cvebase

Debian Firefox vulnerabilities

1,550 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42

Vulnerabilities

Page 67 of 78
CVE-2026-0890 | P4 | MEDIUM | CVSS 5.4 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0890 [MEDIUM] firefox - Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)

CVE-2024-3862 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 125.0.1-1 (sid) | 2024
CVE-2024-3862 [MEDIUM] firefox - The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. This vulnerability affects Firefox < 125. Scope: local; sid: resolved (fixed in 125.0.1-1)

CVE-2006-5462 | P4 | HIGH | CVSS 4.0 | fixed in firefox 45.0-1 (sid) | 2006
CVE-2006-5462 [MEDIUM] firefox - Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for u

CVE-2018-18510 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 64.0-1 (sid) | 2018
CVE-2018-18510 [MEDIUM] firefox - The about:crashcontent and about:crashparent pages can be triggered by web content. These pages are used to crash the loaded page or the browser for test purposes. This issue allows for a non-persistent denial of service (DOS) attack by a malicious site which links to these pages. This vulnerability affects Firefox < 64. Scope: local; sid: resolved (fixed in 64.0-1

CVE-2006-3803 | P4 | HIGH | CVSS 5.1 | fixed in firefox 1.5.dfsg+1.5.0.5-1 (sid) | 2006
CVE-2006-3803 [MEDIUM] firefox - Race condition in the JavaScript garbage collection in Mozilla Firefox 1.5 before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 might allow remote attackers to execute arbitrary code by causing the garbage collector to delete a temporary variable while it is still being used during the creation of a new Function object. Scope: local; sid: resolved (

CVE-2016-9895 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 50.1.0-1 (sid) | 2016
CVE-2016-9895 [MEDIUM] firefox - Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Scope: local; sid: resolved (fixed in 50.1.0-1)

CVE-2018-5164 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 60.0-1 (sid) | 2018
CVE-2018-5164 [MEDIUM] firefox - Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60. Scope: local; sid: resolved (fixed in 60.0-1)

CVE-2017-5458 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 52.0.1-1 (sid) | 2017
CVE-2017-5458 [MEDIUM] firefox - When a "javascript:" URL is drag and dropped by a user into the addressbar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves. This vulnerability affects Firefox < 53. Scope: local; sid: resolved (fixed in 52.0.1-1)

CVE-2017-7799 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 55.0-1 (sid) | 2017
CVE-2017-7799 [MEDIUM] firefox - JavaScript in the "about:webrtc" page is not sanitized properly being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack. This vulnerability affects Firefox < 55. Scope: local; sid: resolved (

CVE-2021-43543 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 95.0-1 (sid) | 2021
CVE-2021-43543 [MEDIUM] firefox - Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. Scope: local; sid: resolved (fixed in 95.0-1)

CVE-2006-0296 | P4 | MEDIUM | CVSS 5.0 | fixed in firefox 1.5.dfsg+1.5.0.1-1 (sid) | 2006
CVE-2006-0296 [MEDIUM] firefox - The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. Scope: local; sid: resolved (fixed in 1.5.dfsg+1.5.0.1-1)

CVE-2020-26956 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 83.0-1 (sid) | 2020
CVE-2020-26956 [MEDIUM] firefox - In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. Scope: local; sid: resolved (fixed in 83.0-1)

CVE-2019-17000 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 70.0-1 (sid) | 2019
CVE-2019-17000 [MEDIUM] firefox - An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URIs. This vulnerability affects Firefox < 70. Scope: local; sid: resolved (fixed in 70.0-1)

CVE-2021-23955 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 85.0-1 (sid) | 2021
CVE-2021-23955 [MEDIUM] firefox - The browser could have been confused into transferring a pointer lock state into another tab, which could have led to clickjacking attacks. This vulnerability affects Firefox < 85. Scope: local; sid: resolved (fixed in 85.0-1)

CVE-2019-11741 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 69.0-1 (sid) | 2019
CVE-2019-11741 [MEDIUM] firefox - A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Fir

CVE-2017-5383 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 51.0-1 (sid) | 2017
CVE-2017-5383 [MEDIUM] firefox - URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Scope: local; sid: resolved (fixed in 51.0-1)

CVE-2023-29540 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 112.0-1 (sid) | 2023
CVE-2023-29540 [MEDIUM] firefox - Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. Scope: local; sid: resolved (fixed in 112.0-1)

CVE-2024-4775 | P4 | MEDIUM | CVSS 5.9 | fixed in firefox 126.0-1 (sid) | 2024
CVE-2024-4775 [MEDIUM] firefox - An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Note: This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 126. Scope: local; sid: resolved (fixed in 126.0-1)

CVE-2018-5114 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 58.0-1 (sid) | 2018
CVE-2018-5114 [MEDIUM] firefox - If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. This vulnerability affects Firefox < 58. Scope: local; sid: resolved (fixed in 58.0-1)

CVE-2017-7842 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 57.0-1 (sid) | 2017
CVE-2017-7842 [MEDIUM] firefox - If a document's Referrer Policy attribute is set to "no-referrer" sometimes two network requests are made for "" elements instead of one. One of these requests includes the referrer instead of respecting the set policy to not include a referrer on requests. This vulnerability affects Firefox < 57. Scope: local; sid: resolved (fixed in 57.0-1)
