MozillaFirefox-branding-SLE (SUSE:Linux Enterprise Server for SAP Applications 15 SP3) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Server for SAP Applications 15 SP3 package MozillaFirefox-branding-SLE, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (68)
CVE-2025-6424 — CVSS 9.8 (critical): A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR…
CVE-2025-8038 — CVSS 9.8 (critical): Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR…
CVE-2025-8031 — CVSS 9.8 (critical): The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials…
CVE-2025-6433 — CVSS 9.8 (critical): If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge…
CVE-2024-6602 — CVSS 9.8 (critical): A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR <…
CVE-2025-8028 — CVSS 9.8 (critical): On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation…
CVE-2024-6611 — CVSS 9.8 (critical): A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128…
CVE-2024-7519 — CVSS 9.6 (critical): Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to…
CVE-2025-8037 — CVSS 9.1 (critical): Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the…
CVE-2025-6427 — CVSS 9.1 (critical): An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also…
CVE-2024-6607 — CVSS 8.8 (high): It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a…
CVE-2025-6426 — CVSS 8.8 (high): The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for…
CVE-2023-37201 — CVSS 8.8 (high): An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects…
CVE-2023-37202 — CVSS 8.8 (high): Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment…
CVE-2025-8040 — CVSS 8.8 (high): Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence…
CVE-2023-37209 — CVSS 8.8 (high): A use-after-free condition existed in `NotifyOnHistoryReload` where a `LoadingSessionHistoryEntry` object was freed and a reference to that…
CVE-2023-37211 — CVSS 8.8 (high): Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory…
CVE-2023-37212 — CVSS 8.8 (high): Memory safety bugs present in Firefox 114. Some of these bugs showed evidence of memory corruption and we presume that with enough effort…
CVE-2024-6605 — CVSS 8.8 (high): Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects…
CVE-2024-6609 — CVSS 8.8 (high): When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox <…
CVE-2024-6615 — CVSS 8.8 (high): Memory safety bugs present in Firefox 127 and Thunderbird 127. Some of these bugs showed evidence of memory corruption and we presume that…
CVE-2024-7520 — CVSS 8.8 (high): A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects…
CVE-2024-7521 — CVSS 8.8 (high): Incomplete WebAssembly exception handing could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR <…
CVE-2024-7522 — CVSS 8.8 (high): Editor code failed to check an attribute value. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 129…
CVE-2024-7527 — CVSS 8.8 (high): Unexpected marking work at the start of sweeping could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR…
CVE-2024-7528 — CVSS 8.8 (high): Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox…
CVE-2025-6432 — CVSS 8.6 (high): When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS…
CVE-2024-6606 — CVSS 8.2 (high): Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects…
CVE-2025-8036 — CVSS 8.1 (high): Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This…
CVE-2025-8039 — CVSS 8.1 (high): In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability was fixed in…
CVE-2025-6436 — CVSS 8.1 (high): Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that…
CVE-2025-6435 — CVSS 8.1 (high): If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with…
CVE-2025-8029 — CVSS 8.1 (high): Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR…
CVE-2025-8032 — CVSS 8.1 (high): XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141…
CVE-2024-7525 — CVSS 8.1 (high): It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response…
CVE-2025-8030 — CVSS 8.1 (high): Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This…
CVE-2023-37203 — CVSS 7.8 (high): Insufficient validation in the Drag and Drop API in conjunction with social engineering, may have allowed an attacker to trick end-users…
CVE-2023-37208 — CVSS 7.8 (high): When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox <…
CVE-2024-6604 — CVSS 7.5 (high): Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of memory…
CVE-2024-6603 — CVSS 7.4 (high): In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory…
CVE-2023-3482 — CVSS 6.5 (medium): When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a…
CVE-2024-7531 — CVSS 6.5 (medium): Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy…
CVE-2024-7529 — CVSS 6.5 (medium): The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions…
CVE-2023-37204 — CVSS 6.5 (medium): A website could have obscured the fullscreen notification by using an option element by introducing lag via an expensive computational…
CVE-2025-6429 — CVSS 6.5 (medium): Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag…
CVE-2023-37207 — CVSS 6.5 (medium): A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto…
CVE-2023-37210 — CVSS 6.5 (medium): A website could prevent a user from exiting full-screen mode via alert and prompt calls. This could lead to user confusion and possible…
CVE-2025-8033 — CVSS 6.5 (medium): The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This…
CVE-2025-6431 — CVSS 6.5 (medium): When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker…
CVE-2024-7526 — CVSS 6.5 (medium): ANGLE failed to initialize parameters which lead to reading from uninitialized memory. This could be leveraged to leak sensitive data from…
CVE-2023-37205 — CVSS 6.5 (medium): The use of RTL Arabic characters in the address bar may have allowed for URL spoofing. This vulnerability affects Firefox < 115.
CVE-2024-7518 — CVSS 6.5 (medium): Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This…
CVE-2023-37206 — CVSS 6.5 (medium): Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website…
CVE-2025-8027 — CVSS 6.5 (medium): On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire…
CVE-2024-6600 — CVSS 6.3 (medium): Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than…
CVE-2025-6430 — CVSS 6.1 (medium): When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a…
CVE-2024-7524 — CVSS 6.1 (medium): Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by…
CVE-2024-6613 — CVSS 5.5 (medium): The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability…
CVE-2024-6612 — CVSS 5.3 (medium): CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch…
CVE-2024-6601 — CVSS 4.7 (medium): A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox <…
CVE-2025-6425 — CVSS 4.3 (medium): An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and…
CVE-2024-6614 — CVSS 4.3 (medium): The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability…
CVE-2025-6434 — CVSS 4.3 (medium): The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially…
CVE-2024-6608 — CVSS 4.3 (medium): It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox…
CVE-2025-6428 — CVSS 4.3 (medium): When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially…
CVE-2024-6610 — CVSS 4.3 (medium): Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from…