| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Sandbox escape due to integer overflow in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143.0.3. |
| Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been patched in version 1.5.0. |
| An issue was discovered in the futures-task crate before 0.3.6 for Rust. futures_task::waker may cause a use-after-free in a non-static type situation. |
| In the Linux kernel, the following vulnerability has been resolved:
netlink: prevent potential spectre v1 gadgets
Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()
u16 type = nla_type(nla);
if (type == 0 || type > maxtype) {
/* error or continue */
}
@type is then used as an array index and can be used
as a Spectre v1 gadget.
array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.
This should take care of vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions. |
| In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call. |
| A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list).
* The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.
* The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason).
* If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.
* The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.
* Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.
* Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition. |
| In the Linux kernel, the following vulnerability has been resolved:
net: mdio: validate parameter addr in mdiobus_get_phy()
The caller may pass any value as addr, what may result in an out-of-bounds
access to array mdio_map. One existing case is stmmac_init_phy() that
may pass -1 as addr. Therefore validate addr before using it. |
| Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128. |
| Memory safety bugs present in Firefox 127 and Thunderbird 127. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128 and Thunderbird < 128. |
| Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. |
| LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11. |
| In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. |
| It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128. |
| An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. |
| Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142. |
| The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144. |
| When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140 and Thunderbird < 140. |
| Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139 and Thunderbird < 139. |
| In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139. |
| The executable file warning did not warn users before opening files with the `terminal` extension.
*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. |
