Mozilla Firefox vulnerabilities
3,197 known vulnerabilities affecting mozilla/firefox.
Total CVEs
3,197
CISA KEV
17
actively exploited
Public exploits
122
Exploited in wild
22
Severity breakdown
CRITICAL865HIGH944MEDIUM1312LOW71UNKNOWN5
Vulnerabilities
Page 122 of 160
CVE-2008-7293MEDIUMCVSS 5.8≤ 4.0v1.0+105 more2011-08-09
CVE-2008-7293 [MEDIUM] CWE-264 CVE-2008-7293: Mozilla Firefox before 4 cannot properly restrict modifications to cookies established in HTTPS sess
Mozilla Firefox before 4 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.
nvd
CVE-2011-0083CRITICALCVSS 10.0≤ 3.6.17v1.0+103 more2011-06-30
CVE-2011-0083 [CRITICAL] CWE-399 CVE-2011-0083: Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem function in the implementation of
Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplie
nvd
CVE-2011-2375CRITICALCVSS 10.0≤ 4.0.1v1.0+105 more2011-06-30
CVE-2011-2375 [CRITICAL] CVE-2011-2375: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 5.0 and Thunder
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 5.0 and Thunderbird through 3.1.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
nvd
CVE-2011-2365CRITICALCVSS 10.0v3.6.2v3.6.3+13 more2011-06-30
CVE-2011-2365 [CRITICAL] CVE-2011-2365: Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbi
Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbird before 3.1.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2364.
nvd
CVE-2011-2368CRITICALCVSS 10.0v4.0v4.0.12011-06-30
CVE-2011-2368 [CRITICAL] CWE-264 CVE-2011-2368: The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict write opera
The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict write operations, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
nvd
CVE-2011-2364CRITICALCVSS 10.0v3.6.2v3.6.3+13 more2011-06-30
CVE-2011-2364 [CRITICAL] CVE-2011-2364: Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbi
Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbird before 3.1.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2365.
nvd
CVE-2011-2376CRITICALCVSS 10.0≤ 3.6.17v1.0+103 more2011-06-30
CVE-2011-2376 [CRITICAL] CVE-2011-2376: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and Thun
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and Thunderbird before 3.1.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
nvd
CVE-2011-2363CRITICALCVSS 10.0≤ 3.6.17v1.0+103 more2011-06-30
CVE-2011-2363 [CRITICAL] CWE-399 CVE-2011-2363: Use-after-free vulnerability in the nsSVGPointList::AppendElement function in the implementation of
Use-after-free vulnerability in the nsSVGPointList::AppendElement function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplie
nvd
CVE-2011-0085CRITICALCVSS 10.0≤ 3.6.17v1.0+103 more2011-06-30
CVE-2011-0085 [CRITICAL] CWE-399 CVE-2011-0085: Use-after-free vulnerability in the nsXULCommandDispatcher function in Mozilla Firefox before 3.6.18
Use-after-free vulnerability in the nsXULCommandDispatcher function in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via a crafted XUL document that dequeues the current command updater.
nvd
CVE-2011-2374CRITICALCVSS 10.0≤ 3.6.17v1.0+105 more2011-06-30
CVE-2011-2374 [CRITICAL] CVE-2011-2374: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and 4.x
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
nvd
CVE-2011-2371CRITICALCVSS 10.0PoC≤ 3.6.17v1.0+105 more2011-06-30
CVE-2011-2371 [CRITICAL] CWE-189 CVE-2011-2371: Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.
Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.
nvd
CVE-2011-2373HIGHCVSS 7.6≤ 3.6.17v1.0+105 more2011-06-30
CVE-2011-2373 [HIGH] CWE-399 CVE-2011-2373: Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird bef
Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14, when JavaScript is disabled, allows remote attackers to execute arbitrary code via a crafted XUL document.
nvd
CVE-2011-2370MEDIUMCVSS 5.0≤ 4.0.1v1.0+105 more2011-06-30
CVE-2011-2370 [MEDIUM] CWE-264 CVE-2011-2370: Mozilla Firefox before 5.0 does not properly enforce the whitelist for the xpinstall functionality,
Mozilla Firefox before 5.0 does not properly enforce the whitelist for the xpinstall functionality, which allows remote attackers to trigger an installation dialog for a (1) add-on or (2) theme via unspecified vectors.
nvd
CVE-2011-2377MEDIUMCVSS 5.0≤ 3.6.17v1.0+105 more2011-06-30
CVE-2011-2377 [MEDIUM] CWE-119 CVE-2011-2377: Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey throug
Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace image.
nvd
CVE-2011-2369MEDIUMCVSS 4.3v4.0v4.0.12011-06-30
CVE-2011-2369 [MEDIUM] CWE-79 CVE-2011-2369: Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 4.0.1 allows remote attacker
Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 4.0.1 allows remote attackers to inject arbitrary web script or HTML via an SVG element containing an HTML-encoded entity.
nvd
CVE-2011-2598MEDIUMCVSS 4.3v4.0v4.0.12011-06-30
CVE-2011-2598 [MEDIUM] CWE-200 CVE-2011-2598: The WebGL implementation in Mozilla Firefox 4.x allows remote attackers to obtain screenshots of the
The WebGL implementation in Mozilla Firefox 4.x allows remote attackers to obtain screenshots of the windows of arbitrary desktop applications via vectors involving an SVG filter, an IFRAME element, and uninitialized data in graphics memory.
nvd
CVE-2011-2605MEDIUMCVSS 4.3≤ 3.6.17v1.0+105 more2011-06-30
CVE-2011-2605 [MEDIUM] CVE-2011-2605: CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/coo
CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/cookie/nsCookieService.cpp in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allows remote attackers to bypass intended access restrictions via a string containing a \n (newline) character, which is not properly handled in a Ja
nvd
CVE-2011-2367MEDIUMCVSS 6.4v4.0v4.0.12011-06-30
CVE-2011-2367 [MEDIUM] CWE-264 CVE-2011-2367: The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict read operat
The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict read operations, which allows remote attackers to obtain sensitive information from GPU memory associated with an arbitrary process, or cause a denial of service (application crash), via unspecified vectors.
nvd
CVE-2011-2362MEDIUMCVSS 5.0≤ 3.6.17v1.0+103 more2011-06-30
CVE-2011-2362 [MEDIUM] CWE-264 CVE-2011-2362: Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 do not distin
Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 do not distinguish between cookies for two domain names that differ only in a trailing dot, which allows remote web servers to bypass the Same Origin Policy via Set-Cookie headers.
nvd
CVE-2011-2366MEDIUMCVSS 4.3≤ 4.0.1v0.1+115 more2011-06-30
CVE-2011-2366 [MEDIUM] CWE-20 CVE-2011-2366: Mozilla Gecko before 5.0, as used in Firefox before 5.0 and Thunderbird before 5.0, does not block u
Mozilla Gecko before 5.0, as used in Firefox before 5.0 and Thunderbird before 5.0, does not block use of a cross-domain image as a WebGL texture, which allows remote attackers to obtain approximate copies of arbitrary images via a timing attack involving a crafted WebGL fragment shader.
nvd