Mozilla Program Statistics

75 total issues disclosed

$23,700 total paid publicly

Most disclosed (21 disclosures) — Misconfiguration

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org | Improper Input Validation | icecream_23 | Low | 2026-04-27 |
| [Vertical Privilege Escalation] User can Unapproved any Approved Translation at [/translations/unapprove/] | Privilege Escalation | adilnbabras | Medium | 2026-04-10 |
| User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon | Improper Access Control - Generic | adilnbabras | Low | 2026-04-10 |
| [Privilege Escalation] User can Pin\|Unpin Any Comment on Any Project or Locale | Privilege Escalation | adilnbabras | Low | 2026-03-20 |
| Microsoft `x-apikey` Exposed in Mozilla CI Public Logs | Cleartext Storage of Sensitive Information | xhacking_z | Medium | 2025-11-03 |
| Bypass "No Links" Restriction in Biography via Protocol-Relative URL (//) | Improper Input Validation | yoyomiski | Low | 2025-07-29 |
| Mozilla VPN Clients: RCE via file write and path traversal | Path Traversal | trein | High | 2025-07-29 |
| MozillaVPN: Elevation of Privilege via a Logic Vulnerability | Improper Link Resolution Before File Access ('Link Following') | northsea | Medium | 2025-07-03 |
| MozillaVPN: Elevation of Privilege via a Race Condition Vulnerability | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | northsea | Medium | 2025-07-03 |
| Subdomain takeover on a subdomain under firefox.com | Misconfiguration | martinvw | Medium | 2025-07-03 |
| IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account | Insecure Direct Object Reference (IDOR) | z3phyrus | High | 2025-06-03 |
| Netlify Authentication Token Exposed in Public Mozilla CI Logs | Information Disclosure | samirsec0x01 | Critical | 2025-05-13 |
| Bypass Email verification for monitoring at `monitor.mozilla.org` | Business Logic Errors | 0d_amrr | Medium | 2025-01-22 |
| Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org | Cache Poisoning | jabiyev | Low | 2025-01-08 |
| Bypass Email Verification on Add Email Monitoring | Information Disclosure | dotxml | Medium | 2025-01-07 |
| RCE on worker host due to unsanitized "env" variable name in task definition on community-tc.services.mozilla.com | Code Injection | ebrietas | Low | 2024-12-08 |
| [ addons-preview-cdn.mozilla.net ] A subdomain takeover is available via unregistered domain in Fastly | Misconfiguration | haveaniceday | Medium | 2024-12-06 |
| csrftoken not unique to session or specific user and csrfmiddlewaretoken can be altered | Cross-Site Request Forgery (CSRF) | bashbdeer | Low | 2024-11-20 |
| Leakage of traffic in plaintext towards the IP address of VPN server | Cleartext Transmission of Sensitive Information | vanhoefm | Low | 2024-11-08 |
| Leaking VPN traffic through non-RFC1918 local IP addresses | Cleartext Transmission of Sensitive Information | vanhoefm | Medium | 2024-11-08 |
| Information disclosure on password cancel endpoint | Information Disclosure | hackeriron1 | Low | 2024-10-29 |
| sentry Auth Token exposed publicly in docker hub image | Information Disclosure | ghaazy | None | 2024-10-18 |
| paypal client_id And stripe api key indexed on web archive | Information Disclosure | ghaazy | None | 2024-10-18 |
| Race condition leads to add more than 5 email at Data breaches monitor system at https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | sushantd19 | Low | 2024-10-18 |
| two aws access key and secret key and database username and password exposed | Information Disclosure | ghaazy | Critical | 2024-10-18 |
| User API Key leakage in Github commit leads to unauthorized access to sql.telemetry.mozilla.org | Information Disclosure | anhchangmutrang | High | 2024-10-08 |
| Private Emails of Moz Workers Leaked in Public file | None supplied | bd3b2acc340d2664004d535acbc0b | None | 2024-09-04 |
| Subdomain takeover on one of the subdomains under mozaws.net | Misconfiguration | d0xing | Medium | 2024-07-25 |
| Subdomain takeover on one of the subdomains under mozaws.net | Misconfiguration | d0xing | Medium | 2024-07-25 |
| Account deletion using the /v1/account/destroy API endpoint using account password without 2FA verification | Improper Authentication - Generic | erdy | Medium | 2024-06-17 |
| Jira Credential Disclosure within Mozilla Slack | Information Disclosure | griffinf | Critical | 2024-04-23 |
| Insecure S3 Bucket Exposing Git Directory in Mozilla Foundation Infographics Project | Improper Access Control - Generic | psycho_012 | Low | 2024-03-13 |
| IDOR on Delete Email address features | Insecure Direct Object Reference (IDOR) | ryujinx | High | 2024-03-07 |
| Subdomain takeover on one of the subdomain under mozgcp.net | Misconfiguration | d0xing | Medium | 2024-02-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | d0xing | Medium | 2024-02-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | d0xing | Medium | 2024-02-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | d0xing | Medium | 2024-02-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | d0xing | Medium | 2024-02-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Improper Resource Shutdown or Release | proabiral | Medium | 2024-02-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | d0xing | Medium | 2024-02-03 |
| SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social inscription | SQL Injection | supr4s | Critical | 2024-01-30 |
| Remote code execution and exfiltration of secret tokens by poisoning the mozilla/fxa CI build cache | Code Injection | 0x90security | Critical | 2024-01-20 |
| Internal Blind Server-Side Request Forgery (SSRF) allows scanning internal ports | Server-Side Request Forgery (SSRF) | harshdranjan | None | 2024-01-12 |
| Exposure of account recovery hint by querying by user email | Exposure of Sensitive Information Due to Incompatible Policies | francisconeves97 | Low | 2024-01-11 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | holybugx | Medium | 2024-01-04 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | holybugx | Medium | 2024-01-04 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | holybugx | Medium | 2024-01-04 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | holybugx | Medium | 2024-01-04 |
| Mozilla Employee's Token for sql.telemetry.mozilla.org Exposed in Git Commit | Cleartext Storage of Sensitive Information | yakirka | Critical | 2023-12-18 |
| Mozilla FuzzManager API Token Exposed in Git Commit | Cleartext Storage of Sensitive Information | yakirka | Critical | 2023-11-29 |
| CSRF to Information disclosure on password reset | Cross-Site Request Forgery (CSRF) | hackeriron1 | Low | 2023-11-27 |
| Subdomain takeover on one of the subdomain under mozgcp.net | Misconfiguration | mikey96 | Medium | 2023-11-12 |
| Subdomain takeover on one of the subdomain under mozgcp.net | Misconfiguration | d0xing | Medium | 2023-11-12 |
| Subdomain takeover on one of the subdomain under mozgcp.net | Misconfiguration | d0xing | Medium | 2023-11-12 |
| Security bug https://bugzilla.mozilla.org/oauth/authorize - CRLF Header injection via "redirect_uri" parameter | CRLF Injection | oja | Low | 2023-10-28 |
| Possibility of Deface through translation tool - www.mozilla.com | Information Disclosure | astrounder | Low | 2023-10-27 |
| Flickr API key leaked in GitHub commit | Information Disclosure | m4y4nk | Low | 2023-10-26 |
| After the upload of an private file, using transformations, the file becomes public without the possibility of changing it. | Improper Access Control - Generic | limusec | Medium | 2023-10-20 |
| HTML Injection at https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net/user/unsubscribe | Cross-Site Scripting (XSS) | avram | Low | 2023-10-20 |
| Exposing Django Debug Panel and Sensitive Infrastructure Information at https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net | Improper Access Control - Generic | aliend89 | Low | 2023-10-13 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | holybugx | Medium | 2023-10-13 |
| Potential Spoofing Risk through Firefox Private Relay Service | Content Spoofing | nicholas_cw | Medium | 2023-10-13 |
| Subdomain takeover on one of the subdomain under mozilla.org | Misconfiguration | d0xing | Medium | 2023-10-04 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | d0xing | Medium | 2023-10-04 |
| Subdomain takeover on one of the subdomain under mozaws.net | Misconfiguration | mikey96 | Medium | 2023-09-27 |
| Missing Function Level Access Control in Mozilla formula contains Regular Expression Denial of Service (CVE-2023-25166) | Uncontrolled Resource Consumption | hackeronanywhere | Medium | 2023-09-27 |
| If rate limit is hit, IP address is leaked to anyone who tries to login | Information Disclosure | anish-kosaraju | Low | 2023-09-20 |
| Stored Xss on bugzilla.mozilla.org via comment edit feature from non-admin to admin. | Cross-site Scripting (XSS) - Stored | r3dpars3c | Low | 2023-09-20 |
| IDOR - send a message on behalf of other user | Insecure Direct Object Reference (IDOR) | lamscun | Medium | 2023-09-20 |
| Mozilla Mastodon Staging Instance Admin API Key Disclosure Through Slack | Insecure Storage of Sensitive Information | griffinf | High | 2023-09-11 |
| Response Manipulation to enable Account recovery key with out current password | Improper Access Control - Generic | saiteja12313234 | No rating | 2023-09-11 |
| [Hubs] - Broken access control in placing objects in hubs room | Improper Access Control - Generic | quikke | Medium | 2023-07-20 |
| DOS via cache poisoning on [developer.mozilla.org] | Cache Poisoning | zhero_ | Low | 2023-06-05 |
| Email user account in indexacao waybackurl | Brute Force | kauenavarro | Medium | 2023-04-05 |
| HTML Injection / Reflected Cross-Site Scripting with CSP on https://accounts.firefox.com/settings | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | celesian | Medium | 2023-04-04 |