Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs
1,550
CISA KEV
11
actively exploited
Public exploits
39
Exploited in wild
20
Severity breakdown
CRITICAL333HIGH633MEDIUM542LOW42
Vulnerabilities
Page 57 of 78
CVE-2018-5131P4MEDIUMCVSS 5.9fixed in firefox 59.0-1 (sid)2018
CVE-2018-5131 [MEDIUM] CVE-2018-5131: firefox - Under certain circumstances the "fetch()" API can return transient local copies ...
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulne
debian
CVE-2023-25741P4MEDIUMCVSS 6.5fixed in firefox 110.0-1 (sid)2023
CVE-2023-25741 [MEDIUM] CVE-2023-25741: firefox - When dragging and dropping an image cross-origin, the image's size could potenti...
When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review. This vulnerability affects Firefox < 110.
Scope: local
sid: resolved (fixed in 110.0-1)
debian
CVE-2023-32211P4MEDIUMCVSS 6.5fixed in firefox 113.0-1 (sid)2023
CVE-2023-32211 [MEDIUM] CVE-2023-32211: firefox - A type checking bug would have led to invalid code being compiled. This vulnerab...
A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Scope: local
sid: resolved (fixed in 113.0-1)
debian
CVE-2022-22748P4MEDIUMCVSS 6.5fixed in firefox 96.0-1 (sid)2022
CVE-2022-22748 [MEDIUM] CVE-2022-22748: firefox - Malicious websites could have confused Firefox into showing the wrong origin whe...
Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Scope: local
sid: resolved (fixed in 96.0-1)
debian
CVE-2022-29916P4MEDIUMCVSS 6.5fixed in firefox 100.0-1 (sid)2022
CVE-2022-29916 [MEDIUM] CVE-2022-29916: firefox - Firefox behaved slightly differently for already known resources when loading CS...
Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Scope: local
sid: resolved (fixed in 100.0-1)
debian
CVE-2023-25751P4MEDIUMCVSS 6.5fixed in firefox 111.0-1 (sid)2023
CVE-2023-25751 [MEDIUM] CVE-2023-25751: firefox - Sometimes, when invalidating JIT code while following an iterator, the newly gen...
Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Scope: local
sid: resolved (fixed in 111.0-1)
debian
CVE-2022-45416P4MEDIUMCVSS 6.5fixed in firefox 107.0-1 (sid)2022
CVE-2022-45416 [MEDIUM] CVE-2022-45416: firefox - Keyboard events reference strings like "KeyA" that were at fixed, known, and wid...
Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Scope: local
sid: resolved (fixed in 107.0-1)
debian
CVE-2023-6872P4MEDIUMCVSS 6.5fixed in firefox 121.0-1 (sid)2023
CVE-2023-6872 [MEDIUM] CVE-2023-6872: firefox - Browser tab titles were being leaked by GNOME to system logs. This could potenti...
Browser tab titles were being leaked by GNOME to system logs. This could potentially expose the browsing habits of users running in a private tab. This vulnerability affects Firefox < 121.
Scope: local
sid: resolved (fixed in 121.0-1)
debian
CVE-2022-22745P4MEDIUMCVSS 6.5fixed in firefox 96.0-1 (sid)2022
CVE-2022-22745 [MEDIUM] CVE-2022-22745: firefox - Securitypolicyviolation events could have leaked cross-origin information for fr...
Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Scope: local
sid: resolved (fixed in 96.0-1)
debian
CVE-2022-29914P4MEDIUMCVSS 6.5fixed in firefox 100.0-1 (sid)2022
CVE-2022-29914 [MEDIUM] CVE-2022-29914: firefox - When reusing existing popups Firefox would have allowed them to cover the fullsc...
When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Scope: local
sid: resolved (fixed in 100.0-1)
debian
CVE-2022-31742P4MEDIUMCVSS 6.5fixed in firefox 101.0-1 (sid)2022
CVE-2022-31742 [MEDIUM] CVE-2022-31742: firefox - An attacker could have exploited a timing attack by sending a large number of al...
An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
Scope
debian
CVE-2022-31738P4MEDIUMCVSS 6.5fixed in firefox 101.0-1 (sid)2022
CVE-2022-31738 [MEDIUM] CVE-2022-31738: firefox - When exiting fullscreen mode, an iframe could have confused the browser about th...
When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
Scope: local
sid: resolved (fixed in 101.0-1)
debian
CVE-2023-6869P4MEDIUMCVSS 6.5fixed in firefox 121.0-1 (sid)2023
CVE-2023-6869 [MEDIUM] CVE-2023-6869: firefox - A `<dialog>` element could have been manipulated to paint content outside of ...
A ` ` element could have been manipulated to paint content outside of a sandboxed iframe. This could allow untrusted content to display under the guise of trusted content. This vulnerability affects Firefox < 121.
Scope: local
sid: resolved (fixed in 121.0-1)
debian
CVE-2024-1556P4MEDIUMCVSS 6.5fixed in firefox 123.0-1 (sid)2024
CVE-2024-1556 [MEDIUM] CVE-2024-1556: firefox - The incorrect object was checked for NULL in the built-in profiler, potentially ...
The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 123.
Scope: local
sid: resolved (fixed in 123.0-1)
debian
CVE-2023-23604P4MEDIUMCVSS 6.5fixed in firefox 109.0-1 (sid)2023
CVE-2023-23604 [MEDIUM] CVE-2023-23604: firefox - A duplicate `SystemPrincipal` object could be created when parsing a non-system ...
A duplicate `SystemPrincipal` object could be created when parsing a non-system html document via `DOMParser::ParseFromSafeString`. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.
Scope: local
sid: resolved (fixed in 109.0-1)
debian
CVE-2023-4580P4MEDIUMCVSS 6.5fixed in firefox 117.0-1 (sid)2023
CVE-2023-4580 [MEDIUM] CVE-2023-4580: firefox - Push notifications stored on disk in private browsing mode were not being encryp...
Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Scope: local
sid: resolved (fixed in 117.0-1)
debian
CVE-2025-8027P4MEDIUMCVSS 6.5fixed in firefox 141.0-1 (sid)2025
CVE-2025-8027 [MEDIUM] CVE-2025-8027: firefox - On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value ...
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Scope: local
sid: resolved (fixed in 141.0-1)
debian
CVE-2023-28164P4MEDIUMCVSS 6.5fixed in firefox 111.0-1 (sid)2023
CVE-2023-28164 [MEDIUM] CVE-2023-28164: firefox - Dragging a URL from a cross-origin iframe that was removed during the drag could...
Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Scope: local
sid: resolved (fixed in 111.0-1)
debian
CVE-2023-29549P4MEDIUMCVSS 6.5fixed in firefox 112.0-1 (sid)2023
CVE-2023-29549 [MEDIUM] CVE-2023-29549: firefox - Under certain circumstances, a call to the <code>bind</code> function may have r...
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Scope: local
sid: resolved (fixed in 112.0-1)
debian
CVE-2022-22757P4MEDIUMCVSS 6.5fixed in firefox 97.0-1 (sid)2022
CVE-2022-22757 [MEDIUM] CVE-2022-22757: firefox - Remote Agent, used in WebDriver, did not validate the Host or Origin headers. Th...
Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. *This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.
Scope: local
sid: resolved (fixed in 97.0-1)
debian