Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42
Vulnerabilities
CVE-2024-2610 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 124.0-1 (sid) | 2024
Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
Scope: local
sid: resolved (fixed in 124.0-1)
debian
CVE-2024-9397 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 131.0-1 (sid) | 2024
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
Scope: local
sid: resolved (fixed in 131.0-1)
debian
CVE-2024-3859 | P4 | MEDIUM | CVSS 5.9 | fixed in firefox 125.0.1-1 (sid) | 2024
On 32-bit versions there were integer overflows that led to an out-of-bounds read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Scope: local
sid: resolved (fixed in 125.0.1-1)
debian
CVE-2019-11727 | P4 | LOW | CVSS 5.3 | fixed in firefox 68.0-1 (sid) | 2019
CVE-2019-11727 [MEDIUM] CVE-2019-11727: firefox - A vulnerability exists where it is possible to force Network Security Services (NSS...
A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
Scope: local
sid: resolved (fixed in 68.0
debian
CVE-2025-0237 | P4 | MEDIUM | CVSS 5.4 | fixed in firefox 134.0-1 (sid) | 2025
The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Scope: local
sid: resolved (fixed in 134.
debian
CVE-2006-6501 | P4 | HIGH | CVSS 6.8 | fixed in firefox 45.0-1 (sid) | 2006
CVE-2006-6501 [MEDIUM] CVE-2006-6501: firefox - Unspecified vulnerability in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1....
Unspecified vulnerability in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 allows remote attackers to gain privileges and install malicious code via the watch JavaScript function.
Scope: local
sid: resolved (fixed in 45.0-1)
debian
CVE-2018-12398 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 63.0-1 (sid) | 2018
By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63.
Scope: local
sid: resolved (fixed in 63.0-1)
debian
CVE-2018-18494 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 64.0-1 (sid) | 2018
A same-origin policy violation allowing the theft of cross-origin URL entries when using the JavaScript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.
Scope: local
sid:
debian
CVE-2018-5132 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 59.0-1 (sid) | 2018
The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. This could allow a malicious WebExtension to search for otherwise protected data if a user has it open. This vulnerability affects Firefox < 59.
Scope: local
sid: resolved (fixed in 59.0-1)
debian
CVE-2020-12424 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 78.0-1 (sid) | 2020
When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission, bypassing the prompt. This vulnerability affects Firefox < 78.
Scope: local
sid: resolved (fixed in 78.0-1)
debian
CVE-2020-12425 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 78.0-1 (sid) | 2020
Due to confusion processing a hyphen character in Date.parse(), a one-byte out-of-bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
Scope: local
sid: resolved (fixed in 78.0-1)
debian
CVE-2020-15652 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 79.0-1 (sid) | 2020
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1.
Scope: local
sid: resolved (fixed in 79.0-1)
debian
CVE-2017-7781 | P4 | MEDIUM | CVSS 5.9 | fixed in firefox 55.0-1 (sid) | 2017
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFINITY" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox < 55.
Scope:
debian
CVE-2021-29945 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 88.0-1 (sid) | 2021
The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.* This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
Scope: local
sid: resolved (fixed in 88.0-1)
debian
CVE-2019-5785 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 65.0.1-1 (sid) | 2019
Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
Scope: local
sid: resolved (fixed in 65.0.1-1)
debian
CVE-2006-2778 | P4 | HIGH | CVSS 5.0 | fixed in firefox 1.5.dfsg+1.5.0.4-1 (sid) | 2006
CVE-2006-2778 [MEDIUM] CVE-2006-2778: firefox - The crypto.signText function in Mozilla Firefox and Thunderbird before 1.5.0.4 a...
The crypto.signText function in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to execute arbitrary code via certain optional Certificate Authority name arguments, which causes an invalid array index and triggers a buffer overflow.
Scope: local
sid: resolved (fixed in 1.5.dfsg+1.5.0.4-1)
debian
CVE-2020-26961 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 83.0-1 (sid) | 2020
When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5,
debian
CVE-2018-18499 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 62.0-1 (sid) | 2018
A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.
Scope: loc
debian
CVE-2019-11748 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 69.0-1 (sid) | 2019
WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web con
debian
CVE-2021-29975 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 90.0-1 (sid) | 2021
Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion. This vulnerability affects Firefox < 90.
Scope: local
sid: resolved (fixed in 90.0-1)
debian