Mozilla Mozilla

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Mozilla.

Recent Mozilla Security Advisories

Advisory Title Published
mfsa2025-48 Security Issue fixed in Mozilla VPN for macOS v2.28.0 mfsa2025-48 May 30, 2025
mfsa2023-39 Security Issues in Mozilla VPN for Linux prior to v2.16.1 mfsa2023-39 August 30, 2023
mfsa2022-08 Mozilla VPN local privilege escalation vis uncontrolled OpenSSL search path mfsa2022-08 February 23, 2022
mfsa2021-31 Multiple Low Security Issues in Mozilla VPN mfsa2021-31 July 14, 2021
mfsa2020-48 OAuth session fixation vulnerability in Mozilla VPN mfsa2020-48 November 4, 2020
mfsa2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter mfsa2016-69 August 2, 2016
mfsa2016-55 File overwrite and privilege escalation through Mozilla Windows updater mfsa2016-55 June 7, 2016
mfsa2015-100 Arbitrary file manipulation by local user through Mozilla updater mfsa2015-100 September 22, 2015
mfsa2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification mfsa2015-91 August 11, 2015
mfsa2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links mfsa2015-84 August 11, 2015

By the Year

In 2025 there have been 0 vulnerabilities in Mozilla. Mozilla did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Mozilla vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Mozilla Security Vulnerabilities

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header

CVE-2009-3010 - August 31, 2009

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.

XSS

Argument injection vulnerability involving Mozilla, when certain URIs are registered

CVE-2007-4039 - July 27, 2007

Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.

XSS

The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names

CVE-2005-0238 - May 02, 2005

The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.

Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file

CVE-2005-0587 6.5 - Medium - March 25, 2005

Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.

insecure temporary file

The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names

CVE-2005-0233 - February 08, 2005

The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.

Opera offers an Open button to verify

CVE-2004-2659 - December 31, 2004

Opera offers an Open button to verify that a user wishes to execute a downloaded file, which allows user-assisted remote attackers to construct a race condition that tricks a user into clicking Open via a request for a different mouse or keyboard action very shortly before the Open dialog appears. NOTE: this is a different issue than CVE-2005-2407.

Race Condition

The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier

CVE-2003-0791 9.8 - Critical - October 07, 2003

The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed.

Marshaling, Unmarshaling

The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer

CVE-2002-0815 - August 12, 2002

The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer, allows a remote web server to access HTTP and SOAP/XML content from restricted sites by mapping the malicious server's parent DNS domain name to the restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame, which is allowed because the document.domain of the two frames matches on the parent domain.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Microsoft Internet Explorer (IE) or by Mozilla? Click the Watch button to subscribe.

Mozilla
Vendor

Mozilla
Product

subscribe