CVSS: 8.1 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. These are all security issues fixed in the MozillaThunderbird-140.1.0-1.1 package on the GA media of openSUSE Tumbleweed. • https://bugzilla.mozilla.org/show_bug.cgi?id=1970997 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 10.0 • EPSS: 0% • CPEs: 19 • EXPL: 0

22 Jul 2025 — Firefox and Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. These are all security issues fixed in the MozillaThunderbird-140.1.0-1.1 package on the GA media of openSUSE Tumbleweed. • https://bugzilla.mozilla.org/show_bug.cgi?id=1808979 • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 8.1 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: XSLT document loading incorrectly propagates the source document which bypassed its CSP. Several security issues were discovered in the Linux kernel... • https://bugzilla.mozilla.org/show_bug.cgi?id=1974407 • CWE-693: Protection Mechanism Failure •

CVSS: 9.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: The username:password part is incorrectly stripped from URLs in CSP reports, potentially ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1971719 • CWE-276: Incorrect Default Permissions •

CVSS: 8.1 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpec... • https://bugzilla.mozilla.org/show_bug.cgi?id=1968414 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.1 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — Setting a nameless cookie with an equals sign in the value shadowed other cookies, even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. These are all security issues fixed in the MozillaThunderbird-140.1.0-1.1 package on the GA media of openSUSE Tumbleweed. • https://bugzilla.mozilla.org/show_bug.cgi?id=1964767 • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute •

CVSS: 9.4 • EPSS: 0% • CPEs: 19 • EXPL: 0

22 Jul 2025 — Firefox and Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. • https://bugzilla.mozilla.org/show_bug.cgi?id=1960834 • CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action •

CVSS: 9.4 • EPSS: 0% • CPEs: 33 • EXPL: 0

22 Jul 2025 — Firefox and Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. A flaw was found in Firefox and Thunderbird. • https://bugzilla.mozilla.org/show_bug.cgi?id=1928021 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 9.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: On arm64, a WASM br_table... • https://bugzilla.mozilla.org/show_bug.cgi?id=1971581 • CWE-1332: Improper Handling of Faults that Lead to Instruction Skips •

CVSS: 7.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

22 Jul 2025 — On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: On 64-bit platforms, IonMonkey-JIT only wrote 32 bits of the 64-bit retu... • https://bugzilla.mozilla.org/show_bug.cgi?id=1968423 • CWE-457: Use of Uninitialized Variable •