Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2012-4199

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-16 Nov, 2012 | 11:00
Updated At-06 Aug, 2024 | 20:28
Rejected At-
Credits

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:16 Nov, 2012 | 11:00
Updated At:06 Aug, 2024 | 20:28
Rejected At:
â–¼CVE Numbering Authority (CNA)

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
vdb-entry
x_refsource_XF
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
vendor-advisory
x_refsource_MANDRIVA
http://www.bugzilla.org/security/3.6.11/
x_refsource_CONFIRM
https://bugzilla.mozilla.org/show_bug.cgi?id=731178
x_refsource_CONFIRM
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
Resource:
vdb-entry
x_refsource_XF
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Resource:
vendor-advisory
x_refsource_MANDRIVA
Hyperlink: http://www.bugzilla.org/security/3.6.11/
Resource:
x_refsource_CONFIRM
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=731178
Resource:
x_refsource_CONFIRM
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
vdb-entry
x_refsource_XF
x_transferred
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
vendor-advisory
x_refsource_MANDRIVA
x_transferred
http://www.bugzilla.org/security/3.6.11/
x_refsource_CONFIRM
x_transferred
https://bugzilla.mozilla.org/show_bug.cgi?id=731178
x_refsource_CONFIRM
x_transferred
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
Resource:
vdb-entry
x_refsource_XF
x_transferred
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Resource:
vendor-advisory
x_refsource_MANDRIVA
x_transferred
Hyperlink: http://www.bugzilla.org/security/3.6.11/
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=731178
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:16 Nov, 2012 | 12:24
Updated At:29 Apr, 2026 | 01:13

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private component names in certain circumstances involving custom-field visibility control, which allows remote attackers to obtain sensitive information by reading HTML source code.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CPE Matches

Mozilla Corporation
mozilla
>>bugzilla>>Versions up to 3.6.11(inclusive)
cpe:2.3:a:mozilla:bugzilla:*:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0
cpe:2.3:a:mozilla:bugzilla:3.0:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0
cpe:2.3:a:mozilla:bugzilla:3.0:rc1:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.0
cpe:2.3:a:mozilla:bugzilla:3.0.0:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.1
cpe:2.3:a:mozilla:bugzilla:3.0.1:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.2
cpe:2.3:a:mozilla:bugzilla:3.0.2:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.3
cpe:2.3:a:mozilla:bugzilla:3.0.3:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.4
cpe:2.3:a:mozilla:bugzilla:3.0.4:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.5
cpe:2.3:a:mozilla:bugzilla:3.0.5:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.6
cpe:2.3:a:mozilla:bugzilla:3.0.6:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.7
cpe:2.3:a:mozilla:bugzilla:3.0.7:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.8
cpe:2.3:a:mozilla:bugzilla:3.0.8:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.9
cpe:2.3:a:mozilla:bugzilla:3.0.9:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.10
cpe:2.3:a:mozilla:bugzilla:3.0.10:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.0.11
cpe:2.3:a:mozilla:bugzilla:3.0.11:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.1.0
cpe:2.3:a:mozilla:bugzilla:3.1.0:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.1.1
cpe:2.3:a:mozilla:bugzilla:3.1.1:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.1.2
cpe:2.3:a:mozilla:bugzilla:3.1.2:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.1.3
cpe:2.3:a:mozilla:bugzilla:3.1.3:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.1.4
cpe:2.3:a:mozilla:bugzilla:3.1.4:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2
cpe:2.3:a:mozilla:bugzilla:3.2:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2
cpe:2.3:a:mozilla:bugzilla:3.2:rc1:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2
cpe:2.3:a:mozilla:bugzilla:3.2:rc2:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.1
cpe:2.3:a:mozilla:bugzilla:3.2.1:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.2
cpe:2.3:a:mozilla:bugzilla:3.2.2:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.3
cpe:2.3:a:mozilla:bugzilla:3.2.3:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.4
cpe:2.3:a:mozilla:bugzilla:3.2.4:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.5
cpe:2.3:a:mozilla:bugzilla:3.2.5:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.6
cpe:2.3:a:mozilla:bugzilla:3.2.6:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.7
cpe:2.3:a:mozilla:bugzilla:3.2.7:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.8
cpe:2.3:a:mozilla:bugzilla:3.2.8:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.9
cpe:2.3:a:mozilla:bugzilla:3.2.9:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.2.10
cpe:2.3:a:mozilla:bugzilla:3.2.10:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.3
cpe:2.3:a:mozilla:bugzilla:3.3:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.3.1
cpe:2.3:a:mozilla:bugzilla:3.3.1:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.3.2
cpe:2.3:a:mozilla:bugzilla:3.3.2:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.3.3
cpe:2.3:a:mozilla:bugzilla:3.3.3:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.3.4
cpe:2.3:a:mozilla:bugzilla:3.3.4:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4
cpe:2.3:a:mozilla:bugzilla:3.4:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4
cpe:2.3:a:mozilla:bugzilla:3.4:rc1:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.1
cpe:2.3:a:mozilla:bugzilla:3.4.1:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.2
cpe:2.3:a:mozilla:bugzilla:3.4.2:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.3
cpe:2.3:a:mozilla:bugzilla:3.4.3:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.4
cpe:2.3:a:mozilla:bugzilla:3.4.4:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.5
cpe:2.3:a:mozilla:bugzilla:3.4.5:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.6
cpe:2.3:a:mozilla:bugzilla:3.4.6:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.7
cpe:2.3:a:mozilla:bugzilla:3.4.7:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.8
cpe:2.3:a:mozilla:bugzilla:3.4.8:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.9
cpe:2.3:a:mozilla:bugzilla:3.4.9:*:*:*:*:*:*:*
Mozilla Corporation
mozilla
>>bugzilla>>3.4.10
cpe:2.3:a:mozilla:bugzilla:3.4.10:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-200Primarynvd@nist.gov
CWE ID: CWE-200
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://www.bugzilla.org/security/3.6.11/cve@mitre.org
Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066cve@mitre.org
N/A
https://bugzilla.mozilla.org/show_bug.cgi?id=731178cve@mitre.org
N/A
https://exchange.xforce.ibmcloud.com/vulnerabilities/80029cve@mitre.org
N/A
http://www.bugzilla.org/security/3.6.11/af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:066af854a3a-2127-422b-91ae-364da2661108
N/A
https://bugzilla.mozilla.org/show_bug.cgi?id=731178af854a3a-2127-422b-91ae-364da2661108
N/A
https://exchange.xforce.ibmcloud.com/vulnerabilities/80029af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: http://www.bugzilla.org/security/3.6.11/
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=731178
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.bugzilla.org/security/3.6.11/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:066
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=731178
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/80029
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1455Records found

CVE-2020-6793
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.47% / 70.65%
||
7 Day CHG~0.00%
Published-02 Mar, 2020 | 04:05
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location. This vulnerability affects Thunderbird < 68.5.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdThunderbird
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2020-6792
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.30% / 66.92%
||
7 Day CHG~0.00%
Published-02 Mar, 2020 | 04:05
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-ubuntu_linuxthunderbirdThunderbird
CWE ID-CWE-909
Missing Initialization of Resource
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2020-6794
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.99% / 58.25%
||
7 Day CHG~0.00%
Published-02 Mar, 2020 | 04:05
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-ubuntu_linuxthunderbirdThunderbird
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-459
Incomplete Cleanup
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-35111
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.17% / 63.63%
||
7 Day CHG-0.01%
Published-07 Jan, 2021 | 13:50
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CVE-2008-5697
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-2.17% / 80.12%
||
7 Day CHG~0.00%
Published-22 Dec, 2008 | 15:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The skype_tool.copy_num method in the Skype extension BETA 2.2.0.95 for Firefox allows remote attackers to write arbitrary data to the clipboard via a string argument.

Action-Not Available
Vendor-skypen/aMozilla Corporation
Product-skype_extension_for_firefoxfirefoxn/a
CVE-2020-26965
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.24% / 65.44%
||
7 Day CHG-0.00%
Published-09 Dec, 2020 | 00:24
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2020-15661
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.84% / 53.53%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 17:43
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A rogue webpage could override the injected WKUserScript used by the logins autofill, this exploit could result in leaking a password for the current domain. This vulnerability affects Firefox for iOS < 28.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox for iOS
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-15652
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.26% / 66.12%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 17:43
Updated-21 Oct, 2024 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-346
Origin Validation Error
CVE-2020-15655
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.53% / 71.66%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 17:43
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A redirected HTTP request which is observed or modified through a web extension could bypass existing CORS checks, leading to potential disclosure of cross-origin information. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

Action-Not Available
Vendor-Canonical Ltd.openSUSEMozilla Corporation
Product-ubuntu_linuxthunderbirdfirefoxfirefox_esrleapFirefoxFirefox ESRThunderbird
CVE-2020-16012
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-4.3||MEDIUM
EPSS-2.47% / 82.56%
||
7 Day CHG~0.00%
Published-08 Jan, 2021 | 17:48
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Action-Not Available
Vendor-Mozilla CorporationGoogle LLC
Product-chromefirefoxChrome
CVE-2020-15646
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.96% / 57.25%
||
7 Day CHG+0.01%
Published-08 Oct, 2020 | 13:37
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker. This vulnerability affects Thunderbird < 68.10.0.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdThunderbird
CVE-2020-15666
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.23% / 65.39%
||
7 Day CHG~0.00%
Published-01 Oct, 2020 | 18:42
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to inferring login status to services or device discovery on a local network among other attacks. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefoxFirefox for Android
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2007-0800
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.67% / 73.97%
||
7 Day CHG~0.00%
Published-07 Feb, 2007 | 11:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-firefoxn/a
CVE-2020-12404
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.78% / 51.57%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:44
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox for iOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12398
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.98% / 57.81%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:45
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-ubuntu_linuxthunderbirdThunderbird
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-12418
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-3.03% / 85.88%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:19
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Action-Not Available
Vendor-Canonical Ltd.openSUSEMozilla Corporation
Product-ubuntu_linuxthunderbirdfirefoxfirefox_esrleapFirefoxFirefox ESRThunderbird
CWE ID-CWE-125
Out-of-bounds Read
CVE-2017-7830
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-2.48% / 82.66%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-25 Nov, 2025 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.

Action-Not Available
Vendor-Mozilla CorporationDebian GNU/LinuxRed Hat, Inc.
Product-thunderbirdfirefoxenterprise_linux_desktopenterprise_linux_serverdebian_linuxenterprise_linux_server_eusenterprise_linux_workstationenterprise_linux_server_ausFirefoxFirefox ESRThunderbird
CVE-2026-8965
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.22%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 12:30
Updated-20 May, 2026 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the DOM: Security component

Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-8966
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.16%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 12:30
Updated-20 May, 2026 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the IP Protection component

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-8967
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.16%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 12:30
Updated-20 May, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the Graphics: WebGPU component

Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-1515
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-1.9||LOW
EPSS-0.28% / 20.08%
||
7 Day CHG~0.00%
Published-25 Mar, 2014 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox before 28.0.1 on Android processes a file: URL by copying a local file onto the SD card, which allows attackers to obtain sensitive information from the Firefox profile directory via a crafted application.

Action-Not Available
Vendor-n/aMozilla CorporationGoogle LLC
Product-firefoxandroidn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-1571
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4||MEDIUM
EPSS-1.35% / 68.17%
||
7 Day CHG~0.00%
Published-13 Oct, 2014 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.

Action-Not Available
Vendor-n/aMozilla CorporationFedora Project
Product-bugzillafedoran/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-1505
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-4.00% / 89.28%
||
7 Day CHG~0.00%
Published-19 Mar, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive displacement-correlation information, and possibly bypass the Same Origin Policy and read text from a different domain, via a timing attack involving feDisplacementMap elements, a related issue to CVE-2013-1693.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSENovellSUSERed Hat, Inc.Mozilla CorporationDebian GNU/Linux
Product-thunderbirdsuse_linux_enterprise_software_development_kitdebian_linuxubuntu_linuxseamonkeyenterprise_linux_server_tusenterprise_linux_desktopenterprise_linux_server_eusenterprise_linux_server_ausfirefoxenterprise_linux_serverenterprise_linux_workstationsuse_linux_enterprise_serverenterprise_linux_eussuse_linux_enterprise_desktopopensusen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-1484
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5||MEDIUM
EPSS-1.56% / 72.17%
||
7 Day CHG~0.00%
Published-06 Feb, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox before 27.0 on Android 4.2 and earlier creates system-log entries containing profile paths, which allows attackers to obtain sensitive information via a crafted application.

Action-Not Available
Vendor-n/aopenSUSEGoogle LLCOracle CorporationSUSEMozilla Corporation
Product-firefoxlinux_enterprise_desktoplinux_enterprise_serversolarisandroidlinux_enterprise_software_development_kitopensusen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2013-6629
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-10.12% / 95.08%
||
7 Day CHG~0.00%
Published-15 Nov, 2013 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.

Action-Not Available
Vendor-libjpeg-turbon/aCanonical Ltd.openSUSEGoogle LLCOracle CorporationDebian GNU/LinuxMozilla CorporationArtifex Software Inc.Fedora Project
Product-thunderbirddebian_linuxubuntu_linuxfirefoxseamonkeylibjpeg-turbosolarisfedorachromegpl_ghostscriptopensusen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6756
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.94%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 12:40
Updated-26 May, 2026 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mitigation bypass in Firefox for Android

Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6770
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-4.94% / 91.09%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 12:41
Updated-27 May, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Other issue in the Storage: IndexedDB component

Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6782
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 16.56%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 12:41
Updated-27 May, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the IP Protection component

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2013-0786
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5||MEDIUM
EPSS-1.66% / 73.74%
||
7 Day CHG~0.00%
Published-24 Feb, 2013 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product names by using debug mode for a query.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-bugzillan/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-4198
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-0.87% / 54.52%
||
7 Day CHG~0.00%
Published-16 Nov, 2012 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allows remote authenticated users to discover private group names by observing whether a call throws an error.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-bugzillan/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-11717
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.24% / 15.47%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 12:27
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The password edit screen was not hidden in Android card view

When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.

Action-Not Available
Vendor-Google LLCMozilla Corporation
Product-firefoxandroidFirefox
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-4197
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.54% / 71.93%
||
7 Day CHG~0.00%
Published-16 Nov, 2012 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read attachment descriptions from private bugs via an obsolete=1 insert action.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-bugzillan/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-3972
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-3.96% / 89.17%
||
7 Day CHG~0.00%
Published-29 Aug, 2012 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The format-number functionality in the XSLT implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based buffer over-read.

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSESUSERed Hat, Inc.Mozilla CorporationDebian GNU/Linux
Product-thunderbirdfirefoxubuntu_linuxseamonkeylinux_enterprise_desktopenterprise_linux_serverenterprise_linux_workstationthunderbird_esrdebian_linuxenterprise_linux_desktoplinux_enterprise_serverenterprise_linux_server_eusenterprise_linux_euslinux_enterprise_software_development_kitopensusen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-10535
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.29% / 21.07%
||
7 Day CHG~0.00%
Published-16 Sep, 2025 | 12:26
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure, mitigation bypass in the Privacy component in Firefox for Android

Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-1960
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.77% / 75.36%
||
7 Day CHG~0.00%
Published-18 Jul, 2012 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The qcms_transform_data_rgb_out_lut_sse2 function in the QCMS implementation in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 might allow remote attackers to obtain sensitive information from process memory via a crafted color profile that triggers an out-of-bounds read operation.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-thunderbirdfirefoxseamonkeyn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-1945
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.46% / 36.84%
||
7 Day CHG~0.00%
Published-05 Jun, 2012 | 23:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME element, as demonstrated by a network share implemented by (1) Microsoft Windows or (2) Samba.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-thunderbirdfirefoxthunderbird_esrseamonkeyn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-17018
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.87% / 54.44%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 21:28
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-0456
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-2.61% / 83.55%
||
7 Day CHG~0.00%
Published-14 Mar, 2012 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-thunderbirdfirefoxthunderbird_esrseamonkeyn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2011-3653
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.03% / 59.37%
||
7 Day CHG~0.00%
Published-09 Nov, 2011 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do not properly interact with the GPU memory behavior of a certain driver for Intel integrated GPUs, which allows remote attackers to bypass the Same Origin Policy and read image data via vectors related to WebGL textures.

Action-Not Available
Vendor-n/aMozilla CorporationApple Inc.
Product-thunderbirdfirefoxmac_os_xn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2011-2986
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.19% / 64.04%
||
7 Day CHG~0.00%
Published-18 Aug, 2011 | 18:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-thunderbirdfirefoxseamonkeyn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-6612
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 38.94%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 14:26
Updated-30 Oct, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSP violation leakage when using devtools

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. This vulnerability affects Firefox < 128 and Thunderbird < 128.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxFirefoxThunderbirdfirefoxthunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2011-2380
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.77% / 75.36%
||
7 Day CHG~0.00%
Published-09 Aug, 2011 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to determine the existence of private group names via a crafted parameter during (1) bug creation or (2) bug editing.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-bugzillan/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-31746
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 33.12%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header. This vulnerability affects Firefox for iOS < 102.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox for iOS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-29916
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.72% / 49.50%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2010-3764
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-2.39% / 81.94%
||
7 Day CHG~0.00%
Published-05 Nov, 2010 | 16:28
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2, 3.7.3, and 4.1 creates graph files with predictable names in graphs/, which allows remote attackers to obtain sensitive information via a modified URL.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-bugzillan/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2010-1125
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.8||MEDIUM
EPSS-2.02% / 78.56%
||
7 Day CHG+0.02%
Published-26 Mar, 2010 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-firefoxseamonkeyn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-22745
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 46.48%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-16 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefox_esrfirefoxFirefox ESRFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2009-0776
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.1||HIGH
EPSS-1.60% / 72.83%
||
7 Day CHG~0.00%
Published-05 Mar, 2009 | 02:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-thunderbirdfirefoxseamonkeyn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2009-0358
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.3||LOW
EPSS-0.52% / 40.42%
||
7 Day CHG~0.00%
Published-04 Feb, 2009 | 19:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.

Action-Not Available
Vendor-n/aMozilla Corporation
Product-firefoxn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-7292
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.1||LOW
EPSS-0.38% / 30.38%
||
7 Day CHG~0.00%
Published-09 Aug, 2011 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bugzilla 2.20.x before 2.20.5, 2.22.x before 2.22.3, and 3.0.x before 3.0.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files, a different vulnerability than CVE-2011-2977.

Action-Not Available
Vendor-n/aMozilla CorporationMicrosoft Corporation
Product-windowsbugzillan/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 29
  • 30
  • Next
Details not found