412363 | Buffer overflow in external MIME bodies | MailNews Core | MIME | bugmil.ebirol | RESO | FIXE | 2008-07-31
267833 | [FIX]Fire XBL constructors from EndUpdate(), not before | Core | XBL | bzbarsky | RESO | FIXE | 2008-03-08
362901 | [FIX]nsCSSFrameConstructor::HaveFirstLetterStyle broken in the presence of asynchronous restyles or batching | Core | Layout | bzbarsky | RESO | FIXE | 2018-08-29
369814 | jar: protocol is an XSS hazard due to ignoring mime type and being considered same-origin with hosting site | Core | Networking: JAR | dave.camp | RESO | FIXE | 2011-05-03
403331 | Sort out jar: behavior on HTTP redirects | Core | Networking: JAR | dave.camp | RESO | FIXE | 2008-03-20
413250 | chrome directory traversal (local disk access via "flat" addons) | Core | General | dveditz | RESO | FIXE | 2009-06-16
408076 | out of bounds read in BMP decoder can lead to information disclosure | Core | Graphics: ImageLib | gavin.sharp | RESO | FIXE | 2008-03-12
384925 | plug-in finder service does not use https for all XPI installation URIs | Toolkit Graveyard | Plugin Finder Servic | benjamin | RESO | FIXE | 2014-09-24
336303 | [FIX]nsPrincipal::GetOrigin should dig into nested URIs | Core | Security | bzbarsky | RESO | FIXE | 2008-03-25
402649 | [FIX]window.location race condition can be used to spoof referer header | Core | DOM: Core & HTML | bzbarsky | RESO | FIXE | 2019-03-13
295922 | Client Auth "select cert automatically" is considered a privacy issue | Core Graveyard | Security: UI | dveditz | RESO | FIXE | 2016-09-27
417086 | Use of colon (:) in hash/anchor part of chrome URL when using window.open results in an error. | Firefox | General | dveditz | RESO | FIXE | 2008-03-22
376473 | [mz2] file action dialog controls vulnerable to refocus race | Firefox | Security | gavin.sharp | RESO | FIXE | 2008-03-18
405818 | [FIX]Opening about:config results in warning about unresponsive script | Core | CSS Parsing and Comp | bzbarsky | RESO | FIXE | 2008-03-20
392149 | -osint protection can be subverted via remote options | Toolkit | Startup and Profile | ajschult784 | RESO | FIXE | 2008-07-31
178993 | MSIE-extension: HttpOnly cookie attribute for cross-site scripting vulnerability prevention | Core | Networking: Cookies | avva | RESO | FIXE | 2008-03-19
371572 | Release SpiderMonkey 1.6.1 | Core | JavaScript Engine | bob | RESO | FIXE | 2008-10-12
353962 | Firefox 2.0 often hangs in Intel Mac OS X 10.4.7 | Core | JavaScript Engine | brendan | RESO | FIXE | 2008-08-31
345305 | Arbitrary code execution with Venkman JavaScript Debugger | Other Applications G | Venkman JS Debugger | bugzilla-mozilla-20000923 | RESO | FIXE | 2018-10-16
387258 | plain text txt file viewing capability lost after having downloaded a txt file with content-disposition: attachment and content-type: plain/text | Core Graveyard | File Handling | bzbarsky | RESO | FIXE | 2016-08-26
396613 | Crash [@gklayout!nsTableFrame::GetFrameAtOrBefore] | Core | Layout | bzbarsky | RESO | FIXE | 2008-05-23
397427 | [FIX]Stylesheet href property shows redirected URL unlike other browsers | Core | CSS Parsing and Comp | bzbarsky | RESO | FIXE | 2010-02-23
346664 | Arbitrary code execution with FireBug by using document.open or document.write | Core | Security | dveditz | RESO | FIXE | 2013-03-31
387543 | web content can set httponly cookie by overwriting a non-httponly one | Core | Networking: Cookies | dveditz | RESO | FIXE | 2008-03-20
383181 | Prevent creating/overwriting HttpOnly cookies from web content | Core | Networking: Cookies | dwitte | RESO | FIXE | 2008-03-20
325761 | memory corruption in mozilla <object data='x-jsd:help'> | Other Applications G | Venkman JS Debugger | gijskruitbosch+bugs | RESO | FIXE | 2018-10-16
360701 | Crash in js1_7/extensions/regress-355410.js browser with WAY_TOO_MUCH_GC | Core | JavaScript Engine | igor | RESO | FIXE | 2008-09-29
393537 | Heap corruption on Out-of-Memory in jsopcode.c | Core | JavaScript Engine | igor | RESO | FIXE | 2008-03-20
402087 | Setting GC-Zeal before JS_CompileScript() causes null-deref (obj->map == 0x0) in JSOP_DEFFUN | Core | JavaScript Engine | igor | RESO | FIXE | 2008-03-22
381300 | Frame spoofing is possible within a short time frame while the window is loading. | Core | DOM: Core & HTML | jstenback+bmo | RESO | FIXE | 2019-03-13
240261 | [1.8 branch] peer-trusted certs can use alt names to spoof | Core | Security: PSM | kaie | RESO | FIXE | 2008-07-04
279505 | Crash in pop-up window on parent.close() due to double free. [@ nsCSSFrameConstructor::RestyleEvent::HandleEvent] | Core | DOM: Events | MatsPalmgren_bugz | RESO | FIXE | 2008-03-21
372075 | javascript: URI evaluation should use sandboxed context for toString, etc | Core | DOM: Core & HTML | mrbkap | RESO | FIXE | 2019-03-13
386695 | PAC privilege escalation using exception objects came from outside of sandbox | Core | Security | mrbkap | RESO | FIXE | 2008-03-22
387881 | Arbitrary code execution by polluting implicit XPCNativeWrapper (using Script object) | Core | Security | mrbkap | RESO | FIXE | 2008-03-20
346663 | Arbitrary code execution with DOM Inspector by using document.open or document.write | Other Applications | DOM Inspector | nobody | RESO | FIXE | 2009-01-25
378787 | IE 7 and Firefox Browsers Digest Authentication Request Splitting | Core | Networking: HTTP | sayrer | RESO | FIXE | 2008-03-20
373911 | xbl destructor bound to body causes trouble [@ nsXBLBinding::AllowScripts] | Core | XBL | smaug | RESO | FIXE | 2008-03-08
384105 | Crash [@ PresShell::AttributeChanged] with menuitem sizetopopup="always", position: absolute and tree stuff | Core | Layout | smaug | RESO | FIXE | 2011-06-13
387033 | Script may run when initializing nsTextBoxFrame | Core | Layout | smaug | RESO | FIXE | 2009-04-24
388784 | Firefox file input focus stealing vulnerability | Core | Layout: Form Control | smaug | RESO | FIXE | 2008-03-20
361745 | svg viewbox=twisted and image {width,height,x,y}=twisted [@ memset - fbRasterizeTrapezoid] | Core | Graphics | tor | RESO | FIXE | 2011-06-13
391028 | drawImage with broken PNG draws random memory | Core | Graphics: Canvas2D | vladimir | RESO | FIXE | 2008-03-20
393326 | [FIX]Crash [@ nsCSSFrameConstructor::RemoveFirstLetterFrames] with quotes, binding, position: fixed, display: -moz-box and first-letter | Core | Layout | bzbarsky | VERI | FIXE | 2011-06-13
400556 | [FIX]Vulnerability allows script to see where user is headed, sniff history, and crash [@ nsDocShell::Destroy()] the browser too | Core | DOM: Core & HTML | bzbarsky | VERI | FIXE | 2019-03-13
402150 | Buffer overrun [@ nsDocument::RetrieveRelevantHeaders] at provided URL | Core | DOM: Core & HTML | dveditz | VERI | FIXE | 2019-03-13
408256 | Use a constant-size buffer in BMP decoder to reduce fragmentation | Core | Graphics: ImageLib | gavin.sharp | VERI | FIXE | 2008-03-12
399298 | Bypassing XPCNativeWrapper by redefining XPCNativeWrapper | Core | Security | mrbkap | VERI | FIXE | 2008-03-22
406572 | JSOP_CLOSURE unconditionally replaces properties of the variable object | Core | JavaScript Engine | igor | VERI | FIXE | 2012-10-16
404252 | Potential XSS vulnerability because of U+0008 being treated as whitespace | Core | DOM: HTML Parser | mrbkap | VERI | FIXE | 2008-05-08
197052 | crash if modification innerHTML of element in this element [@ js_EmitTree ] | Core | DOM: Core & HTML | smaug | VERI | FIXE | 2011-06-09
373344 | Mousedown event listener changing body style and alert()ing crashes [@ PresShell::HandleEventInternal] browser | Core | DOM: UI Events & Foc | smaug | VERI | FIXE | 2019-03-13
407161 | Garbled Japanese after bug 381412, XSS variant still possible | Core | DOM: HTML Parser | VYV03354 | VERI | FIXE | 2008-03-25
364801 | ASSERTION: Some frame destructors were not called with this testcase that makes scrollbars disappear | Core | Layout | roc | VERI | FIXE | 2008-03-20
393141 | Crash [@ nsAccessibilityService::GetAccessible] with display:none option inside optgroup | Core | Disability Access AP | aaronlev | VERI | FIXE | 2011-06-13
309322 | Evil testcase using multiple display:table-caption causes crash if you are really determined [@ nsIFrame::HasView] | Core | Layout: Tables | bernd_mozilla | VERI | FIXE | 2013-10-13
388121 | [FIX]about:blank loaded by chrome in particular ways has chrome privileges | Core | DOM: Core & HTML | bzbarsky | VERI | FIXE | 2019-03-13
404627 | [FIX]XPinstall whitelist bypass using refresh after fix for bug 402649 | Core | DOM: Core & HTML | bzbarsky | VERI | FIXE | 2019-03-13
358594 | "Assertion failure: vlength > n" calling uneval(this) (involves __proto__ and serialization using sharps?) | Core | JavaScript Engine | crowderbt | VERI | FIXE | 2008-03-08
372309 | Crash in [@SetArrayElement] using canvas | Core | JavaScript Engine | crowderbt | VERI | FIXE | 2008-03-08
395942 | QuickTime flaw allows launching default browser with arbitrary parameters on Windows ("quicktime pwns firefox") | Core | General | dveditz | VERI | FIXE | 2008-03-20
390078 | GC hazard with JSstackFrame.argv[-1] | Core | JavaScript Engine | igor | VERI | FIXE | 2008-03-20
398085 | Crash with large switch statement [@ js_Interpret] | Core | JavaScript Engine | igor | VERI | FIXE | 2012-01-23
407720 | js_FindClassObject causes crashes with getter/setter | Core | JavaScript Engine | igor | VERI | FIXE | 2008-03-25
390597 | watch point + eval-as-setter allows access to dead JSStackFrame | Core | JavaScript Engine | mrbkap | VERI | FIXE | 2008-03-29
346405 | [columns] crash [@ nsColumnSetFrame::GetContentInsertionFrame] and [@ nsLineLayout::TrimTrailingWhiteSpaceIn] | Core | Layout | roc | VERI | FIXE | 2011-06-13
386914 | Crash [@ nsXULDocument::ExecuteOnBroadcastHandlerFor] with DOMAttrModified event handler and observes | Core | XUL | smaug | VERI | FIXE | 2011-06-13
393762 | Arbitrary code execution using an event handler attached to an element whose owner document has no script global object | Core | Security | smaug | VERI | FIXE | 2009-03-19
398088 | Crash [@ nsXBLPrototypeBinding::AttributeChanged] with DOMAttrModified, <xul:progressmeter mode> | Core | XBL | smaug | VERI | FIXE | 2011-06-13
405299 | Firefox file input focus stealing through label element dispatch mouse click event | Core | Layout: Form Control | smaug | VERI | FIXE | 2008-03-22
411072 | "focus" Event can be used to set focus on file input and selectively capture keystrokes, which can be used to upload arbitrary files | Core | Security | smaug | VERI | FIXE | 2008-09-29