MozillaFirefox (SUSE:Manager 2.1) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Manager 2.1 package MozillaFirefox, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (106)
CVE-2016-6354 — CVSS 9.8 (critical): Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a…
CVE-2017-5435 — CVSS 9.8 (critical): A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a…
CVE-2017-5434 — CVSS 9.8 (critical): A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially exploitable crash. This vulnerability…
CVE-2017-5433 — CVSS 9.8 (critical): A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the…
CVE-2017-5432 — CVSS 9.8 (critical): A use-after-free vulnerability occurs during certain text input selection resulting in a potentially exploitable crash. This vulnerability…
CVE-2017-5429 — CVSS 9.8 (critical): Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of…
CVE-2016-9893 — CVSS 9.8 (critical): Memory safety bugs were reported in Thunderbird 45.5. Some of these bugs showed evidence of memory corruption and we presume that with…
CVE-2017-5410 — CVSS 9.8 (critical): Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental…
CVE-2017-5404 — CVSS 9.8 (critical): A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside…
CVE-2016-9898 — CVSS 9.8 (critical): Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. This vulnerability affects Firefox…
CVE-2016-9899 — CVSS 9.8 (critical): Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. This vulnerability…
CVE-2017-5402 — CVSS 9.8 (critical): A use-after-free can occur when events are fired for a "FontFace" object after the object has been already been destroyed while working…
CVE-2016-9901 — CVSS 9.8 (critical): HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the…
CVE-2017-5401 — CVSS 9.8 (critical): A crash triggerable by web content in which an "ErrorResult" references unassigned memory due to a logic error. The resulting crash may be…
CVE-2017-5400 — CVSS 9.8 (critical): JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory…
CVE-2016-5254 — CVSS 9.8 (critical): Use-after-free vulnerability in the nsXULPopupManager::KeyDown function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3…
CVE-2017-5373 — CVSS 9.8 (critical): Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we…
CVE-2017-5375 — CVSS 9.8 (critical): JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability…
CVE-2017-5376 — CVSS 9.8 (critical): Use-after-free while manipulating XSL in XSLT documents. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox <…
CVE-2017-5398 — CVSS 9.8 (critical): Memory safety bugs were reported in Thunderbird 45.7. Some of these bugs showed evidence of memory corruption and we presume that with…
CVE-2017-5380 — CVSS 9.8 (critical): A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7…
CVE-2017-5396 — CVSS 9.8 (critical): A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are…
CVE-2017-5390 — CVSS 9.8 (critical): The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers…
CVE-2016-5257 — CVSS 9.8 (critical): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4 and Thunderbird <…
CVE-2016-5297 — CVSS 9.8 (critical): An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues. This…
CVE-2017-5438 — CVSS 9.8 (critical): A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results…
CVE-2017-5461 — CVSS 9.8 (critical): Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1…
CVE-2017-5460 — CVSS 9.8 (critical): A use-after-free vulnerability in frame selection triggered by a combination of malicious script content and key presses by a user. This…
CVE-2017-5446 — CVSS 9.8 (critical): An out-of-bounds read when an HTTP/2 connection to a servers sends "DATA" frames with incorrect data content. This leads to a potentially…
CVE-2017-5464 — CVSS 9.8 (critical): During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with the accessibility tree, leading…
CVE-2017-5459 — CVSS 9.8 (critical): A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird…
CVE-2017-5443 — CVSS 9.8 (critical): An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird <…
CVE-2016-5270 — CVSS 9.8 (critical): Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0, Firefox ESR 45.x…
CVE-2016-5274 — CVSS 9.8 (critical): Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0, Firefox ESR 45.x before…
CVE-2016-5276 — CVSS 9.8 (critical): Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0, Firefox…
CVE-2016-5277 — CVSS 9.8 (critical): Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and…
CVE-2017-5469 — CVSS 9.8 (critical): Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This vulnerability affects Thunderbird <…
CVE-2016-5280 — CVSS 9.8 (critical): Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap function in Mozilla Firefox before 49.0…
CVE-2016-5281 — CVSS 9.8 (critical): Use-after-free vulnerability in the DOMSVGLength class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4…
CVE-2017-5442 — CVSS 9.8 (critical): A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a potentially exploitable crash…
CVE-2017-5441 — CVSS 9.8 (critical): A use-after-free vulnerability when holding a selection during scroll events. This results in a potentially exploitable crash. This…
CVE-2016-5290 — CVSS 9.8 (critical): Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume…
CVE-2017-5440 — CVSS 9.8 (critical): A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions during matching while evaluating…
CVE-2017-5439 — CVSS 9.8 (critical): A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially…
CVE-2017-5465 — CVSS 9.1 (critical): An out-of-bounds read while processing SVG content in "ConvolvePixel". This results in a crash and also allows for otherwise inaccessible…
CVE-2017-5447 — CVSS 9.1 (critical): An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could…
CVE-2016-5261 — CVSS 8.8 (high): Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows…
CVE-2016-2805 — CVSS 8.8 (high): Unspecified vulnerability in the browser engine in Mozilla Firefox ESR 38.x before 38.8 allows remote attackers to cause a denial of…
CVE-2016-2807 — CVSS 8.8 (high): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR…
CVE-2016-2814 — CVSS 8.8 (high): Heap-based buffer overflow in the stagefright::SampleTable::parseSampleCencInfo function in libstagefright in Mozilla Firefox before 46.0…
CVE-2016-2815 — CVSS 8.8 (high): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 allow remote attackers to cause a denial of…
CVE-2016-2818 — CVSS 8.8 (high): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote…
CVE-2016-2819 — CVSS 8.8 (high): Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary…
CVE-2016-2824 — CVSS 8.8 (high): The TSymbolTableLevel class in ANGLE, as used in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 on Windows, allows remote…
CVE-2016-2828 — CVSS 8.8 (high): Use-after-free vulnerability in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary…
CVE-2016-2831 — CVSS 8.8 (high): Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings…
CVE-2016-2834 — CVSS 8.8 (high): Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of…
CVE-2016-2835 — CVSS 8.8 (high): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 allow remote attackers to cause a denial of…
CVE-2016-2836 — CVSS 8.8 (high): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow remote…
CVE-2016-2838 — CVSS 8.8 (high): Heap-based buffer overflow in the nsBidi::BracketData::AddOpening function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3…
CVE-2016-5252 — CVSS 8.8 (high): Stack-based buffer underflow in the mozilla::gfx::BasePoint4d function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3…
CVE-2016-5258 — CVSS 8.8 (high): Use-after-free vulnerability in the WebRTC socket thread in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote…
CVE-2016-5259 — CVSS 8.8 (high): Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3…
CVE-2016-1950 — CVSS 8.8 (high): Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in…
CVE-2016-5263 — CVSS 8.8 (high): The nsDisplayList::HitTest function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 mishandles rendering display…
CVE-2016-5264 — CVSS 8.8 (high): Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildListChange function in Mozilla Firefox before 48.0 and Firefox ESR…
CVE-2016-5272 — CVSS 8.8 (high): The nsImageGeometryMixin class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 does not properly…
CVE-2016-5278 — CVSS 8.8 (high): Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and…
CVE-2016-9905 — CVSS 8.8 (high): A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR <…
CVE-2017-5436 — CVSS 8.8 (high): An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially…
CVE-2017-5448 — CVSS 8.6 (high): An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Clearkey-encrypted media content. The "ClearKeyDecryptor" code runs…
CVE-2016-2821 — CVSS 7.5 (high): Use-after-free vulnerability in the mozilla::dom::Element class in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2, when…
CVE-2016-9900 — CVSS 7.5 (high): External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This…
CVE-2016-9897 — CVSS 7.5 (high): Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array…
CVE-2017-5378 — CVSS 7.5 (high): Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered…
CVE-2016-9904 — CVSS 7.5 (high): An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific…
CVE-2016-9066 — CVSS 7.5 (high): A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming…
CVE-2016-2808 — CVSS 7.5 (high): The watch implementation in the JavaScript engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before…
CVE-2016-9902 — CVSS 7.5 (high): The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events…
CVE-2016-5296 — CVSS 7.5 (high): A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash…
CVE-2016-5285 — CVSS 7.5 (high): A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey /…
CVE-2017-5444 — CVSS 7.5 (high): A buffer overflow vulnerability while parsing "application/http-index-format" format content when the header contains improperly formatted…
CVE-2017-5445 — CVSS 7.5 (high): A vulnerability while parsing "application/http-index-format" format content where uninitialized values are used to create an array. This…
CVE-2016-5284 — CVSS 7.4 (high): Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public…
CVE-2017-5386 — CVSS 7.3 (high): WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential…
CVE-2016-2839 — CVSS 6.5 (medium): Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 on Linux make cairo _cairo_surface_get_extents calls that do not properly…
CVE-2016-2822 — CVSS 6.5 (medium): Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to spoof the address bar via a SELECT element with a…
CVE-2017-5407 — CVSS 6.5 (medium): Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a…
CVE-2016-2837 — CVSS 6.3 (medium): Heap-based buffer overflow in the ClearKey Content Decryption Module (CDM) in the Encrypted Media Extensions (EME) API in Mozilla Firefox…
CVE-2016-5262 — CVSS 6.1 (medium): Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a…
CVE-2016-9895 — CVSS 6.1 (medium): Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This…
CVE-2016-9064 — CVSS 5.9 (medium): Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who…
CVE-2016-9074 — CVSS 5.9 (medium): An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security…
CVE-2016-9574 — CVSS 5.9 (medium): nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and…
CVE-2016-5265 — CVSS 5.5 (medium): Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and…
CVE-2016-5291 — CVSS 5.5 (medium): A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird <…
CVE-2017-5409 — CVSS 5.5 (medium): The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the…
CVE-2016-8635 — CVSS 5.3 (medium): It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An…
CVE-2017-5405 — CVSS 5.3 (medium): Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability…
CVE-2017-5408 — CVSS 5.3 (medium): Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading…
CVE-2017-5383 — CVSS 5.3 (medium): URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain…
CVE-2017-5462 — CVSS 5.3 (medium): A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry…
CVE-2016-2830 — CVSS 4.3 (medium): Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the…
CVE-2016-5250 — CVSS 4.3 (medium): Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the…
CVE-2017-5437: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10195, CVE-2016-10196, CVE-2016-10197. Reason: This candidate is a…