstallTrigger
|
Firefox
|
General
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1208141
|
|
about:home's search doesn't sanitize input and uses it for .innerHTML (CSS running, JavaScript on events)
|
Firefox
|
Security
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2015-11-03
|
| 1320039
|
|
Pocket extension unnecessarily exposes its messaging interface to web pages
|
Firefox
|
Pocket
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1320057
|
|
Remote code execution vulnerability in Pocket extension
|
Firefox
|
Pocket
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1449548
|
|
Lightweight themes can be installed automatically, without user's consent
|
Toolkit
|
Add-ons Manager
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1572838
|
|
URI Handler Command Injection Vulnerability [iDefense V-bsk2ottbf1]
|
Toolkit
|
Startup and Profile
|
gijskruitbosch+bugs
|
VERI
|
FIXE
|
2020-06-05
|
| 1372112
|
|
XUL Injection in Inspector Image Tooltip
|
DevTools
|
Inspector
|
jdescottes
|
VERI
|
FIXE
|
2018-06-13
|
| 1341191
|
|
Feed Reader IPC can be used to bypass process sandboxing
|
Firefox Graveyard
|
RSS Discovery and Pr
|
jonathan
|
VERI
|
FIXE
|
2018-12-20
|
| 1246972
|
|
Arbitrary target directory for result files of update process
|
Toolkit
|
Application Update
|
molly
|
VERI
|
FIXE
|
2024-05-30
|
| 1361326
|
|
DLL Hijacking Firefox installer
|
Firefox
|
Installer
|
molly
|
VERI
|
FIXE
|
2024-05-30
|
| 792106
|
|
DLL Hijacking - Firefox installer
|
Firefox
|
Installer
|
netzen
|
VERI
|
FIXE
|
2024-05-30
|
| 830134
|
|
The updater.exe loads the cryptsp.dll from the update directory while perfoming an update.
|
Toolkit
|
Application Update
|
netzen
|
VERI
|
FIXE
|
2024-05-30
|
| 859072
|
|
The updater.exe loads the profapi.dll from the update directory
|
Toolkit
|
Application Update
|
netzen
|
VERI
|
FIXE
|
2024-05-30
|
| 961676
|
|
Unsafe temp directory usage in maintenservice_installer.exe lead to possible privilege escalation
|
Firefox
|
Installer
|
netzen
|
VERI
|
FIXE
|
2024-05-30
|
| 1215648
|
|
Maintenance Service helper.exe File Deletion Elevation of Privilege
|
Firefox
|
Installer
|
nobody
|
VERI
|
FIXE
|
2024-05-30
|
| 1371586
|
|
XUL injection in StyleEditorUI.jsm
|
DevTools
|
Style Editor
|
ntim.bugs
|
VERI
|
FIXE
|
2018-06-13
|
| 1487478
|
|
"file:///*" extension permission has no warning
|
WebExtensions
|
General
|
rob
|
VERI
|
FIXE
|
2020-02-16
|
| 811557
|
|
DLL Hijacking - Firefox Stub installer
|
Firefox
|
Installer
|
robert.strong.bugs
|
VERI
|
FIXE
|
2023-08-14
|
| 883165
|
|
Medium integrity DLL Hijacking - Firefox Full installer and Stub installer
|
Firefox
|
Installer
|
robert.strong.bugs
|
VERI
|
FIXE
|
2023-08-14
|
| 925747
|
|
Files extracted from Mar file are not locked during update
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 945192
|
|
The updater.exe loads the bcrypt.dll and other dll's from the working and binary directory when not using the service (Application Update)
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 1127481
|
|
Run updater.exe from the application directory when not using the service for an update
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
VERI
|
FIXE
|
2016-07-02
|
| 1129209
|
|
The updater.exe loads the SxS comctl32.dll from the updater.exe.Local directory when not using the service (Application Update)
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
VERI
|
FIXE
|
2016-07-02
|
| 1177861
|
|
Arbitrary file manipulation through updater.exe (Privilege Escalation)
|
Toolkit
|
Application Update
|
robert.strong.bugs
|
VERI
|
FIXE
|
2024-05-30
|
| 895557
|
|
It's possible to set a document's URI to a different document's URI by confusing docshell
|
Core
|
DOM: Navigation
|
smaug
|
VERI
|
FIXE
|
2015-08-30
|
| 1539595
|
|
Consider an origin-whitelist for early site isolation for AMO and accounts.firefox.com
|
Core
|
DOM: Content Process
|
tom
|
VERI
|
FIXE
|
2022-10-24
|
| 920515
|
|
pdf.js iframe injection allows sites to load local files or even chrome privileged pages into an iframe
|
Firefox
|
PDF Viewer
|
ydelendik
|
VERI
|
FIXE
|
2024-05-30
|