Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:mozilla:firefox:18.0:*:*:*:*:*:*:*
There are 1,206 matching records.
Displaying matches 1,161 through 1,180.
Vuln ID Summary CVSS Severity
CVE-2013-0773

The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site.

Published: February 19, 2013; 6:55:01 PM -0500
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2013-0772

The RasterImage::DrawFrameTo function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) via a crafted GIF image.

Published: February 19, 2013; 6:55:01 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2013-0765

Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 do not prevent multiple wrapping of WebIDL objects, which allows remote attackers to bypass intended access restrictions via unspecified vectors.

Published: February 19, 2013; 6:55:01 PM -0500
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2013-1489

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.

Published: January 31, 2013; 9:55:01 AM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2013-0764

The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers to execute arbitrary code via crafted data, as demonstrated by e-mail message data.

Published: January 13, 2013; 3:55:02 PM -0500
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2012-4930

The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Published: September 15, 2012; 2:55:03 PM -0400
V3.x:(not available)
V2.0: 2.6 LOW
CVE-2012-4929

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Published: September 15, 2012; 2:55:03 PM -0400
V3.x:(not available)
V2.0: 2.6 LOW
CVE-2011-3079

The Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168, as used in Mozilla Firefox before 38.0 and other products, does not properly validate messages, which has unspecified impact and attack vectors.

Published: May 01, 2012; 6:12:04 AM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2011-3384

Cross-site scripting (XSS) vulnerability in the Sage add-on 1.3.10 and earlier for Firefox allows remote attackers to inject arbitrary web script or HTML via a crafted feed, a different vulnerability than CVE-2009-4102.

Published: September 08, 2011; 2:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-3389

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Published: September 06, 2011; 3:55:03 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-0341

Stack-based buffer overflow in the pdfmoz_onmouse function in apps/mozilla/moz_main.c in the MuPDF plug-in 2008.09.02 for Firefox allows remote attackers to execute arbitrary code via a crafted web site.

Published: May 13, 2011; 1:05:41 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2011-1179

The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to (1) plugin/nsScriptablePeer.cpp and (2) plugin/plugin.cpp, which trigger multiple uses of an uninitialized pointer.

Published: April 18, 2011; 1:55:01 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2011-0012

The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows local users to overwrite arbitrary files via a symlink attack on the usbrdrctl log file, which has a predictable name.

Published: April 18, 2011; 1:55:00 PM -0400
V3.x:(not available)
V2.0: 3.3 LOW
CVE-2011-0064

The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.

Published: March 07, 2011; 4:00:01 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2010-2794

The SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to overwrite arbitrary files via a symlink attack on an unspecified log file.

Published: August 30, 2010; 4:00:02 PM -0400
V3.x:(not available)
V2.0: 3.3 LOW
CVE-2010-2792

Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to obtain sensitive information, and conduct man-in-the-middle attacks, by providing a UNIX socket for communication between this plug-in and the client (aka qspice-client) in qspice 0.3.0, and then accessing this socket.

Published: August 30, 2010; 4:00:02 PM -0400
V3.x:(not available)
V2.0: 3.3 LOW
CVE-2010-2179

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, when Firefox or Chrome is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to URL parsing.

Published: June 15, 2010; 2:00:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2009-4630

Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, performs DNS prefetching of domain names contained in links within local HTML documents, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests. NOTE: the vendor disputes the significance of this issue, stating "I don't think we necessarily need to worry about that case."

Published: January 29, 2010; 1:30:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2009-4130

Visual truncation vulnerability in the MakeScriptDialogTitle function in nsGlobalWindow.cpp in Mozilla Firefox allows remote attackers to spoof the origin domain name of a script via a long name.

Published: December 14, 2009; 12:30:00 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2009-4129

Race condition in Mozilla Firefox allows remote attackers to produce a JavaScript message with a spoofed domain association by writing the message in between the document request and document load for a web page in a different domain.

Published: December 14, 2009; 12:30:00 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM