The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-25 XPCNativeWrapper pollution
• MFSA 2007-24 Unauthorized access to wyciwyg:// documents
• MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
• MFSA 2007-20 Frame spoofing while window is loading
• MFSA 2007-19 XSS using addEventListener and setTimeout
• MFSA 2007-18 Crashes with evidence of memory corruption

< 2.0.0.5,1

gt 3.*,1 lt 3.0.a2_3,1

< 2.0.0.5

< 1.1.3

< 3.0.a2007.12.12

< 2.0.a2007.12.12

gt 0

Mozilla Foundation reports:

MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports

MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages

MFSA 2016-19 Linux video memory DOS with Intel drivers

MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing

MFSA 2016-21 Displayed page address can be overridden

MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager

MFSA 2016-23 Use-after-free in HTML5 string parser

MFSA 2016-24 Use-after-free in SetBody

MFSA 2016-25 Use-after-free when using multiple WebRTC data channels

MFSA 2016-26 Memory corruption when modifying a file being read by FileReader

MFSA 2016-27 Use-after-free during XML transformations

MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property

MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore

MFSA 2016-31 Memory corruption with malicious NPAPI plugin

MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection

MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC

MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

The Mozilla Project reports:

MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

MFSA 2013-94 Spoofing addressbar though SELECT element

MFSA 2013-95 Access violation with XSLT and uninitialized data

MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions

MFSA 2013-97 Writing to cycle collected object during image decoding

MFSA 2013-98 Use-after-free when updating offline cache

MFSA 2013-99 Security bypass of PDF.js checks using iframes

MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing

MFSA 2013-101 Memory corruption in workers

MFSA 2013-102 Use-after-free in HTML document templates

< 24.1.0,1

< 25.0,1

< 2.22

< 24.1.0

< 2.22

< 24.1.0

The Mozilla Project reports:

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata

< 38.0,1

< 38.0,1

< 2.35

< 2.35

< 31.7.0,1

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

The Mozilla Project reports:

MFSA 2014-66 IFRAME sandbox same-origin access through redirect

MFSA 2014-65 Certificate parsing broken by non-standard character encoding

MFSA 2014-64 Crash in Skia library when scaling high quality images

MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache

MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library

MFSA 2014-61 Use-after-free with FireOnStateChange event

MFSA 2014-60 Toolbar dialog customization event spoofing

MFSA 2014-59 Use-after-free in DirectWrite font handling

MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering

MFSA 2014-57 Buffer overflow during Web Audio buffering for playback

MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

< 31.0,1

< 24.7.0,1

< 31.0,1

< 24.7.0

< 24.7.0

< 3.16.1_2

In a Mozilla bug report, Daniel Kleinsinger writes:

I was comparing treatment of attachments opened directly from emails on different platforms. I discovered that Linux builds save attachments in /tmp with world readable rights. This doesn't seem like a good thing. Couldn't someone else logged onto the same machine read your attachments?

This could expose the contents of downloaded files or email attachments to other users on a multi-user system.

< 0.9

< 1.0.r2,1

le 7.2

< 1.7.5

< 1.7.5,2

ge 0

Mozilla Foundation reports:

CVE-2018-12407: Buffer overflow with ANGLE library when using VertexBuffer11 module

CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11

CVE-2018-18492: Use-after-free with select element

CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia

CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs

CVE-2018-18495: WebExtension content scripts can be loaded in about: pages

CVE-2018-18496: Embedded feed preview page can be abused for clickjacking

CVE-2018-18497: WebExtensions can load arbitrary URLs through pipe separators

CVE-2018-18498: Integer overflow when calculating buffer sizes for images

CVE-2018-12406: Memory safety bugs fixed in Firefox 64

CVE-2018-12405: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4

< 64.0_3,1

< 56.2.6

< 2.53.0

< 60.4.0,1

< 60.4.0,2

< 60.4.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 53.0_2,1

< 2.49.1

ge 46.0,1 lt 52.1.0_2,1

< 45.9.0,1

ge 46.0,2 lt 52.1.0,2

< 45.9.0,2

ge 46.0 lt 52.1.0

< 45.9.0

ge 46.0 lt 52.1.0

< 45.9.0

The Mozilla Project reports:

Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes. This can lead to a potentially exploitable crash during WebM video playback.

< 1.4.0

< 33.0,1

< 31.1.2,1

< 33.0,1

< 2.30

< 31.1.2

< 2.30

< 31.1.2

< 31.1.2

Mozilla Foundation reports:

MFSA 2009-32 JavaScript chrome privilege escalation

MFSA 2009-31 XUL scripts bypass content-policy checks

MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar

MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null

MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object

MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests

MFSA 2009-26 Arbitrary domain cookie access by local file: resources

MFSA 2009-25 URL spoofing with invalid unicode characters

MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

< 2.0.0.20_8,1

gt 3.*,1 lt 3.0.11,1

< 3.0.11

< 2.0.0.22

< 1.1.17

The Mozilla Project reports:

MFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

MFSA 2015-80 Out-of-bounds read with malformed MP3 file

MFSA 2015-81 Use-after-free in MediaStream playback

MFSA 2015-82 Redefinition of non-configurable JavaScript object properties

MFSA 2015-83 Overflow issues in libstagefright

MFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links

MFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file

MFSA 2015-86 Feed protocol with POST bypasses mixed content protections

MFSA 2015-87 Crash when using shared memory in JavaScript

MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images

MFSA 2015-90 Vulnerabilities found through code inspection

MFSA 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification

MFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers

< 40.0,1

< 40.0,1

ge 2.36 lt 2.37

< 2.35

ge 2.36 lt 2.37

< 2.35

< 38.2.0,1

< 38.2.0

< 38.2.0

< 38.2.0

The Mozilla Project reports:

MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

MFSA 2015-60 Local files or privileged URLs in pages can be opened into new tabs

MFSA 2015-61 Type confusion in Indexed Database Manager

MFSA 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio

MFSA 2015-63 Use-after-free in Content Policy due to microtask execution error

MFSA 2015-64 ECDSA signature validation fails to handle some signatures correctly

MFSA 2015-65 Use-after-free in workers while using XMLHttpRequest

MFSA 2015-66 Vulnerabilities found through code inspection

MFSA 2015-67 Key pinning is ignored when overridable errors are encountered

MFSA 2015-68 OS X crash reports may contain entered key press information

MFSA 2015-69 Privilege escalation through internal workers

MFSA 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites

MFSA 2015-71 NSS incorrectly permits skipping of ServerKeyExchange

< 39.0,1

< 39.0,1

< 2.35

< 2.35

< 31.8.0,1

ge 38.0,1 lt 38.1.0,1

< 31.8.0

ge 38.0 lt 38.1.0

< 31.8.0

ge 38.0 lt 38.1.0

< 31.8.0

ge 38.0 lt 38.1.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 54.0,1

< 2.49.1

< 52.2.0,1

< 52.2.0,2

< 52.2.0

The Mozilla Project reports:

MFSA 2013-116 JPEG information leak

MFSA 2013-105 Application Installation doorhanger persists on navigation

MFSA 2013-106 Character encoding cross-origin XSS attack

MFSA 2013-107 Sandbox restrictions not applied to nested object elements

MFSA 2013-108 Use-after-free in event listeners

MFSA 2013-109 Use-after-free during Table Editing

MFSA 2013-110 Potential overflow in JavaScript binary search algorithms

MFSA 2013-111 Segmentation violation when replacing ordered list elements

MFSA 2013-112 Linux clipboard information disclosure though selection paste

MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation

MFSA 2013-114 Use-after-free in synthetic mouse movement

MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets

MFSA 2013-116 JPEG information leak

MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate

gt 25.0,1 lt 26.0,1

< 24.2.0,1

< 26.0,1

< 2.23

< 24.2.0

< 2.23

< 24.2.0

The Mozilla Foundation reports:

CVE-2018-5146: Out of bounds memory write in libvorbis

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.

CVE-2018-5147: Out of bounds memory write in libtremor

The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.

< 1.3.6,3

< 1.2.1.s20180316

< 59.0.1,1

< 56.0.4.36_3

< 2.49.3

< 52.7.2,1

< 52.7.2,2

< 52.7.3

< 52.7.0

The Mozilla Project reports:

MFSA 2011-29 Security issues addressed in Firefox 6

MFSA 2011-28 Security issues addressed in Firefox 3.6.20

gt 3.6.*,1 lt 3.6.20,1

gt 5.0.*,1 lt 6.0,1

< 2.3

< 3.6.20,1

< 3.1.12

< 3.1.12

Mozilla Foundation reports:

MFSA 2009-22: Firefox allows Refresh header to redirect to javascript: URIs

MFSA 2009-21: POST data sent to wrong site when saving web page with embedded frame

MFSA 2009-20: Malicious search plugins can inject code into arbitrary sites

MFSA 2009-19: Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString

MFSA 2009-18: XSS hazard using third-party stylesheets and XBL bindings

MFSA 2009-17: Same-origin violations when Adobe Flash loaded via view-source: scheme

MFSA 2009-16: jar: scheme ignores the content-disposition: header on the inner URI

MFSA 2009-15: URL spoofing with box drawing character

MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

< 2.0.0.20_7,1

gt 3.*,1 lt 3.0.9,1

< 3.0.9

gt 0

< 1.1.17

< 2.0.0.22

A Mozilla Foundation Security Advisory states:

An (sic) GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

< 1.0.2,1

< 1.0.2

< 1.7.6,2

ge 1.8.*,2

< 1.7.6

ge 1.8.*

ge 0

ge 0

ge 0

Mozilla Foundation reports:

CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9

CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin

CVE-2017-7847: Local path string can be leaked from RSS feed

CVE-2017-7848: RSS Feed vulnerable to new line Injection

CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display

< 52.5.2

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-08 onUnload + document.write() memory corruption
• MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
• MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
• MFSA 2007-05 XSS and local file access by opening blocked popups
• MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
• MFSA 2007-03 Information disclosure through cache collisions
• MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
• MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

< 1.5.0.10,1

gt 2.*,1 lt 2.0.0.2,1

< 1.5.0.10

< 0.3.1

< 1.0.8

ge 1.1 lt 1.1.1

< 1.5.0.10

< 3.0.a2007.04.18

< 1.5.a2007.04.18

gt 0

The Mozilla Project reports:

MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

MFSA 2013-22 Out-of-bounds read in image rendering

MFSA 2013-23 Wrapped WebIDL objects can be wrapped again

MFSA 2013-24 Web content bypass of COW and SOW security wrappers

MFSA 2013-25 Privacy leak in JavaScript Workers

MFSA 2013-26 Use-after-free in nsImageLoadingContent

MFSA 2013-27 Phishing on HTTPS connection through malicious proxy

MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer

gt 18.0,1 lt 19.0,1

< 17.0.3,1

< 17.0.3,1

< 2.16

< 17.0.3

< 2.16

gt 11.0 lt 17.0.3

< 10.0.12

gt 1.9.2.* lt 10.0.12

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
• MFSA 2008-18 Java socket connection to any local port via LiveConnect
• MFSA 2008-17 Privacy issue with SSL Client Authentication
• MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
• MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
• MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

< 2.0.0.13,1

< 2.0.0.13

< 1.1.9

< 1.1.1

gt 0

< 2.0.0.14

The Mozilla Project reports:

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API

< 33.0,1

< 31.2.0,1

< 33.0,1

< 2.30

< 31.2.0

< 2.30

< 31.2.0

< 31.2.0

The Mozilla Project reports:

MFSA 2012-90 Fixes for Location object issues

gt 11.0,1 lt 16.0.2,1

< 10.0.10,1

< 10.0.10,1

< 2.13.2

< 10.0.10

< 2.13.2

gt 11.0 lt 16.0.2

< 10.0.10

gt 1.9.2.* lt 10.0.10

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

< 62.0_1,1

< 56.2.3

< 2.49.5

< 60.2.0_1,1

< 60.2.0,2

< 60.2

Mozilla Foundation reports:

CVE-2016-9894: Buffer overflow in SkiaGL

CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements

CVE-2016-9895: CSP bypass using marquee tag

CVE-2016-9896: Use-after-free with WebVR

CVE-2016-9897: Memory corruption in libGLES

CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees

CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs

CVE-2016-9904: Cross-origin information leak in shared atoms

CVE-2016-9901: Data from Pocket server improperly sanitized before execution

CVE-2016-9902: Pocket extension does not validate the origin of events

CVE-2016-9903: XSS injection vulnerability in add-ons SDK

CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6

< 50.1.0_1,1

< 2.47

< 45.6.0,1

< 45.6.0,2

< 45.6.0

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43

< 44.0,1

< 2.41

< 38.6.0,1

< 38.6.0

The Mozilla Project reports:

ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data

MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory

MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer

MFSA-2014-88 Buffer overflow while parsing media content

MFSA-2014-87 Use-after-free during HTML5 parsing

MFSA-2014-86 CSP leaks redirect data via violation reports

MFSA-2014-85 XMLHttpRequest crashes with some input streams

MFSA-2014-84 XBL bindings accessible via improper CSS declarations

MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

< 34.0,1

< 31.3.0,1

< 34.0,1

< 2.31

< 31.3.0

< 2.31

< 31.3.0

< 31.3.0

< 3.17.3

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

< 56.0.2_10,1

< 2.49.2

< 52.5.0,1

< 52.5.0,2

< 52.5.0

The Mozilla Project reports:

MFSA 2013-29 Use-after-free in HTML Editor

gt 18.0,1 lt 19.0.2,1

< 17.0.3,1

< 17.0.4,1

< 2.16.1

< 17.0.4

< 2.16.1

gt 11.0 lt 17.0.4

< 10.0.12

Mozilla Foundation reports:

CVE-2018-5183: Backport critical security fixes in Skia

CVE-2018-5154: Use-after-free with SVG animations and clip paths

CVE-2018-5155: Use-after-free with SVG animations and text paths

CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files

CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer

CVE-2018-5159: Integer overflow and out-of-bounds write in Skia

CVE-2018-5160: Uninitialized memory use by WebRTC encoder

CVE-2018-5152: WebExtensions information leak through webRequest API

CVE-2018-5153: Out-of-bounds read in mixed content websocket messages

CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache

CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace

CVE-2018-5166: WebExtension host permission bypass through filterReponseData

CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger

CVE-2018-5168: Lightweight themes can be installed without user interaction

CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages

CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer

CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters

CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update

CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies

CVE-2018-5176: JSON Viewer script injection

CVE-2018-5177: Buffer overflow in XSLT during number formatting

CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox

CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension

CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced

CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink

CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar

CVE-2018-5151: Memory safety bugs fixed in Firefox 60

CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

< 60.0,1

< 56.1.0_18

< 2.49.4

< 52.8.0,1

< 52.8.0,2

< 52.8.0

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

< 46.0,1

< 2.43

ge 39.0,1 lt 45.1.0,1

< 38.8.0,1

ge 39.0 lt 45.1.0

< 38.8.0

The Mozilla Project reports:

MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop

MFSA 2012-44 Gecko memory corruption

MFSA 2012-45 Spoofing issue with location

MFSA 2012-46 XSS through data: URLs

MFSA 2012-47 Improper filtering of javascript in HTML feed-view

MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden

MFSA 2012-49 Same-compartment Security Wrappers can be bypassed

MFSA 2012-50 Out of bounds read in QCMS

MFSA 2012-51 X-Frame-Options header ignored when duplicated

MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption

MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage

MFSA 2012-54 Clickjacking of certificate warning page

MFSA 2012-55 feed: URLs with an innerURI inherit security context of page

MFSA 2012-56 Code execution through javascript: URLs

gt 11.0,1 lt 14.0.1,1

< 10.0.6,1

< 10.0.6,1

< 2.11

< 10.0.6

< 2.11

gt 11.0 lt 14.0

< 10.0.6

gt 1.9.2.* lt 10.0.6

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 50.0_1,1

< 2.47

< 45.5.0,1

< 45.5.0,2

< 45.5.0

Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

le 1.2.5_7

le 1.0.14_3

ge 1.2 le 1.2.2

< 0.9.3

< 0.7.3

< 1.7.2

< 1.7.2

< 1.7.2,2

ge 1.8.a,2 le 1.8.a2,2

< 1.7.2

le 4.78

le 4.8

le 7.1

le 7.02

The Mozilla Project reports:

MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer

MFSA 2014-36 Web Audio memory corruption issues

MFSA 2014-37 Out of bounds read while decoding JPG images

MFSA 2014-38 Buffer overflow when using non-XBL object as XBL

MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video

MFSA 2014-41 Out-of-bounds write in Cairo

MFSA 2014-42 Privilege escalation through Web Notification API

MFSA 2014-43 Cross-site scripting (XSS) using history navigations

MFSA 2014-44 Use-after-free in imgLoader while resizing images

MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates

MFSA 2014-46 Use-after-free in nsHostResolve

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript

< 29.0,1

< 24.5.0,1

< 29.0,1

< 2.26

< 24.5.0

< 2.26

< 24.5.0

zen-parse discovered a heap buffer overflow in Mozilla's POP client implementation. A malicious POP server could exploit this vulnerability to cause Mozilla to execute arbitrary code.

< 1.7,2

< 1.7

< 7.2

< 0.7

Mozilla Foundation reports:

Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.

< 2.0.0.14,1

< 2.0.0.14

< 1.1.10

< 1.1.2

gt 0

< 2.0.0.14

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
• MFSA 2006-63 JavaScript execution in mail via XBL
• MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
• MFSA 2006-61 Frame spoofing using document.open()
• MFSA 2006-60 RSA Signature Forgery
• MFSA 2006-59 Concurrency-related vulnerability
• MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
• MFSA 2006-57 JavaScript Regular Expression Heap Corruption

< 1.5.0.7,1

gt 2.*,1 lt 2.0_1,1

< 1.5.0.7

< 1.0.5

< 1.5.0.7

< 3.0.a2006.09.21

< 1.5.a2006.09.21

gt 0

Mozilla Foundation reports:

CVE-2018-18356: Use-after-free in Skia

CVE-2019-5785: Integer overflow in Skia

CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext

< 65.0.1,1

< 60.5.1,1

< 60.5.1

The Mozilla Project reports:

MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true

MFSA 2011-03 Use-after-free error in JSON.stringify

MFSA 2011-04 Buffer overflow in JavaScript upvarMap

MFSA 2011-05 Buffer overflow in JavaScript atom map

MFSA 2011-06 Use-after-free error using Web Workers

MFSA 2011-07 Memory corruption during text run construction (Windows)

MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents

MFSA 2011-09 Crash caused by corrupted JPEG image

MFSA 2011-10 CSRF risk with plugins and 307 redirects

gt 3.6.*,1 lt 3.6.14,1

gt 3.5.*,1 lt 3.5.17,1

gt 1.9.2.* lt 1.9.2.14

< 3.6.14,1

< 3.5.17

gt 2.0.* lt 2.0.12

ge 3.1 lt 3.1.8

gt 2.0.* lt 2.0.12

< 3.1.8

The Mozilla Foundation reports:

MFSA 2008-37

UTF-8 URL stack buffer overflow

MFSA 2008-38

nsXMLDocument::OnChannelRedirect() same-origin violation

MFSA 2008-39

Privilege escalation using feed preview page and XSS flaw

MFSA 2008-40

Forced mouse drag

MFSA 2008-41

Privilege escalation via XPCnativeWrapper pollution

MFSA 2008-42

Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)

MFSA 2008-43

BOM characters stripped from JavaScript before execution

MFSA 2008-44

resource: traversal vulnerabilities

MFSA 2008-45

XBM image uninitialized memory reading

< 2.0.0.17,1

gt 3.*,1 lt 3.0.2,1

< 2.0.0.17

< 1.1.12

< 2.0.0.17

< 2.0

gt 0

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-56 chrome: scheme loading remote content
• MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
• MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
• MFSA 2006-53 UniversalBrowserRead privilege escalation
• MFSA 2006-52 PAC privilege escalation using Function.prototype.call
• MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
• MFSA 2006-50 JavaScript engine vulnerabilities
• MFSA 2006-49 Heap buffer overwrite on malformed VCard
• MFSA 2006-48 JavaScript new Function race condition
• MFSA 2006-47 Native DOM methods can be hijacked across domains
• MFSA 2006-46 Memory corruption with simultaneous events
• MFSA 2006-45 Javascript navigator Object Vulnerability
• MFSA 2006-44 Code execution through deleted frame reference

< 1.5.0.5,1

gt 2.*,1 lt 2.0_1,1

< 1.5.0.5

< 3.0.a2006.07.26

< 1.0.3

< 1.5.0.5

gt 0

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-29 Spoofing with translucent windows
• MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
• MFSA 2006-26 Mail Multiple Information Disclosure
• MFSA 2006-25 Privilege escalation through Print Preview
• MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
• MFSA 2006-23 File stealing by changing input type
• MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
• MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
• MFSA 2006-19 Cross-site scripting using .valueOf.call()
• MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
• MFSA 2006-17 cross-site scripting through window.controllers
• MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
• MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
• MFSA 2006-14 Privilege escalation via XBL.method.eval
• MFSA 2006-13 Downloading executables with "Save Image As..."
• MFSA 2006-12 Secure-site spoof (requires security warning dialog)
• MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
• MFSA 2006-10 JavaScript garbage-collection hazard audit
• MFSA 2006-09 Cross-site JavaScript injection using event handlers

< 1.0.8,1

gt 1.5.*,1 lt 1.5.0.2,1

< 1.5.0.2

< 1.7.13,2

ge 1.8.*,2

< 1.7.13

gt 0

< 1.0.1

< 1.5.0.2

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 51.0_1,1

< 2.48

< 45.7.0,1

< 45.7.0,2

< 45.7.0

The Mozilla Project reports:

MFSA 2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

MFSA 2015-135 Crash with JavaScript variable assignment with unboxed objects

MFSA 2015-136 Same-origin policy violation using perfomance.getEntries and history navigation

MFSA 2015-137 Firefox allows for control characters to be set in cookies

MFSA 2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed

MFSA 2015-139 Integer overflow allocating extremely large textures

MFSA 2015-140 Cross-origin information leak through web workers error events

MFSA 2015-141 Hash in data URI is incorrectly parsed

MFSA 2015-142 DOS due to malformed frames in HTTP/2

MFSA 2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library

MFSA 2015-144 Buffer overflows found through code inspection

MFSA 2015-145 Underflow through code inspection

MFSA 2015-146 Integer overflow in MP4 playback in 64-bit versions

MFSA 2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright

MFSA 2015-148 Privilege escalation vulnerabilities in WebExtension APIs

MFSA 2015-149 Cross-site reading attack through data and view-source URIs

< 43.0,1

< 43.0,1

< 2.40

< 2.40

< 38.5.0,1

< 38.5.0

< 38.5.0

< 38.5.0

Mozilla Foundation reports:

CVE-2018-18500: Use-after-free parsing HTML5 stream

CVE-2018-18503: Memory corruption with Audio Buffer

CVE-2018-18504: Memory corruption and out-of-bounds read of texture client buffer

CVE-2018-18505: Privilege escalation through IPC channel messages

CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to be proxied

CVE-2018-18502: Memory safety bugs fixed in Firefox 65

CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5

< 65.0_1,1

< 56.2.7

< 2.53.0

< 60.5.0_1,1

< 60.5.0,2

< 60.5.0

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -