Mozilla Firefox vulnerabilities

CVE-2004-1200 [MEDIUM] CVE-2004-1200: Firefox and Mozilla allow remote attackers to cause a denial of service (application crash from memo Firefox and Mozilla allow remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.

CVE-2004-1753 [LOW] CVE-2004-1753: The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs.

CVE-2004-2657 [LOW] CVE-2004-2657: Mozilla Firefox 1.5.0.1, and possibly other versions, preserves some records of user activity even a Mozilla Firefox 1.5.0.1, and possibly other versions, preserves some records of user activity even after uninstalling, which allows local users who share a Windows profile to view the records after a new installation of Firefox, as reported for the list of Passwords Never Saved web sites. NOTE: The vendor has disputed this issue, stating that "The uninstaller is

CVE-2004-0867 [HIGH] CWE-264 CVE-2004-0867: Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such a Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected.

CVE-2004-1381 [MEDIUM] CVE-2004-1381: Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks.

CVE-2004-1380 [MEDIUM] CVE-2004-1380: Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability."

CVE-2004-0866 [HIGH] CVE-2004-0866: Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such a Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.

CVE-2004-0905 [MEDIUM] CVE-2004-0905: Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possibly execute arbitrary code by convincing a user to drag and drop javascript: links to a frame or page in another domain.

CVE-2004-0764 [CRITICAL] CVE-2004-0764: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.

CVE-2004-0757 [CRITICAL] CVE-2004-0757: Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox be Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.

CVE-2004-0765 [HIGH] CVE-2004-0765: The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.

CVE-2004-0779 [HIGH] CVE-2004-0779: The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers do not properly verify that c The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers do not properly verify that cached passwords for SSL encrypted sites are only sent via SSL encrypted sessions to the site, which allows a remote attacker to cause a cached password to be sent in cleartext to a spoofed site.

CVE-2004-0761 [MEDIUM] CVE-2004-0761: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use ce Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.

CVE-2004-0763 [MEDIUM] CVE-2004-0763: Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites v Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method.

CVE-2004-0762 [MEDIUM] CVE-2004-0762: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to instal Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.

CVE-2004-0648 [CRITICAL] CVE-2004-0648: Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attack Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attackers to launch arbitrary programs via a URI referencing the shell: protocol.

CVE-2021-43527 [CRITICAL] Mozilla Foundation Security Advisory 2021-50: CVE-2021-43527 Mozilla Foundation Security Advisory 2021-50 CVE: CVE-2021-43527 Product: Thunderbird Impact: high Fixed in: Thunderbird 91.3

CVE-2021-32810 [CRITICAL] Mozilla Foundation Security Advisory 2021-47: CVE-2021-32810 Mozilla Foundation Security Advisory 2021-47 CVE: CVE-2021-32810 Product: Thunderbird Impact: high Fixed in: Thunderbird 91.2

CVE-2026-5731 [CRITICAL] Mozilla Foundation Security Advisory 2026-28: CVE-2026-5731 Mozilla Foundation Security Advisory 2026-28 CVE: CVE-2026-5731 Product: Thunderbird Impact: high Fixed in: Thunderbird 149.0.2

CVE-2021-44538 [CRITICAL] Mozilla Foundation Security Advisory 2021-55: CVE-2021-44538 Mozilla Foundation Security Advisory 2021-55 CVE: CVE-2021-44538 Product: Thunderbird Impact: moderate Fixed in: Thunderbird 91.4.1