
CVE-2025-1014 – firefox: thunderbird: Certificate length was not properly checked
https://notcve.org/view.php?id=CVE-2025-1014
04 Feb 2025 — Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1940804 • CWE-295: Improper Certificate Validation CWE-1284: Improper Validation of Specified Quantity in Input •

CVE-2025-1013 – firefox: thunderbird: Potential opening of private browsing tabs in normal browsing windows
https://notcve.org/view.php?id=CVE-2025-1013
04 Feb 2025 — A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbit... • https://bugzilla.mozilla.org/show_bug.cgi?id=1932555 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2025-1019 – Ubuntu Security Notice USN-7263-1
https://notcve.org/view.php?id=CVE-2025-1019
04 Feb 2025 — The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1940162 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •

CVE-2025-1012 – firefox: thunderbird: Use-after-free during concurrent delazification
https://notcve.org/view.php?id=CVE-2025-1012
04 Feb 2025 — A race during concurrent delazification could have led to a use-after-free. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A race during concurrent delazification could have led to a use-after-free. Multiple security issues were discovered in Firefox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1939710 • CWE-416: Use After Free •

CVE-2025-1011 – firefox: thunderbird: A bug in WebAssembly code generation could result in a crash
https://notcve.org/view.php?id=CVE-2025-1011
04 Feb 2025 — A bug in WebAssembly code generation could have led to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1936454 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2025-1018 – Ubuntu Security Notice USN-7263-1
https://notcve.org/view.php?id=CVE-2025-1018
04 Feb 2025 — The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1910818 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •

CVE-2025-1010 – firefox: thunderbird: Use-after-free in Custom Highlight
https://notcve.org/view.php?id=CVE-2025-1010
04 Feb 2025 — An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code... • https://bugzilla.mozilla.org/show_bug.cgi?id=1936982 • CWE-416: Use After Free •

CVE-2025-1009 – firefox: thunderbird: Use-after-free in XSLT
https://notcve.org/view.php?id=CVE-2025-1009
04 Feb 2025 — An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. Multiple security issues were discovered in Firefox.... • https://packetstorm.news/files/id/189614 • CWE-416: Use After Free •

CVE-2025-23109
https://notcve.org/view.php?id=CVE-2025-23109
11 Jan 2025 — Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability affects Firefox for iOS < 134. • https://bugzilla.mozilla.org/show_bug.cgi?id=1419275 • CWE-346: Origin Validation Error •

CVE-2025-23108
https://notcve.org/view.php?id=CVE-2025-23108
11 Jan 2025 — Opening JavaScript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS < 134. • https://bugzilla.mozilla.org/show_bug.cgi?id=1933172 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •