| 863467
|
|
UTF-7 SVG files treated as UTF-8, resulting in possible XSS issues (exection of "non-existing" scripts)
|
Core
|
General
|
nobody
|
UNCO
|
---
|
2024-05-30
|
| 700979
|
|
Can force webpage links to open in Thunderbird Tabs
|
Thunderbird
|
Message Reader UI
|
nobody
|
NEW
|
---
|
2024-02-27
|
| 647010
|
|
Only present HTTP authentication dialogs if it is the top-level document initiating the auth
|
Core
|
Networking: HTTP
|
nobody
|
NEW
|
---
|
2023-05-04
|
| 1481994
|
|
URL Spoofing by delaying a navigation and using the onbeforeunload dialog
|
Core
|
DOM: Navigation
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1598175
|
|
Potential origin spoofing because address bar truncates "facebook.com.evil.com" to "facebook.com..." instead of "...evil.com"
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2024-05-08
|
| 1667481
|
|
Crash in [@ mozilla::ipc::MessagePumpForNonMainThreads::Run]
|
Core
|
IPC
|
nobody
|
NEW
|
---
|
2023-08-03
|
| 1670725
|
|
Truncate URL bar from the front, preserve the important parts of the domain
|
Fenix
|
Toolbar
|
nobody
|
NEW
|
---
|
Wed 07:47
|
| 1808236
|
|
Intermittent TSAN socketprocess netwerk/test/unit/test_ech_grease.js | data race in memcpy
|
Core
|
Networking
|
nobody
|
NEW
|
---
|
2023-01-24
|
| 354493
|
|
Mitigate CSRF attacks against internal networks (block rfc 1918 local addresses from non-local addresses)
|
Core
|
Networking
|
nobody
|
NEW
|
---
|
2024-04-03
|
| 656343
|
|
After redirect to page requiring HTTP or FTP basic/username/password auth, the redirect destination is not in the address bar
|
Core
|
Networking: HTTP
|
nobody
|
NEW
|
---
|
2022-10-17
|
| 791128
|
|
Investigate impact of "Cookie Tossing" vulnerability from Microsoft BH paper
|
Core
|
Networking: Cookies
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 1262128
|
|
Cross-Protocol Theft from non-HTTP services via DNS rebinding + "HTTP/0.9"
|
Core
|
Networking
|
nobody
|
NEW
|
---
|
2023-10-30
|
| 1372288
|
|
[meta] WebExtensions can be used as user fingerprint
|
WebExtensions
|
General
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1631073
|
|
401 password prompt spoofing thing
|
Fenix
|
General
|
nobody
|
NEW
|
---
|
Wed 15:20
|
| 1670672
|
|
Never render redirect body (Controllable 302 to a ws://, wss://, or resource:// scheme executes an XSS payload)
|
Core
|
DOM: Navigation
|
nobody
|
NEW
|
---
|
2022-06-14
|
| 626414
|
|
Bug 394919 fix can fail if app runs out of memory
|
NSS
|
Libraries
|
nobody
|
NEW
|
---
|
2024-02-27
|
| 660749
|
|
Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache
|
Core
|
Networking: Cache
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1269142
|
|
Privilege escalation via shfolder.dll due to unsafe temp directory created by 7-zip extractors
|
Firefox
|
Installer
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 741050
|
|
Downloads initiated by other tabs are misleading
|
Firefox
|
File Handling
|
nobody
|
NEW
|
---
|
2024-05-29
|
| 822215
|
|
iframe-to-iframe cross-domain extraction method (UI Redressing)
|
Core
|
DOM: Copy & Paste an
|
nobody
|
NEW
|
---
|
2022-11-28
|
| 845194
|
|
Cross-domain drag and drop across IFrames.
|
Core
|
DOM: Copy & Paste an
|
nobody
|
NEW
|
---
|
2022-11-28
|
| 951804
|
|
Load order vulnerability may case Firefox to load untrusted dlls
|
Firefox
|
Security
|
nobody
|
NEW
|
---
|
2024-06-27
|
| 959893
|
|
[meta] WebRTC Internal IP Address Leakage
|
Core
|
WebRTC: Signaling
|
nobody
|
NEW
|
---
|
2023-05-16
|
| 1663987
|
|
Site Isolation enables timing attacks against partitioning across simultaneously open tabs
|
Core
|
Security
|
nobody
|
NEW
|
---
|
2024-03-14
|
| 1906831
|
|
Saved Passwords not protected by fingerprint if left open when you close phone or switch to another app
|
Fenix
|
Logins
|
nobody
|
NEW
|
---
|
2024-07-23
|
| 1741034
|
|
Guessing the URL a cross-origin iframe was redirected to by listening and counting the number of load events
|
Core
|
DOM: Navigation
|
afarre
|
ASSI
|
---
|
2024-05-30
|
| 1732421
|
|
Delay loading should use LOAD_WITH_ALTERED_SEARCH_PATH
|
Core
|
Security: Process Sa
|
bobowencode
|
ASSI
|
---
|
2023-06-22
|
| 1423437
|
|
Mailsploit: Do not unescape email addresses (forbidden by RFC 2047)
|
MailNews Core
|
MIME
|
kaie
|
ASSI
|
---
|
2023-02-28
|
| 381681
|
|
Form autocomplete information can be seen by evil sites convincing users to press arrow keys
|
Toolkit
|
Form Manager
|
nobody
|
REOP
|
---
|
2024-03-25
|
| 664633
|
|
Improve privacy & security of Thunderbird account autoconfiguration
|
Thunderbird
|
Account Manager
|
nobody
|
REOP
|
---
|
2024-06-13
|
| 1201160
|
|
Service workers violate SOP for "no-cors" CSS
|
Core
|
DOM: Service Workers
|
nobody
|
REOP
|
---
|
2023-01-04
|
| 1279126
|
|
Save hidden executable in users computer using 'Save Page As'
|
Firefox
|
File Handling
|
nobody
|
REOP
|
---
|
2024-05-30
|