Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs
1,550
CISA KEV
11
actively exploited
Public exploits
39
Exploited in wild
20
Severity breakdown
CRITICAL333HIGH633MEDIUM542LOW42
Vulnerabilities
Page 70 of 78
CVE-2017-5427P4MEDIUMCVSS 5.5fixed in firefox 52.0-1 (sid)2017
CVE-2017-5427 [MEDIUM] CVE-2017-5427: firefox - A non-existent chrome.manifest file will attempt to be loaded during startup fro...
A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access puts chrome.manifest and other referenced files in this directory, they will be loaded and activated during startup. This could result in malicious software being added without consent or modification of referenc
debian
CVE-2022-36318P4MEDIUMCVSS 5.3fixed in firefox 103.0-1 (sid)2022
CVE-2022-36318 [MEDIUM] CVE-2022-36318: firefox - When visiting directory listings for `chrome://` URLs as source text, some param...
When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.
Scope: local
sid: resolved (fixed in 103.0-1)
debian
CVE-2024-10468P4MEDIUMCVSS 5.3fixed in firefox 132.0-1 (sid)2024
CVE-2024-10468 [MEDIUM] CVE-2024-10468: firefox - Potential race conditions in IndexedDB could have caused memory corruption, lead...
Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132 and Thunderbird < 132.
Scope: local
sid: resolved (fixed in 132.0-1)
debian
CVE-2021-38509P4MEDIUMCVSS 4.3fixed in firefox 94.0-1 (sid)2021
CVE-2021-38509 [MEDIUM] CVE-2021-38509: firefox - Due to an unusual sequence of attacker-controlled events, a Javascript alert() d...
Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
Scope: local
sid: resolved (fixed in 94.0-1)
debian
CVE-2025-4087P4MEDIUMCVSS 4.8fixed in firefox 138.0-1 (sid)2025
CVE-2025-4087 [MEDIUM] CVE-2025-4087: firefox - A vulnerability was identified in Thunderbird where XPath parsing could trigger ...
A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10.
Scope: local
sid: resolved
debian
CVE-2006-5748P4HIGHCVSS 5.0fixed in firefox 45.0-1 (sid)2006
CVE-2006-5748 [MEDIUM] CVE-2006-5748: firefox - Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox...
Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors that trigger memory corruption.
Scope: local
sid: resolved (fixed in 45.0-1)
debian
CVE-2016-2827P4MEDIUMCVSS 6.5fixed in firefox 49.0-1 (sid)2016
CVE-2016-2827 [MEDIUM] CVE-2016-2827: firefox - The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox before 49.0 ...
The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a Content Security Policy (CSP) referrer directive with zero values.
Scope: local
sid: resolved (fixed in 49.0-1)
debian
CVE-2016-5271P4MEDIUMCVSS 6.5fixed in firefox 49.0-1 (sid)2016
CVE-2016-5271 [MEDIUM] CVE-2016-5271: firefox - The PropertyProvider::GetSpacingInternal function in Mozilla Firefox before 49.0...
The PropertyProvider::GetSpacingInternal function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via text runs in conjunction with a "display: contents" Cascading Style Sheets (CSS) property.
Scope: local
sid: resolved (fixed in 49.0-1)
debian
CVE-2019-11715P4MEDIUMCVSS 6.1fixed in firefox 68.0-1 (sid)2019
CVE-2019-11715 [MEDIUM] CVE-2019-11715: firefox - Due to an error while parsing page content, it is possible for properly sanitize...
Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Scope: local
sid: resolved (fixed in 68.0-1)
debian
CVE-2016-5262P4MEDIUMCVSS 6.1fixed in firefox 48.0-1 (sid)2016
CVE-2016-5262 [MEDIUM] CVE-2016-5262: firefox - Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript ...
Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site.
Scope: local
sid: resolved (fixed in 48
debian
CVE-2017-7839P4MEDIUMCVSS 6.1fixed in firefox 57.0-1 (sid)2017
CVE-2017-7839 [MEDIUM] CVE-2017-7839: firefox - Control characters prepended before "javascript:" URLs pasted in the addressbar ...
Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerabi
debian
CVE-2019-11763P4MEDIUMCVSS 6.1fixed in firefox 70.0-1 (sid)2019
CVE-2019-11763 [MEDIUM] CVE-2019-11763: firefox - Failure to correctly handle null bytes when processing HTML entities resulted in...
Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mas
debian
CVE-2018-5143P4MEDIUMCVSS 6.1fixed in firefox 59.0-1 (sid)2018
CVE-2018-5143 [MEDIUM] CVE-2018-5143: firefox - URLs using "javascript:" have the protocol removed when pasted into the addressb...
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability a
debian
CVE-2017-5393P4MEDIUMCVSS 6.1fixed in firefox 51.0-1 (sid)2017
CVE-2017-5393 [MEDIUM] CVE-2017-5393: firefox - The "mozAddonManager" allows for the installation of extensions from the CDN for...
The "mozAddonManager" allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could allow malicious extensions to install additional extensions from the CDN in combination with an XSS attack on Mozilla AMO sites. This vulnerability affects Firefox < 51.
Scope: local
sid: resolved (fixed in 51.0-1)
debian
CVE-2022-34473P4MEDIUMCVSS 6.1fixed in firefox 102.0-1 (sid)2022
CVE-2022-34473 [MEDIUM] CVE-2022-34473: firefox - The HTML Sanitizer should have sanitized the <code>href</code> attribute of SVG ...
The HTML Sanitizer should have sanitized the href attribute of SVG tags; however it incorrectly did not sanitize xlink:href attributes. This vulnerability affects Firefox < 102.
Scope: local
sid: resolved (fixed in 102.0-1)
debian
CVE-2016-5265P4MEDIUMCVSS 5.5fixed in firefox 48.0-1 (sid)2016
CVE-2016-5265 [MEDIUM] CVE-2016-5265: firefox - Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted...
Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory.
Scope: local
sid: resolved (fixed in 48.0-1)
debian
CVE-2005-3896P4LOWCVSS 7.8fixed in firefox 1.5.dfsg-1 (sid)2005
CVE-2005-3896 [HIGH] CVE-2005-3896: firefox - Mozilla allows remote attackers to cause a denial of service (CPU consumption) v...
Mozilla allows remote attackers to cause a denial of service (CPU consumption) via a Javascript BODY onload event that calls the window function.
Scope: local
sid: resolved (fixed in 1.5.dfsg-1)
debian
CVE-2020-12405P4MEDIUMCVSS 5.3fixed in firefox 77.0-1 (sid)2020
CVE-2020-12405 [MEDIUM] CVE-2020-12405: firefox - When browsing a malicious page, a race condition in our SharedWorkerService coul...
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
Scope: local
sid: resolved (fixed in 77.0-1)
debian
CVE-2018-5106P4MEDIUMCVSS 5.3fixed in firefox 58.0-1 (sid)2018
CVE-2018-5106 [MEDIUM] CVE-2018-5106: firefox - Style editor traffic in the Developer Tools can be routed through a service work...
Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. This vulnerability affects Firefox < 58.
Scope: local
sid: resolved (fixed in 58.0-1)
debian
CVE-2017-7808P4MEDIUMCVSS 5.3fixed in firefox 55.0-1 (sid)2017
CVE-2017-7808 [MEDIUM] CVE-2017-7808: firefox - A content security policy (CSP) "frame-ancestors" directive containing origins w...
A content security policy (CSP) "frame-ancestors" directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information. This vulnerability affects Firefox < 55.
Scope: local
sid: resolved (fixed in 55.0-1)
debian