Mozilla
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Mozilla.
Recent Mozilla Security Advisories
Advisory | Title | Published |
---|---|---|
mfsa2025-48 | Security Issue fixed in Mozilla VPN for macOS v2.28.0 mfsa2025-48 | May 30, 2025 |
mfsa2023-39 | Security Issues in Mozilla VPN for Linux prior to v2.16.1 mfsa2023-39 | August 30, 2023 |
mfsa2022-08 | Mozilla VPN local privilege escalation vis uncontrolled OpenSSL search path mfsa2022-08 | February 23, 2022 |
mfsa2021-31 | Multiple Low Security Issues in Mozilla VPN mfsa2021-31 | July 14, 2021 |
mfsa2020-48 | OAuth session fixation vulnerability in Mozilla VPN mfsa2020-48 | November 4, 2020 |
mfsa2016-69 | Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter mfsa2016-69 | August 2, 2016 |
mfsa2016-55 | File overwrite and privilege escalation through Mozilla Windows updater mfsa2016-55 | June 7, 2016 |
mfsa2015-100 | Arbitrary file manipulation by local user through Mozilla updater mfsa2015-100 | September 22, 2015 |
mfsa2015-91 | Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification mfsa2015-91 | August 11, 2015 |
mfsa2015-84 | Arbitrary file overwriting through Mozilla Maintenance Service with hard links mfsa2015-84 | August 11, 2015 |
By the Year
In 2025 there have been 0 vulnerabilities in Mozilla. Mozilla did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Mozilla vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Security Vulnerabilities
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header
CVE-2009-3010
- August 31, 2009
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.
XSS
Argument injection vulnerability involving Mozilla, when certain URIs are registered
CVE-2007-4039
- July 27, 2007
Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.
XSS
The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names
CVE-2005-0238
- May 02, 2005
The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file
CVE-2005-0587
6.5 - Medium
- March 25, 2005
Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
insecure temporary file
The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names
CVE-2005-0233
- February 08, 2005
The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
Opera offers an Open button to verify
CVE-2004-2659
- December 31, 2004
Opera offers an Open button to verify that a user wishes to execute a downloaded file, which allows user-assisted remote attackers to construct a race condition that tricks a user into clicking Open via a request for a different mouse or keyboard action very shortly before the Open dialog appears. NOTE: this is a different issue than CVE-2005-2407.
Race Condition
The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier
CVE-2003-0791
9.8 - Critical
- October 07, 2003
The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed.
Marshaling, Unmarshaling
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer
CVE-2002-0815
- August 12, 2002
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer, allows a remote web server to access HTTP and SOAP/XML content from restricted sites by mapping the malicious server's parent DNS domain name to the restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame, which is allowed because the document.domain of the two frames matches on the parent domain.