Mozilla Firefox vulnerabilities

3,197 known vulnerabilities affecting mozilla/firefox.

Total CVEs: 3,197
CISA KEV: 17 (actively exploited)
Public exploits: 122
Exploited in wild: 22
Severity breakdown: CRITICAL 865, HIGH 944, MEDIUM 1312, LOW 71, UNKNOWN 5

Vulnerabilities

Page 130 of 160
CVE-2009-3982 | CRITICAL | CVSS 9.3 | v3.5.1, v3.5.2, +3 more | 2009-12-17
Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3980 | CRITICAL | CVSS 9.3 | CWE-399 | v3.5.1, v3.5.2, +3 more | 2009-12-17
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3979 | CRITICAL | CVSS 9.3 | ≤ 3.0.15, v0.1, +97 more | 2009-12-17
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3987 | HIGH | CVSS 7.8 | CWE-200 | ≤ 3.0.15, v0.1, +97 more | 2009-12-17
The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls t
Source: nvd
CVE-2009-3986 | HIGH | CVSS 7.6 | CWE-94 | ≤ 3.0.15, v0.1, +97 more | 2009-12-17
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to execute arbitrary JavaScript with chrome privileges by leveraging a reference to a chrome window from a content window, related to the window.opener property.
Source: nvd
CVE-2009-3983 | MEDIUM | CVSS 6.8 | ≤ 3.0.15, v0.1, +97 more | 2009-12-17
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user.
Source: nvd
CVE-2009-3985 | MEDIUM | CVSS 6.8 | PoC | ≤ 3.0.15, v0.1, +97 more | 2009-12-17
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654.
Source: nvd
CVE-2009-3984 | MEDIUM | CVSS 6.8 | ≤ 3.0.15, v0.1, +97 more | 2009-12-17
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body.
Source: nvd
CVE-2009-3978 | MEDIUM | CVSS 4.3 | ≤ 3.5.4, v0.1, +64 more | 2009-11-19
The nsGIFDecoder2::GifWrite function in decoders/gif/nsGIFDecoder2.cpp in libpr0n in Mozilla Firefox before 3.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an animated GIF file with a large image size, a different vulnerability than CVE-2009-3373.
Source: nvd
CVE-2009-3378 | CRITICAL | CVSS 9.3 | v3.5.1, v3.5.2, +1 more | 2009-10-29
The oggplay_data_handle_theora_frame function in media/liboggplay/src/liboggplay/oggplay_data.c in liboggplay, as used in Mozilla Firefox 3.5.x before 3.5.4, attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and applic
Source: nvd
CVE-2009-3383 | CRITICAL | CVSS 10.0 | v3.5.1, v3.5.2, +1 more | 2009-10-29
Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3371 | CRITICAL | CVSS 10.0 | CWE-399 | v3.5.1, v3.5.2, +2 more | 2009-10-29
Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively.
Source: nvd
CVE-2009-3382 | CRITICAL | CVSS 10.0 | PoC | v3.0.1, v3.0.2, +12 more | 2009-10-29
layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2009-3377 | CRITICAL | CVSS 10.0 | v3.5, v3.5.1, +2 more | 2009-10-29
Multiple unspecified vulnerabilities in liboggz before cf5feeaab69b05e24, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3379 | CRITICAL | CVSS 10.0 | v3.5.1, v3.5.2, +1 more | 2009-10-29
Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Source: nvd
CVE-2009-3373 | CRITICAL | CVSS 10.0 | CWE-119 | PoC | v3.0, v3.0.1, +16 more | 2009-10-29
Heap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2009-3376 | CRITICAL | CVSS 9.3 | CWE-16 | v3.0, v3.0.1, +15 more | 2009-10-29
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file.
Source: nvd
CVE-2009-3380 | CRITICAL | CVSS 10.0 | v3.0.1, v3.0.2, +15 more | 2009-10-29
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3381 | CRITICAL | CVSS 10.0 | v3.5.1, v3.5.2, +1 more | 2009-10-29
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Source: nvd
CVE-2009-3372 | CRITICAL | CVSS 9.3 | v3.0, v3.0.1, +15 more | 2009-10-29
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file.
Source: nvd