Total
2917 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-0245 | 1 Mozilla | 1 Firefox | 2025-04-03 | N/A | 3.3 LOW |
| Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability affects Firefox < 134. | |||||
| CVE-2025-0246 | 2 Google, Mozilla | 2 Android, Firefox | 2025-04-03 | N/A | 6.5 MEDIUM |
| When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134. | |||||
| CVE-2025-0247 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-03 | N/A | 9.8 CRITICAL |
| Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134 and Thunderbird < 134. | |||||
| CVE-2024-11700 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-03 | N/A | 8.1 HIGH |
| Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133. | |||||
| CVE-2024-11693 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-03 | N/A | 9.8 CRITICAL |
| The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | |||||
| CVE-2025-27425 | 2 Apple, Mozilla | 2 Iphone Os, Firefox | 2025-04-03 | N/A | 4.3 MEDIUM |
| Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first This vulnerability affects Firefox for iOS < 136. | |||||
| CVE-2025-1943 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-03 | N/A | 8.2 HIGH |
| Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 136 and Thunderbird < 136. | |||||
| CVE-2025-27426 | 2 Apple, Mozilla | 2 Iphone Os, Firefox | 2025-04-03 | N/A | 5.4 MEDIUM |
| Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL This vulnerability affects Firefox for iOS < 136. | |||||
| CVE-2025-1940 | 1 Mozilla | 1 Firefox | 2025-04-03 | N/A | 7.1 HIGH |
| A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability affects Firefox < 136. | |||||
| CVE-2004-2225 | 1 Mozilla | 1 Firefox | 2025-04-03 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 0.10.1 allows remote attackers to delete arbitrary files in the download directory via a crafted data: URI that is not properly handled when the user clicks the Save button. | |||||
| CVE-2005-4809 | 1 Mozilla | 3 Firefox, Mozilla, Thunderbird | 2025-04-03 | 5.0 MEDIUM | N/A |
| Mozilla Firefox 1.0.1 and possibly other versions, including Mozilla and Thunderbird, allows remote attackers to spoof the URL in the Status Bar via an A HREF tag that contains a TABLE tag that contains another A tag. | |||||
| CVE-2006-1724 | 2 Debian, Mozilla | 5 Debian Linux, Firefox, Mozilla Suite and 2 more | 2025-04-03 | 7.5 HIGH | N/A |
| Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to DHTML. | |||||
| CVE-2006-4568 | 1 Mozilla | 2 Firefox, Seamonkey | 2025-04-03 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks. | |||||
| CVE-2006-3801 | 1 Mozilla | 2 Firefox, Seamonkey | 2025-04-03 | 7.5 HIGH | N/A |
| Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 does not properly clear a JavaScript reference to a frame or window, which leaves a pointer to a deleted object that allows remote attackers to execute arbitrary native code. | |||||
| CVE-2005-0230 | 1 Mozilla | 1 Firefox | 2025-04-03 | 5.1 MEDIUM | N/A |
| Firefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging." | |||||
| CVE-2006-1732 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2025-04-03 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to bypass same-origin protections and conduct cross-site scripting (XSS) attacks via unspecified vectors involving the window.controllers array. | |||||
| CVE-2006-2786 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-03 | 2.6 LOW | N/A |
| HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces between the header name and the colon, which might not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP 1.0 proxy, which are ignored by the proxy but processed by the client. | |||||
| CVE-2006-4253 | 3 K-meleon Project, Mozilla, Netscape | 3 K-meleon, Firefox, Navigator | 2025-04-03 | 7.6 HIGH | N/A |
| Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly, as demonstrated by (1) ffoxdie and (2) ffoxdie3. NOTE: it has been reported that Netscape 8.1 and K-Meleon 1.0.1 are also affected by ffoxdie. Mozilla confirmed to CVE that ffoxdie and ffoxdie3 trigger the same underlying vulnerability. NOTE: it was later reported that Firefox 2.0 RC2 and 1.5.0.7 are also affected. | |||||
| CVE-2004-1753 | 2 Mozilla, Netscape | 3 Firefox, Mozilla, Navigator | 2025-04-03 | 2.6 LOW | N/A |
| The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs. | |||||
| CVE-2006-1727 | 2 Canonical, Mozilla | 5 Ubuntu Linux, Firefox, Mozilla Suite and 2 more | 2025-04-03 | 7.6 HIGH | N/A |
| Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to gain chrome privileges via multiple attack vectors related to the use of XBL scripts with "Print Preview". | |||||