MozillaFirefox (SUSE:Linux Enterprise Server 12 SP4-ESPOS) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Server 12 SP4-ESPOS package MozillaFirefox, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (63)
CVE-2023-34416 — CVSS 9.8 (critical): Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory…
CVE-2023-29531 — CVSS 9.8 (critical): An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable…
CVE-2023-29542 — CVSS 9.8 (critical): A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such…
CVE-2023-25746 — CVSS 8.8 (high): Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough…
CVE-2023-25729 — CVSS 8.8 (high): Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to…
CVE-2023-25732 — CVSS 8.8 (high): When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated…
CVE-2023-25735 — CVSS 8.8 (high): Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment…
CVE-2023-25737 — CVSS 8.8 (high): An invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined behavior. This vulnerability…
CVE-2023-25739 — CVSS 8.8 (high): Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in…
CVE-2023-25744 — CVSS 8.8 (high): Mmemory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume…
CVE-2023-0767 — CVSS 8.8 (high): An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag…
CVE-2023-28161 — CVSS 8.8 (high): If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that…
CVE-2023-28162 — CVSS 8.8 (high): While implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a…
CVE-2023-28176 — CVSS 8.8 (high): Memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume…
CVE-2023-28177 — CVSS 8.8 (high): Memory safety bugs present in Firefox 110. Some of these bugs showed evidence of memory corruption and we presume that with enough effort…
CVE-2023-29536 — CVSS 8.8 (high): An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an…
CVE-2023-29539 — CVSS 8.8 (high): When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL…
CVE-2023-29541 — CVSS 8.8 (high): Firefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be interpreted to run attacker-controlled…
CVE-2023-29550 — CVSS 8.8 (high): Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume…
CVE-2023-32207 — CVSS 8.8 (high): A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This…
CVE-2023-32213 — CVSS 8.8 (high): When reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR <…
CVE-2023-32215 — CVSS 8.8 (high): Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the…
CVE-2023-3600 — CVSS 8.8 (high): During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash. This…
CVE-2023-37201 — CVSS 8.8 (high): An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects…
CVE-2023-37202 — CVSS 8.8 (high): Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment…
CVE-2023-37209 — CVSS 8.8 (high): A use-after-free condition existed in `NotifyOnHistoryReload` where a `LoadingSessionHistoryEntry` object was freed and a reference to that…
CVE-2023-37211 — CVSS 8.8 (high): Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory…
CVE-2023-37212 — CVSS 8.8 (high): Memory safety bugs present in Firefox 114. Some of these bugs showed evidence of memory corruption and we presume that with enough effort…
CVE-2023-25734 — CVSS 8.1 (high): After downloading a Windows <code>.url</code> shortcut from the local filesystem, an attacker could supply a remote path that would lead to…
CVE-2023-37208 — CVSS 7.8 (high): When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox <…
CVE-2023-37203 — CVSS 7.8 (high): Insufficient validation in the Drag and Drop API in conjunction with social engineering, may have allowed an attacker to trick end-users…
CVE-2023-25743 — CVSS 7.5 (high): A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug…
CVE-2023-32214 — CVSS 7.5 (high): Protocol handlers `ms-cxh` and `ms-cxh-full` could have been leveraged to trigger a denial of service. *Note: This attack only affects…
CVE-2023-25728 — CVSS 6.5 (medium): The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when…
CVE-2023-29545 — CVSS 6.5 (medium): Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have…
CVE-2023-29548 — CVSS 6.5 (medium): A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112…
CVE-2023-1945 — CVSS 6.5 (medium): Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. This…
CVE-2023-32206 — CVSS 6.5 (medium): An out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11…
CVE-2023-37204 — CVSS 6.5 (medium): A website could have obscured the fullscreen notification by using an option element by introducing lag via an expensive computational…
CVE-2023-32211 — CVSS 6.5 (medium): A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and…
CVE-2023-25738 — CVSS 6.5 (medium): Members of the <code>DEVMODEW</code> struct set by the printer device driver weren't being validated and could have resulted in invalid…
CVE-2023-28164 — CVSS 6.5 (medium): Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks…
CVE-2023-25742 — CVSS 6.5 (medium): When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability…
CVE-2023-37205 — CVSS 6.5 (medium): The use of RTL Arabic characters in the address bar may have allowed for URL spoofing. This vulnerability affects Firefox < 115.
CVE-2023-25751 — CVSS 6.5 (medium): Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could…
CVE-2023-3482 — CVSS 6.5 (medium): When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a…
CVE-2023-29535 — CVSS 6.5 (medium): Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory…
CVE-2023-37207 — CVSS 6.5 (medium): A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto…
CVE-2023-37210 — CVSS 6.5 (medium): A website could prevent a user from exiting full-screen mode via alert and prompt calls. This could lead to user confusion and possible…
CVE-2023-25752 — CVSS 6.5 (medium): When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may…
CVE-2023-28163 — CVSS 6.5 (medium): When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would…
CVE-2023-37206 — CVSS 6.5 (medium): Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website…
CVE-2023-28160 — CVSS 6.5 (medium): When following a redirect to a publicly accessible web extension file, the URL may have been translated to the actual local path, leaking…
CVE-2023-29532 — CVSS 5.5 (medium): A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file…
CVE-2023-25730 — CVSS 5.4 (medium): A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode…
CVE-2023-29533 — CVSS 4.3 (medium): A website could have obscured the fullscreen notification by using a combination of <code>window.open</code>, fullscreen requests…
CVE-2023-25750 — CVSS 4.3 (medium): Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. This…
CVE-2023-25749 — CVSS 4.3 (medium): Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities…
CVE-2023-28159 — CVSS 4.3 (medium): The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion…
CVE-2023-25748 — CVSS 4.3 (medium): By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion…
CVE-2023-32212 — CVSS 4.3 (medium): An attacker could have positioned a `datalist` element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR <…
CVE-2023-32205 — CVSS 4.3 (medium): In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user…
CVE-2023-34414 — CVSS 3.1 (low): The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission…