Mozilla Firefox Extended Support Release (ESR)
Recent Mozilla Firefox Extended Support Release (ESR) Security Advisories
Advisory | Title | Published |
---|---|---|
mfsa2023-50 | Security Vulnerabilities fixed in Firefox ESR 115.5 | November 21, 2023 |
mfsa2023-46 | Security Vulnerabilities fixed in Firefox ESR 115.4 | October 24, 2023 |
mfsa2023-44 | Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0 | September 28, 2023 |
mfsa2023-42 | Security Vulnerabilities fixed in Firefox ESR 115.3 | September 26, 2023 |
mfsa2023-40 | Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 | September 12, 2023 |
mfsa2023-36 | Security Vulnerabilities fixed in Firefox ESR 115.2 | August 29, 2023 |
mfsa2023-35 | Security Vulnerabilities fixed in Firefox ESR 102.15 | August 29, 2023 |
mfsa2023-30 | Security Vulnerabilities fixed in Firefox ESR 102.14 | August 1, 2023 |
mfsa2023-31 | Security Vulnerabilities fixed in Firefox ESR 115.1 | August 1, 2023 |
mfsa2023-26 | Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2 | July 11, 2023 |
By the Year
In 2023 there have been 87 vulnerabilities in Mozilla Firefox Extended Support Release (ESR) with an average score of 7.3 out of ten. Last year Firefox Extended Support Release (ESR) had 93 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Firefox Extended Support Release (ESR) in 2023 could surpass last year's number. Last year, the average CVE base score was greater by 0.40.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 87 | 7.31 |
2022 | 93 | 7.71 |
2021 | 58 | 7.50 |
2020 | 74 | 7.81 |
2019 | 59 | 8.14 |
2018 | 51 | 8.72 |
It may take a day or so for new Firefox Extended Support Release (ESR) vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Firefox Extended Support Release (ESR) Security Vulnerabilities
On some systems, depending on the graphics settings and drivers, it was possible to force an out-of-bounds read and leak memory data into the images created on the
CVE-2023-6204
6.5 - Medium
- November 21, 2023
On some systems, depending on the graphics settings and drivers, it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Out-of-bounds Read
It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash
CVE-2023-6205
6.5 - Medium
- November 21, 2023
It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Dangling pointer
The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts
CVE-2023-6206
5.4 - Medium
- November 21, 2023
The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Clickjacking
Ownership mismanagement led to a use-after-free in ReadableByteStreams. This vulnerability affects Firefox < 120
CVE-2023-6207
8.8 - High
- November 21, 2023
Ownership mismanagement led to a use-after-free in ReadableByteStreams. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Dangling pointer
When using X11
CVE-2023-6208
8.8 - High
- November 21, 2023
When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/
CVE-2023-6209
6.5 - Medium
- November 21, 2023
Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Directory traversal
Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4
CVE-2023-6212
8.8 - High
- November 21, 2023
Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Memory Corruption
Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash
CVE-2023-5724
7.5 - High
- October 25, 2023
Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
A malicious installed WebExtension could open arbitrary URLs
CVE-2023-5725
4.3 - Medium
- October 25, 2023
A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
During garbage collection extra operations were performed on an object that should not be
CVE-2023-5728
7.5 - High
- October 25, 2023
During garbage collection extra operations were performed on an object that should not be. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay
CVE-2023-5721
4.3 - Medium
- October 25, 2023
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Clickjacking
Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
CVE-2023-5730
9.8 - Critical
- October 25, 2023
Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Memory Corruption
An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited
CVE-2023-5732
6.5 - Medium
- October 25, 2023
An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1
CVE-2023-5217
8.8 - High
- September 28, 2023
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Memory Corruption
A compromised content process could have provided malicious data in a `PathRecording` resulting in an out-of-bounds write
CVE-2023-5169
6.5 - Medium
- September 27, 2023
A compromised content process could have provided malicious data in a `PathRecording` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.
Memory Corruption
During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes
CVE-2023-5171
6.5 - Medium
- September 27, 2023
During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.
Dangling pointer
Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2
CVE-2023-5176
9.8 - Critical
- September 27, 2023
Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.
Memory Corruption
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2
CVE-2023-4863
8.8 - High
- September 12, 2023
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Memory Corruption
When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling `convertToRuntimeErrorAndClear`
CVE-2023-4578
6.5 - Medium
- September 11, 2023
When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Allocation of Resources Without Limits or Throttling
Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information
CVE-2023-4580
6.5 - Medium
- September 11, 2023
Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Missing Encryption of Sensitive Data
Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which
CVE-2023-4581
4.3 - Medium
- September 11, 2023
Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded
CVE-2023-4583
7.5 - High
- September 11, 2023
When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1
CVE-2023-4584
8.8 - High
- September 11, 2023
Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Memory Corruption
Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1
CVE-2023-4585
8.8 - High
- September 11, 2023
Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Memory Corruption
When creating a callback over IPC for showing the Color Picker window
CVE-2023-4574
6.5 - Medium
- September 11, 2023
When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Dangling pointer
When creating a callback over IPC for showing the File Picker window
CVE-2023-4575
6.5 - Medium
- September 11, 2023
When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Dangling pointer
When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage collected prior to entering the function
CVE-2023-4577
6.5 - Medium
- September 11, 2023
When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
When receiving rendering data over IPC `mStream` could have been destroyed when initialized
CVE-2023-4573
6.5 - Medium
- September 11, 2023
When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Dangling pointer
When the number of cookies per domain was exceeded in `document.cookie`
CVE-2023-4055
7.5 - High
- August 01, 2023
When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13
CVE-2023-4056
9.8 - Critical
- August 01, 2023
Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Memory Corruption
Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0
CVE-2023-4057
9.8 - Critical
- August 01, 2023
Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1.
Memory Corruption
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data
CVE-2023-4045
5.3 - Medium
- August 01, 2023
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Origin Validation Error
In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis
CVE-2023-4046
5.3 - Medium
- August 01, 2023
In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions
CVE-2023-4047
8.8 - High
- August 01, 2023
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Race conditions in reference counting code were found through code inspection
CVE-2023-4049
5.9 - Medium
- August 01, 2023
Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Race Condition
In some cases, an untrusted input stream was copied to a stack buffer without checking its size
CVE-2023-4050
7.5 - High
- August 01, 2023
In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Memory Corruption
An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations
CVE-2023-4048
7.5 - High
- August 01, 2023
An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
Out-of-bounds Read
The Firefox updater created a directory writable by non-privileged users
CVE-2023-4052
6.5 - Medium
- August 01, 2023
The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1.
insecure temporary file
During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash
CVE-2023-3600
8.8 - High
- July 12, 2023
During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash. This vulnerability affects Firefox < 115.0.2, Firefox ESR < 115.0.2, and Thunderbird < 115.0.1.
Dangling pointer
Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12
CVE-2023-37211
8.8 - High
- July 05, 2023
Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
Memory Corruption
A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL
CVE-2023-37207
6.5 - Medium
- July 05, 2023
A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
Reflection Injection
When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code
CVE-2023-37208
7.8 - High
- July 05, 2023
When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS
CVE-2023-37201
8.8 - High
- July 05, 2023
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
Dangling pointer
Cross-compartment wrappers wrapping a scripted proxy could have caused objects
CVE-2023-37202
8.8 - High
- July 05, 2023
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
Dangling pointer
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks
CVE-2023-34414
3.1 - Low
- June 19, 2023
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
Improper Certificate Validation
Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12
CVE-2023-34416
9.8 - Critical
- June 19, 2023
Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
Memory Corruption
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names
CVE-2023-29545
6.5 - Medium
- June 19, 2023
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
When reading a file, an uninitialized value could have been used as read limit
CVE-2023-32213
8.8 - High
- June 02, 2023
When reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Use of Uninitialized Resource
Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 108 and Firefox ESR 102.6
CVE-2023-23605
8.8 - High
- June 02, 2023
Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Memory Corruption
Regular expressions used to filter out forbidden properties and values
CVE-2023-23603
6.5 - Medium
- June 02, 2023
Regular expressions used to filter out forbidden properties and values from style directives in calls to `console.log` weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
When encoding data from an `inputStream` in `xpcom` the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write
CVE-2023-25732
8.8 - High
- June 02, 2023
When encoding data from an `inputStream` in `xpcom` the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Memory Corruption
Permission prompts for opening external schemes were only shown for `ContentPrincipals` resulting in extensions being able to open them without user interaction
CVE-2023-25729
8.8 - High
- June 02, 2023
Permission prompts for opening external schemes were only shown for `ContentPrincipals` resulting in extensions being able to open them without user interaction via `ExpandedPrincipals`. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
The `Content-Security-Policy-Report-Only` header could allow an attacker to leak a child iframe's unredacted URI when interaction with
CVE-2023-25728
6.5 - Medium
- June 02, 2023
The `Content-Security-Policy-Report-Only` header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file
CVE-2023-23598
6.5 - Medium
- June 02, 2023
Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to `DataTransfer.setData`. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash
CVE-2023-1945
6.5 - Medium
- June 02, 2023
Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
Memory Corruption
Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly
CVE-2023-25751
6.5 - Medium
- June 02, 2023
Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Mozilla developers Philipp and Gabriele Svelto reported memory safety bugs present in Firefox ESR 102.7
CVE-2023-25746
8.8 - High
- June 02, 2023
Mozilla developers Philipp and Gabriele Svelto reported memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8.
Memory Corruption
Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109 and Firefox ESR 102.7
CVE-2023-25744
8.8 - High
- June 02, 2023
Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8.
Memory Corruption
When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash
CVE-2023-25742
6.5 - Medium
- June 02, 2023
When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Module load requests
CVE-2023-25739
8.8 - High
- June 02, 2023
Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in `ScriptLoadContext`. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Dangling pointer
An invalid downcast from `nsTextNode` to `SVGElement` could have led to undefined behavior
CVE-2023-25737
8.8 - High
- June 02, 2023
An invalid downcast from `nsTextNode` to `SVGElement` could have led to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Cross-compartment wrappers wrapping a scripted proxy could have caused objects
CVE-2023-25735
8.8 - High
- June 02, 2023
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Dangling pointer
A background script invoking `requestFullscreen` and then blocking the main thread could force the browser into fullscreen mode indefinitely
CVE-2023-25730
5.4 - Medium
- June 02, 2023
A background script invoking `requestFullscreen` and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored
CVE-2023-23602
6.5 - Medium
- June 02, 2023
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Improper Check for Unusual or Exceptional Conditions
Navigations were being
CVE-2023-23601
6.5 - Medium
- June 02, 2023
Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Origin Validation Error
When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows
CVE-2023-28163
6.5 - Medium
- June 02, 2023
When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. *This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Mozilla developers and community members Gabriele Svelto
CVE-2023-32215
8.8 - High
- June 02, 2023
Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Memory Corruption
An attacker could have positioned a `datalist` element to obscure the address bar
CVE-2023-32212
4.3 - Medium
- June 02, 2023
An attacker could have positioned a `datalist` element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
A type checking bug would have led to invalid code being compiled
CVE-2023-32211
6.5 - Medium
- June 02, 2023
A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions
CVE-2023-32207
8.8 - High
- June 02, 2023
A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Authentication Bypass by Spoofing
An out-of-bound read could have led to a crash in the RLBox Expat driver
CVE-2023-32206
6.5 - Medium
- June 02, 2023
An out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Out-of-bounds Read
In multiple cases browser prompts could have been obscured by popups controlled by content
CVE-2023-32205
4.3 - Medium
- June 02, 2023
In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Mozilla developers Randell Jesup
CVE-2023-29550
8.8 - High
- June 02, 2023
Mozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result
CVE-2023-29548
6.5 - Medium
- June 02, 2023
A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created
CVE-2023-29547
6.5 - Medium
- June 02, 2023
When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
Firefox did not properly handle downloads of files ending in `.desktop`
CVE-2023-29541
8.8 - High
- June 02, 2023
Firefox did not properly handle downloads of files ending in `.desktop`, which can be interpreted to run attacker-controlled commands. *This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.* This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Output Sanitization
When handling the filename directive in the Content-Disposition header, the filename
CVE-2023-29539
8.8 - High
- June 02, 2023
When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
NULL Pointer Dereference
An attacker could cause the memory manager to incorrectly free a pointer
CVE-2023-29536
8.8 - High
- June 02, 2023
An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Dangling pointer
Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced
CVE-2023-29535
6.5 - Medium
- June 02, 2023
Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
A website could have obscured the fullscreen notification by using a combination of `window.open`
CVE-2023-29533
4.3 - Medium
- June 02, 2023
A website could have obscured the fullscreen notification by using a combination of `window.open`, fullscreen requests, `window.name` assignments, and `setInterval` calls. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.
Mozilla developers Timothy Nikkel
CVE-2023-28176
8.8 - High
- June 02, 2023
Mozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Memory Corruption
Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks
CVE-2023-28164
6.5 - Medium
- June 02, 2023
Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
While implementing AudioWorklets, some code may have cast one type to another, invalid, dynamic type
CVE-2023-28162
8.8 - High
- June 02, 2023
While implementing AudioWorklets, some code may have cast one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Incorrect Type Conversion or Cast
An attacker could construct a PKCS 12 cert bundle in such a way
CVE-2023-0767
8.8 - High
- June 02, 2023
An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds
CVE-2023-25752
6.5 - Medium
- June 02, 2023
When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have led future code to be incorrect and vulnerable. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could
CVE-2023-23599
6.5 - Medium
- June 02, 2023
When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Output Sanitization
The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification
CVE-2020-12413
5.9 - Medium
- February 16, 2023
The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.
Side Channel Attack
When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox
CVE-2022-26387
7.5 - High
- December 22, 2022
When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
TOCTTOU
Through a series of popups
CVE-2022-45408
6.5 - Medium
- December 22, 2022
Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification
CVE-2022-26383
4.3 - Medium
- December 22, 2022
When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash
CVE-2022-26381
8.8 - High
- December 22, 2022
An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
Dangling pointer
The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10
CVE-2022-34484
8.8 - High
- December 22, 2022
The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Dangling pointer
In the `nsTArray_Impl::ReplaceElementsAt()` function
CVE-2022-34481
8.8 - High
- December 22, 2022
In the `nsTArray_Impl::ReplaceElementsAt()` function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Integer Overflow or Wraparound
An iframe that was not permitted to run scripts could do so if the user clicked on a `javascript:` link
CVE-2022-34468
8.8 - High
- December 22, 2022
An iframe that was not permitted to run scripts could do so if the user clicked on a `javascript:` link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin
CVE-2022-29909
8.8 - High
- December 22, 2022
Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Incorrect Default Permissions
Mozilla developers and community members Nika Layzell
CVE-2022-28289
8.8 - High
- December 22, 2022
Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Memory Corruption
Due to a layout change, iframe contents could have been rendered outside of its border
CVE-2022-28286
5.4 - Medium
- December 22, 2022
Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Clickjacking
When generating the assembly code for `MLoadTypedArrayElementHole`, an incorrect AliasSet was used
CVE-2022-28285
6.5 - Medium
- December 22, 2022
When generating the assembly code for `MLoadTypedArrayElementHole`, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Out-of-bounds Read
By using a link with `rel="localization"` a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer
CVE-2022-28282
6.5 - Medium
- December 22, 2022
By using a link with `rel="localization"` a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Dangling pointer
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash
CVE-2022-46880
6.5 - Medium
- December 22, 2022
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6.
Dangling pointer
