Mozilla
Recent Mozilla Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2023-39 | Security Issues in Mozilla VPN for Linux prior to v2.16.1 mfsa2023-39 | August 30, 2023 |
| mfsa2022-08 | Mozilla VPN local privilege escalation vis uncontrolled OpenSSL search path mfsa2022-08 | February 23, 2022 |
| mfsa2021-31 | Multiple Low Security Issues in Mozilla VPN mfsa2021-31 | July 14, 2021 |
| mfsa2020-48 | OAuth session fixation vulnerability in Mozilla VPN mfsa2020-48 | November 4, 2020 |
| mfsa2016-69 | Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter mfsa2016-69 | August 2, 2016 |
| mfsa2016-55 | File overwrite and privilege escalation through Mozilla Windows updater mfsa2016-55 | June 7, 2016 |
| mfsa2015-100 | Arbitrary file manipulation by local user through Mozilla updater mfsa2015-100 | September 22, 2015 |
| mfsa2015-91 | Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification mfsa2015-91 | August 11, 2015 |
| mfsa2015-84 | Arbitrary file overwriting through Mozilla Maintenance Service with hard links mfsa2015-84 | August 11, 2015 |
| mfsa2015-58 | Mozilla Windows updater can be run outside of application directory mfsa2015-58 | May 12, 2015 |
By the Year
In 2024 there have been 0 vulnerabilities in Mozilla . Mozilla did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Mozilla vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Security Vulnerabilities
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header
CVE-2009-3010
- August 31, 2009
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.
XSS
The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names
CVE-2005-0238
- May 02, 2005
The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file
CVE-2005-0587
6.5 - Medium
- March 25, 2005
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
insecure temporary file
The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names
CVE-2005-0233
- February 08, 2005
The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
Opera offers an Open button to verify
CVE-2004-2659
- December 31, 2004
Opera offers an Open button to verify that a user wishes to execute a downloaded file, which allows user-assisted remote attackers to construct a race condition that tricks a user into clicking Open via a request for a different mouse or keyboard action very shortly before the Open dialog appears. NOTE: this is a different issue than CVE-2005-2407.
Race Condition
The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier
CVE-2003-0791
9.8 - Critical
- October 07, 2003
The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed.
Marshaling, Unmarshaling
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer
CVE-2002-0815
- August 12, 2002
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer, allows a remote web server to access HTTP and SOAP/XML content from restricted sites by mapping the malicious server's parent DNS domain name to the restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame, which is allowed because the document.domain of the two frames matches on the parent domain.
