CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 2CVE-2009-3010
https://notcve.org/view.php?id=CVE-2009-3010
31 Aug 2009 — Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product v... • http://websecurity.com.ua/3315 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 12%CPEs: 24EXPL: 2CVE-2006-0496 – Mozilla Firefox 1.0/1.5 XBL - MOZ-BINDING Property Cross-Domain Scripting
https://notcve.org/view.php?id=CVE-2006-0496
01 Feb 2006 — Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibly earlier, Mozilla Firefox 1.0.7 and possibly earlier, and Netscape 8.1 and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the -moz-binding (Cascading Style Sheets) CSS property, which does not require that the style sheet have the same origin as the web page, as demonstrated by the compromise of a large number of LiveJournal accounts. Vulnerabilidad de XSS en Mozilla 1.7.12 y posiblemente versiones a... • https://www.exploit-db.com/exploits/27150 •
CVSS: 6.4EPSS: 0%CPEs: 79EXPL: 0CVE-2005-4685
https://notcve.org/view.php?id=CVE-2005-4685
31 Dec 2005 — Firefox and Mozilla can associate a cookie with multiple domains when the DNS resolver has a non-root domain in its search list, which allows remote attackers to trick a user into accepting a cookie for a hostname formed via search-list expansion of the hostname entered by the user, or steal a cookie for an expanded hostname, as demonstrated by an attacker who operates an ap1.com Internet web site to steal cookies associated with an ap1.com.example.com intranet web site. • http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0123.html •
CVSS: 9.1EPSS: 0%CPEs: 62EXPL: 0CVE-2005-0143
https://notcve.org/view.php?id=CVE-2005-0143
29 Jan 2005 — Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks. • http://www.mozilla.org/security/announce/mfsa2005-03.html •
CVSS: 6.5EPSS: 1%CPEs: 43EXPL: 4CVE-2004-1613
https://notcve.org/view.php?id=CVE-2004-1613
18 Oct 2004 — Mozilla allows remote attackers to cause a denial of service (application crash from null dereference or infinite loop) via a web page that contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a null character and some trailing characters, as demonstrated by mangleme. • http://lcamtuf.coredump.cx/mangleme/gallery •
CVSS: 7.5EPSS: 1%CPEs: 27EXPL: 2CVE-2004-1614
https://notcve.org/view.php?id=CVE-2004-1614
18 Oct 2004 — Mozilla allows remote attackers to cause a denial of service (application crash from invalid memory access) via an "unusual combination of visual elements," including several large MARQUEE tags with large height parameters, as demonstrated by mangleme. • http://lcamtuf.coredump.cx/mangleme/gallery •