Vulnerabilities > Mozilla > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-01-09 CVE-2015-8510 Cross-site Scripting vulnerability in Mozilla Firefox OS
Cross-site scripting (XSS) vulnerability in the internationalization feature in the default homescreen app in Mozilla Firefox OS before 2.5 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted web site that is mishandled during "Add to home screen" bookmarking.
network
low complexity
mozilla CWE-79
6.1
2016-01-09 CVE-2015-7575 Data Processing Errors vulnerability in multiple products
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
network
high complexity
mozilla opensuse canonical CWE-19
5.9
2016-01-03 CVE-2015-8508 Cross-site Scripting vulnerability in Mozilla Bugzilla
Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary.
network
high complexity
mozilla CWE-79
4.7
2014-04-30 CVE-2014-1530 Cross-site Scripting vulnerability in multiple products
The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation.
6.1
2014-04-30 CVE-2014-1523 Out-of-bounds Write vulnerability in multiple products
Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG image.
6.5
2014-03-19 CVE-2014-1496 Improper Privilege Management vulnerability in multiple products
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 might allow local users to gain privileges by modifying the extracted Mar contents during an update.
local
low complexity
mozilla suse CWE-269
5.5
2013-12-11 CVE-2013-6673 Cryptographic Issues vulnerability in multiple products
Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 do not recognize a user's removal of trust from an EV X.509 certificate, which makes it easier for man-in-the-middle attackers to spoof SSL servers in opportunistic circumstances via a valid certificate that is unacceptable to the user.
5.9
2013-05-16 CVE-2013-1675 Improper Initialization vulnerability in multiple products
Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.
network
low complexity
mozilla canonical debian redhat opensuse CWE-665
6.5
2013-03-15 CVE-2013-2566 Inadequate Encryption Strength vulnerability in multiple products
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
network
high complexity
oracle fujitsu canonical mozilla CWE-326
5.9
2009-07-30 CVE-2009-2408 Improper Certificate Validation vulnerability in multiple products
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
network
high complexity
mozilla suse opensuse debian canonical CWE-295
5.9