
Debian Firefox vulnerabilities

1,550 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,550
CISA KEV (actively exploited): 11
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42

Vulnerabilities

Page 71 of 78
CVE-2019-9817 | P4 | MEDIUM | CVSS 5.3 | 2019 | fixed in firefox 67.0-2 (sid) | source: debian
Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
Scope: local. sid: resolved (fixed in 67.0-2).

CVE-2025-4089 | P4 | MEDIUM | CVSS 5.1 | 2025 | fixed in firefox 138.0-1 (sid) | source: debian
Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138.
Scope: local. sid: resolved (fixed in 138.0-1).

CVE-2019-11720 | P4 | MEDIUM | CVSS 6.1 | 2019 | fixed in firefox 68.0-1 (sid) | source: debian
Some Unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox < 68.
Scope: local. sid: resolved (fixed in 68.0-1).

CVE-2006-2784 | P4 | MEDIUM | CVSS 5.1 | 2006 | fixed in firefox 1.5.dfsg+1.5.0.4-1 (sid) | source: debian
The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows remote user-assisted attackers to execute privileged code by tricking a user into installing missing plugins and selecting the "Manual Install" button, then using nested javascript: URLs. NOTE: the manual install button is used for downloading software from a remote web site, so this issue would

CVE-2006-3810 | P4 | HIGH (entry detail says MEDIUM) | CVSS 6.8 | 2006 | fixed in firefox 1.5.dfsg+1.5.0.5-1 (sid) | source: debian
Cross-site scripting (XSS) vulnerability in Mozilla Firefox 1.5 before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMonkey before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the XPCNativeWrapper(window).Function construct.
Scope: local. sid: resolved (fixed in 1.5.dfsg+1.5.0.5-1).

CVE-2017-5414 | P4 | MEDIUM | CVSS 5.5 | 2017 | fixed in firefox 52.0-1 (sid) | source: debian
The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird < 52.
Scope: local. sid: resolved (fixed in 52.0-1).

CVE-2006-1729 | P4 | MEDIUM | CVSS 4.3 | 2006 | fixed in firefox 1.5.dfsg+1.5.0.2-1 (sid) | source: debian
Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to read arbitrary files by (1) inserting the target filename into a text box, then turning that box into a file upload control, or (2) changing the type of the input control that is associated with an event handler.
Scope: local.

CVE-2024-5691 | P4 | MEDIUM | CVSS 4.7 | 2024 | fixed in firefox 127.0-1 (sid) | source: debian
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Scope: local. sid: resolved (fixed in 127.0-1).

CVE-2024-6601 | P4 | MEDIUM | CVSS 4.7 | 2024 | fixed in firefox 128.0-1 (sid) | source: debian
A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.
Scope: local. sid: resolved (fixed in 128.0-1).

CVE-2025-5264 | P4 | MEDIUM | CVSS 4.8 | 2025 | fixed in firefox 139.0-1 (sid) | source: debian
Due to insufficient escaping of the newline character in the "Copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
Scope: local. sid: resolved (fixed in 139.0-1).

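CVE-2025-4089 and CVE-2025-5264 are the same bug class: a shell command line assembled from attacker-controlled request fields (URL, header values, body) with incomplete quoting, which the user then pastes into a terminal. The page does not describe Mozilla's actual quoting code or the precise characters involved beyond "special characters" and "newline", so the following is an added example of the general hardening, not Mozilla's or Debian's code. It contrasts a weak quoting routine with one that single-quotes every field and never emits a raw control character, and it checks the result with a small POSIX-style word splitter that flags anything the shell would still expand. Function names (weakQuote, safeQuote, toCurl, shellSplit, roundTrips), the sample request, and the choice of bash/zsh `$'...'` quoting for control characters (not available in plain sh) are all assumptions of this example.

```javascript
// Added example, not Mozilla's or Debian's code. Names and the sample request
// below are hypothetical; ANSI-C $'...' quoting assumes a bash/zsh target.

// Weak quoting: double quotes, escaping only the quote character. Inside
// double quotes the shell still expands $var, $(cmd) and `cmd`; a value ending
// in a backslash turns the escaped closing quote into a literal one; and
// newlines / carriage returns are emitted raw.
function weakQuote(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Hardened quoting: single quotes (every byte literal except ', which becomes
// '\''); any control character forces $'...' so the command never contains a
// raw newline or carriage return.
function safeQuote(value) {
  if (!/[\x00-\x1f\x7f]/.test(value)) {
    return "'" + value.replace(/'/g, "'\\''") + "'";
  }
  let out = "$'";
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (ch === "\\") out += "\\\\";
    else if (ch === "'") out += "\\'";
    else if (ch === "\n") out += "\\n";
    else if (ch === "\r") out += "\\r";
    else if (ch === "\t") out += "\\t";
    else if (code < 0x20 || code === 0x7f) out += "\\x" + code.toString(16).padStart(2, "0");
    else out += ch;
  }
  return out + "'";
}

// The argv we intend, and the command line `quote` produces for it.
function toCurl(req, quote) {
  const argv = ["curl", req.url];
  if (req.method && req.method !== "GET") argv.push("-X", req.method);
  for (const [name, value] of Object.entries(req.headers || {})) {
    argv.push("-H", name + ": " + value);
  }
  if (req.body != null) argv.push("--data-raw", req.body);
  return { argv, command: argv.map(quote).join(" ") };
}

// Minimal POSIX-sh-style word splitter used as the check. It performs no
// expansion; it counts $ and ` outside single quotes, which is exactly where a
// real shell would expand or execute something. Handles '...', "..." with
// \" \\ \$ \` escapes, unquoted backslash, and $'...' with \n \r \t \\ \' \xHH.
function shellSplit(command) {
  const words = [];
  const n = command.length;
  let cur = "", inWord = false, expansions = 0, i = 0;
  while (i < n) {
    const c = command[i];
    if (c === " " || c === "\t" || c === "\n") {
      if (inWord) { words.push(cur); cur = ""; inWord = false; }
      i++;
    } else if (c === "\\") {
      cur += command[i + 1] ?? ""; inWord = true; i += 2;
    } else if (c === "'") {
      const end = command.indexOf("'", i + 1);
      if (end < 0) throw new Error("unterminated single quote");
      cur += command.slice(i + 1, end); inWord = true; i = end + 1;
    } else if (c === "$" && command[i + 1] === "'") {
      i += 2; inWord = true;
      while (i < n && command[i] !== "'") {
        if (command[i] === "\\") {
          const e = command[i + 1];
          if (e === "n") cur += "\n";
          else if (e === "r") cur += "\r";
          else if (e === "t") cur += "\t";
          else if (e === "x") { cur += String.fromCharCode(parseInt(command.slice(i + 2, i + 4), 16)); i += 2; }
          else cur += e; // \\ and \'
          i += 2;
        } else { cur += command[i]; i++; }
      }
      if (i >= n) throw new Error("unterminated $'...'");
      i++;
    } else if (c === '"') {
      i++; inWord = true;
      while (i < n && command[i] !== '"') {
        if (command[i] === "\\" && '"\\$`'.includes(command[i + 1] ?? "\0")) {
          cur += command[i + 1]; i += 2;
        } else {
          if (command[i] === "$" || command[i] === "`") expansions++;
          cur += command[i]; i++;
        }
      }
      if (i >= n) throw new Error("unterminated double quote");
      i++;
    } else {
      if (c === "$" || c === "`") expansions++;
      cur += c; inWord = true; i++;
    }
  }
  if (inWord) words.push(cur);
  return { words, expansions };
}

// True iff the command splits back into exactly the intended argv, with nothing
// left for the shell to expand and no raw line break (a pasted line break can
// submit a partial command before the closing quote arrives).
function roundTrips(req, quote) {
  const { argv, command } = toCurl(req, quote);
  if (/[\r\n]/.test(command)) return false;
  try {
    const { words, expansions } = shellSplit(command);
    return expansions === 0 && words.length === argv.length && words.every((w, k) => w === argv[k]);
  } catch (e) {
    return false; // unterminated quote: the shell would keep consuming input
  }
}

// Constructed sample request (not captured from any real site); the header and
// body carry the characters that defeat weakQuote.
const SAMPLE_REQUEST = {
  url: "https://example.test/api/login",
  method: "POST",
  headers: { "X-Trace": "abc $(id) tail\\", Cookie: "s=it's" },
  body: "user=a\r\npass=b",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(toCurl(SAMPLE_REQUEST, safeQuote).command);
  console.log("safe:", roundTrips(SAMPLE_REQUEST, safeQuote), "weak:", roundTrips(SAMPLE_REQUEST, weakQuote));
}
```

roundTrips is the property worth carrying into a test suite for any "copy as command" feature: every generated command must split back into the intended argv under the target shell's rules, with zero expansion points and no raw line breaks. The splitter here covers only the POSIX cases the example needs; for a Windows target the rules (cmd.exe, PowerShell) differ and need their own quoting and check.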
CVE-2024-0748 | P4 | MEDIUM | CVSS 4.3 | 2024 | fixed in firefox 122.0-1 (sid) | source: debian
A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.
Scope: local. sid: resolved (fixed in 122.0-1).

CVE-2006-6585 | P4 | MEDIUM | CVSS 6.4 | 2006 | fixed in firefox 45.0-1 (sid) | source: debian
The Extensions manager in Mozilla Firefox 2.0 does not properly populate the list of local extensions, which allows attackers to construct an extension that hides itself by finding its name in the list and then calling RemoveElement, as demonstrated by the FFsniFF extension. NOTE: it was later reported that 3.0 is also affected.
Scope: local. sid: resolved (fixed in 45.0-1).

CVE-2006-1742 | P4 | MEDIUM | CVSS 5.0 | 2006 | fixed in firefox 1.5.dfsg+1.5.0.2-2 (sid) | source: debian
The JavaScript engine in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly handle temporary variables that are not garbage collected, which might allow remote attackers to trigger operations on freed memory and cause memory corruption.
Scope: local. sid: resolved (fixed in 1.5.dfsg+1.5.0.2-2).

CVE-2024-3860 | P4 | MEDIUM | CVSS 6.2 | 2024 | fixed in firefox 125.0.1-1 (sid) | source: debian
An out-of-memory condition during object initialization could result in an empty shape list. If the JIT subsequently traced the object it would crash. This vulnerability affects Firefox < 125.
Scope: local. sid: resolved (fixed in 125.0.1-1).

CVE-2006-6503 | P4 | HIGH (entry detail says MEDIUM) | CVSS 6.8 | 2006 | fixed in firefox 45.0-1 (sid) | source: debian
Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 allows remote attackers to bypass cross-site scripting (XSS) protection by changing the src attribute of an IMG element to a javascript: URI.
Scope: local. sid: resolved (fixed in 45.0-1).

CVE-2006-6502 | P4 | HIGH | CVSS 7.1 | 2006 | fixed in firefox 45.0-1 (sid) | source: debian
Use-after-free vulnerability in the LiveConnect bridge code for Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 allows remote attackers to cause a denial of service (crash) via unknown vectors.
Scope: local. sid: resolved (fixed in 45.0-1).

CVE-2019-11728 | P4 | MEDIUM | CVSS 4.7 | 2019 | fixed in firefox 68.0-1 (sid) | source: debian
The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that is accessible to a user when web content is loaded. This vulnerability affects Firefox < 68.
Scope: local. sid: resolved (fixed in 68.0-1).

CVE-2007-0801 | P4 | LOW (entry detail says MEDIUM) | CVSS 4.3 | 2007 | fixed in firefox 45.0-1 (sid) | source: debian
The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox 1.5.0.9 creates temporary files with predictable filenames based on creation time, which allows remote attackers to execute arbitrary web script or HTML via a crafted XMLHttpRequest.
Scope: local. sid: resolved (fixed in 45.0-1).

CVE-2018-5172 | P4 | MEDIUM | CVSS 4.3 | 2018 | fixed in firefox 60.0-1 (sid) | source: debian
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page but does not allow for privilege escalation.

CVE-2016-2832 | P4 | MEDIUM | CVSS 4.3 | 2016 | fixed in firefox 47.0-1 (sid) | source: debian
Mozilla Firefox before 47.0 allows remote attackers to discover the list of disabled plugins via a fingerprinting attack involving Cascading Style Sheets (CSS) pseudo-classes.
Scope: local. sid: resolved (fixed in 47.0-1).