Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown
CRITICAL: 333 | HIGH: 633 | MEDIUM: 542 | LOW: 42
Vulnerabilities
Page 51 of 78
CVE-2018-5105 | P4 | HIGH | CVSS 7.8 | fixed in firefox 58.0-1 (sid) | 2018
WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox < 58.
Scope: local
sid: resolved (fixed in 58.0-1)
debian
CVE-2006-3113 | P4 | HIGH | CVSS 7.5 | fixed in firefox 1.5.dfsg+1.5.0.5-1 (sid) | 2006
Mozilla Firefox 1.5 before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via simultaneous XPCOM events, which cause a timer object to be deleted in a way that triggers memory corruption.
Scope: local
sid: resolved (fixed in 1.5.dfsg+1.5.0.5-1)
debian
CVE-2018-12396 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 63.0-1 (sid) | 2018
A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
Scope: local
sid: resolved (fixed in 63.0-1)
debian
CVE-2022-42930 | P4 | HIGH | CVSS 7.1 | fixed in firefox 106.0-1 (sid) | 2022
If two Workers were simultaneously initializing their CacheStorage, a data race could have occurred in the `ThirdPartyUtil` component. This vulnerability affects Firefox < 106.
Scope: local
sid: resolved (fixed in 106.0-1)
debian
CVE-2017-7844 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 57.0.1-1 (sid) | 2017
A combination of an external SVG image referenced on a page and the coloring of anchor links stored within this image can be used to determine which pages a user has in their history. This can allow a malicious website to query user history. Note: This issue only affects Firefox 57. Earlier releases are not affected. This vulnerability affects Firefox < 57.0.1.
Scop
debian
CVE-2024-5700 | P4 | HIGH | CVSS 7.0 | fixed in firefox 127.0-1 (sid) | 2024
Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Scope: local
sid: resolved (fixed i
debian
CVE-2018-5152 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 60.0-1 (sid) | 2018
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directl
debian
CVE-2006-0294 | P4 | HIGH | CVSS 7.5 | fixed in firefox 1.5.dfsg+1.5.0.1-1 (sid) | 2006
Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory.
Scope: local
sid: resolved (fixed in 1.5.dfsg+1.5.0.1-1)
debian
CVE-2019-11725 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 68.0-1 (sid) | 2019
When a user navigates to a site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted, but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox < 68.
Scope: local
sid: resolved (fixed
debian
CVE-2019-17020 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 72.0-1 (sid) | 2019
If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox
debian
CVE-2006-2775 | P4 | HIGH | CVSS 7.5 | fixed in firefox 1.5.dfsg+1.5.0.4-1 (sid) | 2006
Mozilla Firefox and Thunderbird before 1.5.0.4 associate XUL attributes with the wrong URL under certain unspecified circumstances, which might allow remote attackers to bypass restrictions by causing a persisted string to be associated with the wrong URL.
Scope: local
sid: resolved (fixed in 1.5.dfsg+1.5.0.4-1)
debian
CVE-2023-5169 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 118.0-1 (sid) | 2023
A compromised content process could have provided malicious data in a `PathRecording` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.
Scope: local
sid: resolved (fixed in 118.0-1)
debian
CVE-2022-45410 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 107.0-1 (sid) | 2022
When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Scope: local
sid: resol
debian
CVE-2021-23982 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 87.0-1 (sid) | 2021
Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
Scope: local
sid: resolved (fixed in 87.0-1)
debian
CVE-2024-0753 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 122.0-1 (sid) | 2024
In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Scope: local
sid: resolved (fixed in 122.0-1)
debian
CVE-2022-45408 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 107.0-1 (sid) | 2022
Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Scope: local
sid: resolved (fixed in 107.0-1)
debian
CVE-2023-37207 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 115.0-1 (sid) | 2023
A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
Scope: local
sid: resolved (fixed in 115.0-1)
debian
CVE-2024-1547 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 123.0-1 (sid) | 2024
Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
Scope: local
sid: resolved (fixed in 123.0-1)
debian
CVE-2023-4053 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 116.0-1 (sid) | 2023
A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
Scope: local
sid: resolved (fixed in 116.0-1)
debian
CVE-2023-23598 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 109.0-1 (sid) | 2023
Due to the Firefox GTK wrapper code's use of text/plain for drag data, and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to `DataTransfer.setData`. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
Scope: local
sid: resolved (fixed in 109.0-1)
debian