U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:mozilla:firefox:4.0:beta7
There are 151 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2014-1501

Mozilla Firefox before 28.0 on Android allows remote attackers to bypass the Same Origin Policy and access arbitrary file: URLs via vectors involving the "Open Link in New Tab" menu selection.

Published: March 19, 2014; 6:55:06 AM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2014-1489

Mozilla Firefox before 27.0 does not properly restrict access to about:home buttons by script on other pages, which allows user-assisted remote attackers to cause a denial of service (session restore) via a crafted web site.

Published: February 06, 2014; 12:44:25 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-1484

Mozilla Firefox before 27.0 on Android 4.2 and earlier creates system-log entries containing profile paths, which allows attackers to obtain sensitive information via a crafted application.

Published: February 06, 2014; 12:44:24 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-5611

Mozilla Firefox before 26.0 does not properly remove the Application Installation doorhanger, which makes it easier for remote attackers to spoof a Web App installation site by controlling the timing of page navigation.

Published: December 11, 2013; 10:55:12 AM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2013-0790

Unspecified vulnerability in the browser engine in Mozilla Firefox before 20.0 on Android allows remote attackers to cause a denial of service (stack memory corruption and application crash) or possibly execute arbitrary code via unknown vectors involving a plug-in.

Published: April 03, 2013; 7:56:21 AM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2013-0751

Mozilla Firefox before 18.0 on Android and SeaMonkey before 2.15 do not restrict a touch event to a single IFRAME element, which allows remote attackers to obtain sensitive information or possibly conduct cross-site scripting (XSS) attacks via a crafted HTML document.

Published: January 13, 2013; 3:55:01 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2012-5837

The Web Developer Toolbar in Mozilla Firefox before 17.0 executes script with chrome privileges, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Published: November 21, 2012; 7:55:03 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-4210

The Style Inspector in Mozilla Firefox before 17.0 and Firefox ESR 10.x before 10.0.11 does not properly restrict the context of HTML markup and Cascading Style Sheets (CSS) token sequences, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted stylesheet.

Published: November 21, 2012; 7:55:02 AM -0500
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2012-4206

Untrusted search path vulnerability in the installer in Mozilla Firefox before 17.0 and Firefox ESR 10.x before 10.0.11 on Windows allows local users to gain privileges via a Trojan horse DLL in the default downloads directory.

Published: November 21, 2012; 7:55:01 AM -0500
V3.x:(not available)
V2.0: 6.9 MEDIUM
CVE-2012-4203

The New Tab page in Mozilla Firefox before 17.0 uses a privileged context for execution of JavaScript code by bookmarklets, which allows user-assisted remote attackers to run arbitrary programs by leveraging a javascript: URL in a bookmark.

Published: November 21, 2012; 7:55:01 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-4190

The FT2FontEntry::CreateFontEntry function in FreeType, as used in the Android build of Mozilla Firefox before 16.0.1 on CyanogenMod 10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.

Published: October 12, 2012; 6:44:20 AM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2012-3993

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact with failures of InstallTrigger methods, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, related to an "XrayWrapper pollution" issue.

Published: October 10, 2012; 1:55:02 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2012-3987

Mozilla Firefox before 16.0 on Android assigns chrome privileges to Reader Mode pages, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site.

Published: October 10, 2012; 1:55:01 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2012-3980

The web console in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, and Thunderbird ESR 10.x before 10.0.7 allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that injects this code and triggers an eval operation.

Published: August 29, 2012; 6:56:41 AM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2012-3979

Mozilla Firefox before 15.0 on Android does not properly implement unspecified callers of the __android_log_print function, which allows remote attackers to execute arbitrary code via a crafted web page that calls the JavaScript dump function.

Published: August 29, 2012; 6:56:41 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-3978

The nsLocation::CheckURL function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 does not properly follow the security model of the location object, which allows remote attackers to bypass intended content-loading restrictions or possibly have unspecified other impact via vectors involving chrome code.

Published: August 29, 2012; 6:56:41 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-3975

The DOMParser component in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 loads subresources during parsing of text/html data within an extension, which allows remote attackers to obtain sensitive information by providing crafted data to privileged extension code.

Published: August 29, 2012; 6:56:41 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-3974

Untrusted search path vulnerability in the installer in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, and Thunderbird ESR 10.x before 10.0.7 on Windows allows local users to gain privileges via a Trojan horse executable file in a root directory.

Published: August 29, 2012; 6:56:41 AM -0400
V3.x:(not available)
V2.0: 6.9 MEDIUM
CVE-2012-3973

The debugger in the developer-tools subsystem in Mozilla Firefox before 15.0, when remote debugging is disabled, does not properly restrict access to the remote-debugging service, which allows remote attackers to execute arbitrary code by leveraging the presence of the HTTPMonitor extension and connecting to that service through the HTTPMonitor port.

Published: August 29, 2012; 6:56:41 AM -0400
V3.x:(not available)
V2.0: 7.6 HIGH
CVE-2012-3971

Summer Institute of Linguistics (SIL) Graphite 2, as used in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the (1) Silf::readClassMap and (2) Pass::readPass functions.

Published: August 29, 2012; 6:56:40 AM -0400
V3.x:(not available)
V2.0: 10.0 HIGH