Mozilla >> Firefox Security Vulnerabilities
Memory corruption in the networking stack could have led to a potentially exploitable crash. This vulnerability affects Firefox < 125, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2024-06-11
If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the `Referer` and `Sec-*` headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 127.
CVSS Score: 5.3 | EPSS Score: 0.006 | Published: 2024-06-11
If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVSS Score: 8.1 | EPSS Score: 0.013 | Published: 2024-06-11
In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox < 127.
CVSS Score: 4.3 | EPSS Score: 0.008 | Published: 2024-06-11
By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVSS Score: 4.3 | EPSS Score: 0.04 | Published: 2024-06-11
By tricking the browser with an `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVSS Score: 4.7 | EPSS Score: 0.002 | Published: 2024-06-11
On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in the extension. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2024-06-11
Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVSS Score: 6.1 | EPSS Score: 0.016 | Published: 2024-06-11
An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. This vulnerability affects Firefox < 127.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2024-06-11
A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. This vulnerability affects Firefox < 126.
CVSS Score: 8.2 | EPSS Score: 0.005 | Published: 2024-05-14

