Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:mozilla:firefox:1.8
There are 1,544 matching records.
Displaying matches 1,481 through 1,500.
Vuln ID Summary CVSS Severity
CVE-2008-2807

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly handle an invalid .properties file for an add-on, which allows remote attackers to read uninitialized memory, as demonstrated by use of ISO 8859 encoding instead of UTF-8 encoding in a French .properties file.

Published: July 07, 2008; 7:41:00 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2008-2810

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut.

Published: July 07, 2008; 7:41:00 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2008-2811

The block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines.

Published: July 07, 2008; 7:41:00 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2008-2785

Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.

Published: June 19, 2008; 5:41:00 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2008-2399

Directory traversal vulnerability in the FireFTP add-on before 0.98.20080518 for Firefox allows remote FTP servers to create or overwrite arbitrary files via ..\ (dot dot backslash) sequences in responses to (1) MLSD and (2) LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder.

Published: May 22, 2008; 9:09:00 AM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2007-6715

Mozilla Firefox allows remote attackers to cause a denial of service (crash) via crafted image, as demonstrated by the zzuf lol-firefox.gif test case.

Published: April 17, 2008; 6:05:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-1380

The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237.

Published: April 17, 2008; 3:05:00 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2008-1240

LiveConnect in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 does not properly parse the content origin for jar: URIs before sending them to the Java plugin, which allows remote attackers to access arbitrary ports on the local machine. NOTE: this is closely related to CVE-2008-1195.

Published: March 27, 2008; 9:44:00 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2008-1233

Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution."

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2008-1234

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers."

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-1235

Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals."

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2008-1236

Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine.

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2008-1237

Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine.

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2008-1238

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2008-1241

GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab.

Published: March 27, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-0416

Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allow remote attackers to inject arbitrary web script or HTML via certain character encodings, including (1) a backspace character that is treated as whitespace, (2) 0x80 with Shift_JIS encoding, and (3) "zero-length non-ASCII sequences" in certain Asian character sets.

Published: February 11, 2008; 10:00:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-0420

modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10.

Published: February 11, 2008; 10:00:00 PM -0500
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2008-0593

Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.

Published: February 08, 2008; 8:00:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-0594

Mozilla Firefox before 2.0.0.12 does not always display a web forgery warning dialog if the entire contents of a web page are in a DIV tag that uses absolute positioning, which makes it easier for remote attackers to conduct phishing attacks.

Published: February 08, 2008; 8:00:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2008-0591

Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2".

Published: February 08, 2008; 7:00:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM