cvebase

Debian Firefox vulnerabilities

1,550 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333 | HIGH 633 | MEDIUM 542 | LOW 42

Vulnerabilities

Page 60 of 78
CVE-2023-37210 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 115.0-1 (sid) | 2023
A website could prevent a user from exiting full-screen mode via alert and prompt calls. This could lead to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115.
Scope: local; sid: resolved (fixed in 115.0-1)
debian
CVE-2025-11711 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 144.0-1 (sid) | 2025
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Scope: local; sid: resolved (fixed in 144.0-1)
debian
CVE-2024-2609 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 124.0-1 (sid) | 2024
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.
Scope: local; sid: resolved (fixed in 124.0-1)
debian
CVE-2024-5693 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 127.0-1 (sid) | 2024
Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Scope: local; sid: resolved (fixed in 127.0-1)
debian
CVE-2023-4049 | P4 | MEDIUM | CVSS 5.9 | fixed in firefox 116.0-1 (sid) | 2023
Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Scope: local; sid: resolved (fixed in 116.0-1)
debian
CVE-2017-7791 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 55.0-1 (sid) | 2017
On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
Scope: local; sid: resolved (fixed in 55.0-1)
debian
CVE-2021-29955 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 87.0-1 (sid) | 2021
A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87.
Scope: local sid: reso
debian
CVE-2019-11698 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 67.0-2 (sid) | 2019
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability
debian
CVE-2016-1956 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 45.0-1 (sid) | 2016
Mozilla Firefox before 45.0 on Linux, when an Intel video driver is used, allows remote attackers to cause a denial of service (memory consumption or stack memory corruption) by triggering use of a WebGL shader.
Scope: local; sid: resolved (fixed in 45.0-1)
debian
CVE-2018-5111 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 58.0-1 (sid) | 2018
When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identity of another site. This vulnerability affects Firefox < 58.
Scope: local; sid: resolved (fixed in 58.0-1)
debian
CVE-2021-43545 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 95.0-1 (sid) | 2021
Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
Scope: local; sid: resolved (fixed in 95.0-1)
debian
CVE-2018-5133 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 59.0-1 (sid) | 2018
If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This stored preference is also executed whenever an EME video player plugin di
debian
CVE-2019-11721 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 68.0-1 (sid) | 2019
The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68.
Scope: local; sid: resolved (fixed in 68.0-1)
debian
CVE-2016-5260 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 48.0-1 (sid) | 2016
Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file.
Scope: local; sid: resolved (fixed in 48.0-1)
debian
CVE-2019-17023 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 72.0-1 (sid) | 2019
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
Scope: local; sid: resolved (fixed in 72.0-1)
debian
CVE-2016-2829 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 47.0-1 (sid) | 2016
Mozilla Firefox before 47.0 allows remote attackers to spoof permission notifications via a crafted web site that rapidly triggers permission requests, as demonstrated by the microphone permission or the geolocation permission.
Scope: local; sid: resolved (fixed in 47.0-1)
debian
CVE-2019-11750 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 69.0-1 (sid) | 2019
A type confusion vulnerability exists in SpiderMonkey, which results in a non-exploitable crash. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
Scope: local; sid: resolved (fixed in 69.0-1)
debian
CVE-2020-6808 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 74.0-1 (sid) | 2020
When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by the document.location property, for example) was the originating javascript: URL which could lead to spoofing attacks; it is now correctly the URL of the originating do
debian
CVE-2021-23970 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 86.0-1 (sid) | 2021
Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. This vulnerability affects Firefox < 86.
Scope: local; sid: resolved (fixed in 86.0-1)
debian
CVE-2019-17016 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 72.0-1 (sid) | 2019
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
Scope: local; sid: resolved (fixed in 72.0-1)
debian