Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42
Vulnerabilities
CVE-2019-17025 | P3 | HIGH | CVSS 8.8 | fixed in firefox 72.0-1 (sid) | 2019
Mozilla developers reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 72.
Scope: local
sid: resolved (fixed in 72.0-1)

CVE-2019-11712 | P3 | HIGH | CVSS 8.8 | fixed in firefox 68.0-1 (sid) | 2019
POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Scope: local
sid: resolved (fixed in 68.0-1)

CVE-2017-7807 | P3 | HIGH | CVSS 8.1 | fixed in firefox 55.0-1 (sid) | 2017
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
Scope: local
sid: resolved (fixed in 55.0-1)

CVE-2016-9896 | P3 | HIGH | CVSS 8.1 | fixed in firefox 50.1.0-1 (sid) | 2016
Use-after-free while manipulating the "navigator" object within WebVR. Note: WebVR is not currently enabled by default. This vulnerability affects Firefox < 50.1.
Scope: local
sid: resolved (fixed in 50.1.0-1)

CVE-2006-0749 | P3 | LOW | CVSS 9.3 | fixed in firefox 1.5.dfsg+1.5.0.2 (sid) | 2006
CVE-2006-0749 [CRITICAL] CVE-2006-0749: firefox - nsHTMLContentSink.cpp in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0....
nsHTMLContentSink.cpp in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors involving a "particular sequence of HTML tags" that leads to memory corruption.
Scope: local
sid: r

CVE-2016-9904 | P3 | HIGH | CVSS 7.5 | fixed in firefox 50.1.0-1 (sid) | 2016
An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6.
Scope: local
sid: resolved (fixed i

CVE-2017-7754 | P3 | HIGH | CVSS 7.5 | fixed in firefox 54.0-1 (sid) | 2017
An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
Scope: local
sid: resolved (fixed in 54.0-1)

CVE-2016-2812 | P3 | HIGH | CVSS 7.5 | fixed in firefox 46.0-1 (sid) | 2016
Race condition in the get implementation in the ServiceWorkerManager class in the Service Worker subsystem in Mozilla Firefox before 46.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site.
Scope: local
sid: resolved (fixed in 46.0-1)

CVE-2024-4776 | P3 | HIGH | CVSS 8.2 | fixed in firefox 126.0-1 (sid) | 2024
A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. This vulnerability affects Firefox < 126.
Scope: local
sid: resolved (fixed in 126.0-1)

CVE-2017-7803 | P3 | HIGH | CVSS 7.5 | fixed in firefox 55.0-1 (sid) | 2017
When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
Scope: local
sid: resolved (fixed in 55.0-1)

CVE-2017-7811 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 56.0-1 (sid) | 2017
Memory safety bugs were reported in Firefox 55. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 56.
Scope: local
sid: resolved (fixed in 56.0-1)

CVE-2018-5090 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 58.0-1 (sid) | 2018
Memory safety bugs were reported in Firefox 57. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 58.
Scope: local
sid: resolved (fixed in 58.0-1)

CVE-2017-7762 | P3 | HIGH | CVSS 7.5 | fixed in firefox 54.0-1 (sid) | 2017
When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the addressbar. This can be used for spoofing the domain of the current page. This vulnerability affects Firefox < 54.
Scope: local
sid: resolved (fixed in 54.0-1)

CVE-2017-5450 | P3 | HIGH | CVSS 7.5 | fixed in firefox 52.0.1-1 (sid) | 2017
A mechanism to spoof the Firefox for Android addressbar using a "javascript:" URI. On Firefox for Android, the base domain is parsed incorrectly, making the resulting location less visibly a spoofed site and showing an incorrect domain in appended notifications. This vulnerability affects Firefox < 53.
Scope: local
sid: resolved (fixed in 52.0.1-1)

CVE-2017-5379 | P3 | HIGH | CVSS 7.5 | fixed in firefox 51.0-1 (sid) | 2017
Use-after-free vulnerability in Web Animations when interacting with cycle collection found through fuzzing. This vulnerability affects Firefox < 51.
Scope: local
sid: resolved (fixed in 51.0-1)

CVE-2025-8039 | P3 | HIGH | CVSS 8.1 | fixed in firefox 141.0-1 (sid) | 2025
In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
Scope: local
sid: resolved (fixed in 141.0-1)

CVE-2006-2723 | P4 | LOW | CVSS 5.0 | PoC | fixed in firefox 45.0-1 (sid) | 2006
CVE-2006-2723 [MEDIUM] CVE-2006-2723: firefox - Unspecified versions of Mozilla Firefox allow remote attackers to cause a denial...
Unspecified versions of Mozilla Firefox allow remote attackers to cause a denial of service (crash) via a web page that contains a large number of nested marquee tags. NOTE: a followup post indicated that the initial report could not be verified.
Scope: local
sid: resolved (fixed in 45.0-1)

CVE-2018-5153 | P3 | HIGH | CVSS 7.5 | fixed in firefox 60.0-1 (sid) | 2018
If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response. This vulnerability affects Firefox < 60.
Scope: local
sid: resolved (fixed in 60.0-1)

CVE-2016-9073 | P3 | HIGH | CVSS 7.5 | fixed in firefox 50.0-1 (sid) | 2016
WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox. This vulnerability affects Firefox < 50.
Scope: local
sid: resolved (fixed in 50.0-1)

CVE-2019-9809 | P3 | HIGH | CVSS 7.5 | fixed in firefox 66.0-1 (sid) | 2019
If the source for resources on a page is through an FTP connection, it is possible to trigger a series of modal alert messages for these resources through invalid credentials or locations. These messages cannot be immediately dismissed, allowing for a denial of service (DOS) attack. This vulnerability affects Firefox < 66.
Scope: local
sid: resolved (fixed in 66.0-1)