2024

2023

2022

2021

2020

2019

CVE-2019-11712 (v3: 8.8) 23 Jul 2019
POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

2018

CVE-2018-5123 (v3: 8.8) 29 Apr 2019
A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4.

2017

2016

2015

CVE-2015-0807 (v2: 6.8) 1 Apr 2015
The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638.