Mozilla Firefox vulnerabilities
3,148 known vulnerabilities affecting mozilla/firefox.
Total CVEs: 3,148
CISA KEV: 17 (actively exploited)
Public exploits: 122
Exploited in wild: 22
Severity breakdown: CRITICAL 862, HIGH 921, MEDIUM 1295, LOW 70
Vulnerabilities
Page 89 of 158
CVE-2015-7204 | MEDIUM | CVSS 6.8 | CWE-17 | ≤ 42.0, v41.0, +2 more | 2015-12-16
Mozilla Firefox before 43.0 does not properly store the properties of unboxed objects, which allows remote attackers to execute arbitrary code via crafted JavaScript variable assignments.
nvd, osv
CVE-2015-7222 | MEDIUM | CVSS 6.8 | CWE-189 | v38.0, v38.0.1, +8 more | 2015-12-16
Integer underflow in the Metadata::setData function in MetaData.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect memory allocation and application crash) via an MP4 video file with crafted covr metadata that triggers a buffer
nvd, osv
CVE-2015-7214 | MEDIUM | CVSS 5.0 | CWE-200 | v38.0, v38.0.1, +8 more | 2015-12-16
Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.
nvd, osv
CVE-2015-7216 | MEDIUM | CVSS 6.8 | CWE-20 | ≤ 42.0 | 2015-12-16
The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux GNOME platforms incorrectly enables the JasPer decoder, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted JPEG 2000 image.
nvd, osv
CVE-2015-7211 | MEDIUM | CVSS 5.0 | CWE-20 | ≤ 42.0 | 2015-12-16
Mozilla Firefox before 43.0 mishandles the # (number sign) character in a data: URI, which allows remote attackers to spoof web sites via unspecified vectors.
nvd, osv
CVE-2015-7182 | CRITICAL | CVSS 9.8 | CWE-119 | v38.0, v38.0.1, +7 more | 2015-11-05
Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING d
nvd
CVE-2015-4514 | HIGH | CVSS 7.5 | CWE-119 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 42.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
nvd, osv
CVE-2015-7198 | HIGH | CVSS 7.5 | CWE-119 | v38.0, v38.0.1, +7 more | 2015-11-05
Buffer overflow in the rx::TextureStorage11 class in ANGLE, as used in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted texture data.
nvd, osv
CVE-2015-7193 | HIGH | CVSS 7.5 | CWE-254 | v38.0, v38.0.1, +7 more | 2015-11-05
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation, which allows remote attackers to bypass the Same Origin Policy by leveraging the lack of a preflight-request step.
nvd, osv
CVE-2015-7181 | HIGH | CVSS 7.5 | CWE-119 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly
nvd
CVE-2015-7188 | HIGH | CVSS 7.5 | CWE-254 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appending whitespace characters to an IP address string.
nvd, osv
CVE-2015-7199 | HIGH | CVSS 7.5 | CWE-119 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
The (1) AddWeightedPathSegLists and (2) SVGPathSegListSMILType::Interpolate functions in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lack status checking, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted SVG document.
nvd, osv
CVE-2015-4513 | HIGH | CVSS 7.5 | CWE-119 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
nvd, osv
CVE-2015-7194 | HIGH | CVSS 7.5 | CWE-119 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
Buffer underflow in libjar in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ZIP archive.
nvd, osv
CVE-2015-7200 | HIGH | CVSS 7.5 | CWE-17 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
The CryptoKey interface implementation in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lacks status checking, which allows attackers to have an unspecified impact via vectors related to a cryptographic key.
nvd, osv
CVE-2015-7192 | HIGH | CVSS 7.5 | CWE-17 | ≤ 41.0.2 | 2015-11-05
The accessibility-tools feature in Mozilla Firefox before 42.0 on OS X improperly interacts with the implementation of the TABLE element, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using an NSAccessibilityIndexAttribute value to reference a row index.
nvd
CVE-2015-7183 | HIGH | CVSS 7.5 | CWE-119 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corrup
nvd
CVE-2015-7197 | MEDIUM | CVSS 5.0 | CWE-264 | ≤ 41.0.2, v38.0, +7 more | 2015-11-05
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code.
nvd, osv
CVE-2015-7189 | MEDIUM | CVSS 6.8 | CWE-119 | v38.0, v38.0.1, +7 more | 2015-11-05
Race condition in the JPEGEncoder function in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via vectors involving a CANVAS element and crafted JavaScript code.
nvd, osv
CVE-2015-7191 | MEDIUM | CVSS 4.3 | CWE-79 | ≤ 41.0.2 | 2015-11-05
Mozilla Firefox before 42.0 on Android improperly restricts URL strings in intents, which allows attackers to conduct cross-site scripting (XSS) attacks via vectors involving an intent: URL and fallback navigation, aka "Universal XSS (UXSS)."
nvd