This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Mozilla First view 2011-03-10
Product Firefox Last view 2020-07-09
Version 9.0 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:mozilla:firefox

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
8.8 2020-07-09 CVE-2020-12426

Mozilla developers and community members reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 78.

6.5 2020-07-09 CVE-2020-12425

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.

6.5 2020-07-09 CVE-2020-12424

When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt. This vulnerability affects Firefox < 78.

7.8 2020-07-09 CVE-2020-12423

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating systems are unaffected.* This vulnerability affects Firefox < 78.

8.8 2020-07-09 CVE-2020-12422

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.

6.5 2020-07-09 CVE-2020-12421

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

8.8 2020-07-09 CVE-2020-12420

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

8.8 2020-07-09 CVE-2020-12419

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

6.5 2020-07-09 CVE-2020-12418

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

8.8 2020-07-09 CVE-2020-12417

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

8.8 2020-07-09 CVE-2020-12416

A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.

6.5 2020-07-09 CVE-2020-12415

When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory. This vulnerability affects Firefox < 78.

6.5 2020-07-09 CVE-2020-12414

IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. This vulnerability affects Firefox for iOS < 27.

4.3 2020-07-09 CVE-2020-12412

By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. This vulnerability affects Firefox < 70.

8.8 2020-07-09 CVE-2020-12411

Mozilla developers reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 77.

8.8 2020-07-09 CVE-2020-12410

Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

8.8 2020-07-09 CVE-2020-12409

When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL. This vulnerability affects Firefox < 77.

6.5 2020-07-09 CVE-2020-12408

When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar. This vulnerability affects Firefox < 77.

6.5 2020-07-09 CVE-2020-12407

Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content. This vulnerability affects Firefox < 77.

8.8 2020-07-09 CVE-2020-12406

Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

5.3 2020-07-09 CVE-2020-12405

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

4.3 2020-07-09 CVE-2020-12404

For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26.

4.4 2020-07-09 CVE-2020-12402

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.

4.4 2020-07-09 CVE-2020-12399

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

8.8 2020-07-09 CVE-2018-12371

An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.1, Thunderbird < 60, and Firefox < 61.

CWE : Common Weakness Enumeration

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
24% (268) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
10% (114) CWE-20 Improper Input Validation
9% (108) CWE-416 Use After Free
9% (103) CWE-200 Information Exposure
7% (86) CWE-264 Permissions, Privileges, and Access Controls
6% (71) CWE-399 Resource Management Errors
4% (52) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
2% (24) CWE-254 Security Features
2% (23) CWE-125 Out-of-bounds Read
1% (21) CWE-787 Out-of-bounds Write
1% (21) CWE-189 Numeric Errors
1% (16) CWE-17 Code
1% (15) CWE-362 Race Condition
1% (14) CWE-346 Origin Validation Error
1% (13) CWE-284 Access Control (Authorization) Issues
1% (13) CWE-190 Integer Overflow or Wraparound
1% (12) CWE-269 Improper Privilege Management
1% (12) CWE-94 Failure to Control Generation of Code ('Code Injection')
0% (10) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...
0% (8) CWE-704 Incorrect Type Conversion or Cast
0% (8) CWE-310 Cryptographic Issues
0% (7) CWE-352 Cross-Site Request Forgery (CSRF)
0% (6) CWE-276 Incorrect Default Permissions
0% (5) CWE-732 Incorrect Permission Assignment for Critical Resource
0% (5) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')

SAINT Exploits

Description Link
Firefox AttributeChildRemoved Use After Free More info here
Mozilla Firefox onreadystatechange Event Use After Free More info here
Mozilla Firefox XMLSerializer serializeToStream Use-after-free Vulnerability More info here
Firefox crypto.generateCRMFRequest command execution More info here

Open Source Vulnerability Database (OSVDB)

id Description
72475 Google Chrome Cross-Origin Error Message Leak Same Origin Policy Bypass

ExploitDB Exploits

id Description
34363 Firefox toString console.time Privileged Javascript Injection
30474 Firefox 5.0 - 15.0.1 - __exposedProps__ XCS Code Execution

OpenVAS Exploits

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2013-09-18 Name : Debian Security Advisory DSA 2406-1 (icedove - several vulnerabilities)
File : nvt/deb_2406_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2457-2 (iceweasel - several vulnerabilities)
File : nvt/deb_2457_2.nasl
2013-09-18 Name : Debian Security Advisory DSA 2458-2 (iceape - several vulnerabilities)
File : nvt/deb_2458_2.nasl
2013-09-18 Name : Debian Security Advisory DSA 2513-1 (iceape - several vulnerabilities)
File : nvt/deb_2513_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2553-1 (iceweasel - several vulnerabilities)
File : nvt/deb_2553_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2583-1 (iceweasel - several vulnerabilities)
File : nvt/deb_2583_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2584-1 (iceape - several vulnerabilities)
File : nvt/deb_2584_1.nasl
2013-09-18 Name : Debian Security Advisory DSA 2588-1 (icedove - several vulnerabilities)
File : nvt/deb_2588_1.nasl
2013-04-01 Name : Mozilla Firefox ESR Code Execution Vulnerabilities - November12 (Mac OS X)
File : nvt/gb_mozilla_firefox_esr_code_exec_vuln_nov12_macosx.nasl
2013-04-01 Name : Mozilla Firefox ESR Code Execution Vulnerabilities - November12 (Windows)
File : nvt/gb_mozilla_firefox_esr_code_exec_vuln_nov12_win.nasl
2012-12-13 Name : SuSE Update for MozillaFirefox, openSUSE-SU-2012:0760-1 (MozillaFirefox,)
File : nvt/gb_suse_2012_0760_1.nasl
2012-12-13 Name : SuSE Update for MozillaFirefox openSUSE-SU-2012:0899-1 (MozillaFirefox)
File : nvt/gb_suse_2012_0899_1.nasl
2012-12-13 Name : SuSE Update for MozillaThunderbird openSUSE-SU-2012:0917-1 (MozillaThunderbird)
File : nvt/gb_suse_2012_0917_1.nasl
2012-12-13 Name : SuSE Update for xulrunner openSUSE-SU-2012:0924-1 (xulrunner)
File : nvt/gb_suse_2012_0924_1.nasl
2012-12-13 Name : SuSE Update for seamonkey openSUSE-SU-2012:0935-1 (seamonkey)
File : nvt/gb_suse_2012_0935_1.nasl
2012-12-13 Name : SuSE Update for MozillaFirefox openSUSE-SU-2012:1064-1 (MozillaFirefox)
File : nvt/gb_suse_2012_1064_1.nasl
2012-12-13 Name : SuSE Update for MozillaFirefox openSUSE-SU-2012:1345-1 (MozillaFirefox)
File : nvt/gb_suse_2012_1345_1.nasl
2012-12-13 Name : SuSE Update for Mozilla Suite openSUSE-SU-2012:1412-1 (Mozilla Suite)
File : nvt/gb_suse_2012_1412_1.nasl
2012-12-06 Name : Fedora Update for seamonkey FEDORA-2012-18931
File : nvt/gb_fedora_2012_18931_seamonkey_fc16.nasl
2012-12-06 Name : Fedora Update for seamonkey FEDORA-2012-18952
File : nvt/gb_fedora_2012_18952_seamonkey_fc17.nasl
2012-12-04 Name : Ubuntu Update for firefox USN-1638-3
File : nvt/gb_ubuntu_USN_1638_3.nasl
2012-11-26 Name : FreeBSD Ports: firefox
File : nvt/freebsd_firefox72.nasl
2012-11-26 Name : Mozilla Firefox Code Execution Vulnerabilities - November12 (Mac OS X)
File : nvt/gb_mozilla_firefox_code_exec_vuln_nov12_macosx.nasl
2012-11-26 Name : Mozilla Firefox Code Execution Vulnerabilities - November12 (Windows)
File : nvt/gb_mozilla_firefox_code_exec_vuln_nov12_win.nasl
2012-11-26 Name : Mozilla Firefox ESR Multiple Vulnerabilities-01 November12 (Windows)
File : nvt/gb_mozilla_firefox_esr_mult_vuln01_nov12_win.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0223 Multiple Security Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0061473
2014-A-0113 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0053309
2014-A-0082 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0052487
2014-A-0064 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0050011
2014-A-0043 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0046769
2014-A-0021 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0043921
2013-A-0233 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0042596
2013-A-0220 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0042380
2013-A-0203 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0041365
2012-A-0189 Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1
Severity: Category I - VMSKEY: V0035032

Snort® IPS/IDS

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
Date Description
2020-07-23 Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt
RuleID : 54380 - Type : BROWSER-FIREFOX - Revision : 1
2020-07-23 Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt
RuleID : 54379 - Type : BROWSER-FIREFOX - Revision : 1
2020-05-07 Mozilla Firefox potential use after free attempt
RuleID : 53581 - Type : BROWSER-FIREFOX - Revision : 1
2020-05-07 Mozilla Firefox potential use after free attempt
RuleID : 53580 - Type : BROWSER-FIREFOX - Revision : 1
2020-02-11 Mozilla multiple products SharedWorker MessagePort memory corruption attempt
RuleID : 52569 - Type : BROWSER-FIREFOX - Revision : 1
2020-01-14 IonMonkey MArraySlice buffer overflow attempt
RuleID : 52431 - Type : BROWSER-FIREFOX - Revision : 1
2020-01-14 IonMonkey MArraySlice buffer overflow attempt
RuleID : 52430 - Type : BROWSER-FIREFOX - Revision : 1
2020-01-14 Mozilla Firefox RemotePrompt sandbox escape attempt
RuleID : 52425 - Type : BROWSER-FIREFOX - Revision : 1
2020-01-14 Mozilla Firefox RemotePrompt sandbox escape attempt
RuleID : 52424 - Type : BROWSER-FIREFOX - Revision : 1
2019-10-08 Mozilla Firefox Custom Elements write-after-free attempt
RuleID : 51440 - Type : BROWSER-FIREFOX - Revision : 1
2019-10-08 Mozilla Firefox Custom Elements write-after-free attempt
RuleID : 51439 - Type : BROWSER-FIREFOX - Revision : 1
2019-08-13 Mozilla Firefox RemotePrompt sandbox escape attempt
RuleID : 50697 - Type : BROWSER-FIREFOX - Revision : 2
2019-08-13 Mozilla Firefox RemotePrompt sandbox escape attempt
RuleID : 50696 - Type : BROWSER-FIREFOX - Revision : 2
2019-07-31 Mozilla Firefox Array.prototype.pop type confusion attempt
RuleID : 50519 - Type : BROWSER-FIREFOX - Revision : 2
2019-07-31 Mozilla Firefox Array.prototype.pop type confusion attempt
RuleID : 50518 - Type : BROWSER-FIREFOX - Revision : 2
2019-05-24 Mozilla Firefox DOMSVGLength appendItem use after free attempt
RuleID : 49918 - Type : BROWSER-FIREFOX - Revision : 1
2019-05-24 Mozilla Firefox DOMSVGLength appendItem use after free attempt
RuleID : 49917 - Type : BROWSER-FIREFOX - Revision : 1
2019-01-17 Mozilla Firefox method array.prototype.push remote code execution attempt
RuleID : 48626 - Type : BROWSER-FIREFOX - Revision : 2
2019-01-17 Mozilla Firefox method array.prototype.push remote code execution attempt
RuleID : 48625 - Type : BROWSER-FIREFOX - Revision : 2
2019-01-10 Mozilla Firefox javascript type confusion code execution attempt
RuleID : 48565 - Type : BROWSER-FIREFOX - Revision : 1
2019-01-10 Mozilla Firefox javascript type confusion code execution attempt
RuleID : 48564 - Type : BROWSER-FIREFOX - Revision : 1
2018-12-07 out-of-bounds write attempt with malicious MAR file detected
RuleID : 48296 - Type : FILE-OTHER - Revision : 2
2018-12-07 out-of-bounds write attempt with malicious MAR file detected
RuleID : 48295 - Type : FILE-OTHER - Revision : 2
2018-11-10 libvorbis VORBIS audio data out of bounds write attempt
RuleID : 48106 - Type : FILE-MULTIMEDIA - Revision : 1
2018-11-10 libvorbis VORBIS audio data out of bounds write attempt
RuleID : 48105 - Type : FILE-MULTIMEDIA - Revision : 1

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-34f7f68029.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-def329f680.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-fd194a1f14.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1414.nasl - Type: ACT_GATHER_INFO
2018-12-27 Name: The remote CentOS host is missing a security update.
File: centos_RHSA-2018-3831.nasl - Type: ACT_GATHER_INFO
2018-12-27 Name: The remote CentOS host is missing a security update.
File: centos_RHSA-2018-3833.nasl - Type: ACT_GATHER_INFO
2018-12-18 Name: A web browser installed on the remote macOS host is affected by multiple vuln...
File: macosx_firefox_62_0.nasl - Type: ACT_GATHER_INFO
2018-12-14 Name: The remote Debian host is missing a security update.
File: debian_DLA-1605.nasl - Type: ACT_GATHER_INFO
2018-12-13 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4354.nasl - Type: ACT_GATHER_INFO
2018-12-13 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_d10b49b28d0249e8afde0844626317af.nasl - Type: ACT_GATHER_INFO
2018-12-12 Name: A web browser installed on the remote macOS host is affected by multiple vuln...
File: macosx_firefox_60_4_esr.nasl - Type: ACT_GATHER_INFO
2018-12-12 Name: A web browser installed on the remote macOS host is affected by multiple vuln...
File: macosx_firefox_64_0.nasl - Type: ACT_GATHER_INFO
2018-12-12 Name: A web browser installed on the remote Windows host is affected by multiple vu...
File: mozilla_firefox_60_4_esr.nasl - Type: ACT_GATHER_INFO
2018-12-12 Name: A web browser installed on the remote Windows host is affected by multiple vu...
File: mozilla_firefox_64_0.nasl - Type: ACT_GATHER_INFO
2018-12-11 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1384.nasl - Type: ACT_GATHER_INFO
2018-11-27 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-2831.nasl - Type: ACT_GATHER_INFO
2018-11-27 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-2885.nasl - Type: ACT_GATHER_INFO
2018-11-26 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201811-10.nasl - Type: ACT_GATHER_INFO
2018-11-26 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201811-13.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote CentOS host is missing a security update.
File: centos_RHSA-2018-3531.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote CentOS host is missing a security update.
File: centos_RHSA-2018-3532.nasl - Type: ACT_GATHER_INFO
2018-11-13 Name: The remote Debian host is missing a security update.
File: debian_DLA-1575.nasl - Type: ACT_GATHER_INFO
2018-11-13 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4337.nasl - Type: ACT_GATHER_INFO
2018-11-09 Name: The remote CentOS host is missing a security update.
File: centos_RHSA-2018-3403.nasl - Type: ACT_GATHER_INFO
2018-11-09 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201811-04.nasl - Type: ACT_GATHER_INFO