http://www.open-source-security-software.net/project/TorBrowser/cves.atom 2025-05-03T02:35:22.846998+00:00 python-feedgen CVE-2023-23589 2023-01-14T01:15:00+00:00 The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002. 2023-01-14T01:15:00+00:00 CVE-2022-33903 2022-07-17T23:15:00+00:00 Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation. 2022-07-17T23:15:00+00:00 CVE-2021-46702 2022-02-26T03:15:00+00:00 Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. This could allow local attackers to bypass the intended anonymity feature and obtain information regarding the onion services visited by a local user. This can be accomplished by analyzing RAM memory even several hours after the local user used the product. This occurs because the product doesn't properly free memory. 2022-02-26T03:15:00+00:00 CVE-2021-39246 2021-09-24T19:15:00+00:00 Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. Exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network). 2021-09-24T19:15:00+00:00 CVE-2021-38385 2021-08-30T05:15:00+00:00 Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007. 2021-08-30T05:15:00+00:00 CVE-2021-34549 2021-06-29T12:15:00+00:00 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data. Consequently. an attacker can trigger the use of an attacker-chosen circuit ID to cause algorithm inefficiency. 2021-06-29T12:15:00+00:00 CVE-2021-34550 2021-06-29T12:15:00+00:00 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The v3 onion service descriptor parsing allows out-of-bounds memory access, and a client crash, via a crafted onion service descriptor 2021-06-29T12:15:00+00:00 CVE-2021-34548 2021-06-29T11:15:00+00:00 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the intended access control for ending a stream. 2021-06-29T11:15:00+00:00 CVE-2021-28090 2021-03-19T05:15:00+00:00 Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002. 2021-03-19T05:15:00+00:00 CVE-2021-28089 2021-03-19T05:15:00+00:00 Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001. 2021-03-19T05:15:00+00:00 CVE-2019-8955 2019-02-21T23:29:00+00:00 In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler. 2019-02-21T23:29:00+00:00 CVE-2020-8516 2020-02-02T13:15:00+00:00 ** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability. 2020-02-02T13:15:00+00:00 CVE-2016-9079 2018-06-11T21:29:00+00:00 A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1. 2018-06-11T21:29:00+00:00 CVE-2016-8860 2017-01-04T20:59:00+00:00 Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data. 2017-01-04T20:59:00+00:00 CVE-2018-16983 2018-09-13T04:29:00+00:00 NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and other products, allows attackers to bypass script blocking via the text/html;/json Content-Type value. 2018-09-13T04:29:00+00:00 CVE-2020-15572 2020-07-15T17:15:00+00:00 Tor before 0.4.3.6 has an out-of-bounds memory access that allows a remote denial-of-service (crash) attack against Tor instances built to use Mozilla Network Security Services (NSS), aka TROVE-2020-001. 2020-07-15T17:15:00+00:00 CVE-2013-7295 2014-01-17T21:55:00+00:00 Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors. 2014-01-17T21:55:00+00:00 CVE-2019-13075 2019-06-30T14:15:00+00:00 Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68. 2019-06-30T14:15:00+00:00 CVE-2017-16639 2018-09-14T21:29:00+00:00 Tor Browser on Windows before 8.0 allows remote attackers to bypass the intended anonymity feature and discover a client IP address, a different vulnerability than CVE-2017-16541. User interaction is required to trigger this vulnerability. 2018-09-14T21:29:00+00:00 CVE-2017-16541 2017-11-04T18:29:00+00:00 Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected. 2017-11-04T18:29:00+00:00 CVE-2012-5573 2013-01-01T12:35:00+00:00 The connection_edge_process_relay_cell function in or/relay.c in Tor before 0.2.3.25 maintains circuits even if an unexpected SENDME cell arrives, which might allow remote attackers to cause a denial of service (memory consumption or excessive cell reception rate) or bypass intended flow-control restrictions via a RELAY_COMMAND_SENDME command. 2013-01-01T12:35:00+00:00 CVE-2019-12383 2019-05-28T03:29:00+00:00 Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser's UI locale by measuring a button width, even if the user has a "Don't send my language" setting. 2019-05-28T03:29:00+00:00 CVE-2014-5117 2014-07-30T16:55:00+00:00 Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating information about hidden service names. 2014-07-30T16:55:00+00:00 CVE-2012-4922 2012-09-14T18:55:00+00:00 The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time values, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed directory object, a different vulnerability than CVE-2012-4419. 2012-09-14T18:55:00+00:00 CVE-2016-1254 2017-12-05T16:29:00+00:00 Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor. 2017-12-05T16:29:00+00:00 CVE-2012-4419 2012-09-14T18:55:00+00:00 The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a zero-valued port field that is not properly handled during policy comparison. 2012-09-14T18:55:00+00:00 CVE-2015-2928 2020-01-24T18:15:00+00:00 The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors. 2020-01-24T18:15:00+00:00 CVE-2015-2929 2020-01-24T18:15:00+00:00 The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote servers to cause a denial of service (assertion failure and application exit) via a malformed HS descriptor. 2020-01-24T18:15:00+00:00 CVE-2015-2688 2020-01-24T18:15:00+00:00 buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid layouts, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets. 2020-01-24T18:15:00+00:00 CVE-2012-2249 2014-02-03T03:55:00+00:00 Tor before 0.2.3.23-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a renegotiation attempt that occurs after the initiation of the V3 link protocol. 2014-02-03T03:55:00+00:00 CVE-2015-2689 2020-01-24T18:15:00+00:00 Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets. 2020-01-24T18:15:00+00:00 CVE-2012-2250 2014-02-03T03:55:00+00:00 Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol negotiation incorrectly. 2014-02-03T03:55:00+00:00 CVE-2020-10592 2020-03-23T13:15:00+00:00 Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU consumption), aka TROVE-2020-002. 2020-03-23T13:15:00+00:00 CVE-2020-10593 2020-03-23T13:15:00+00:00 Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak), aka TROVE-2020-004. This occurs in circpad_setup_machine_on_circ because a circuit-padding machine can be negotiated twice on the same circuit. 2020-03-23T13:15:00+00:00 CVE-2018-0490 2018-03-05T15:29:00+00:00 An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting. 2018-03-05T15:29:00+00:00 CVE-2018-0491 2018-03-05T15:29:00+00:00 A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. It allows remote attackers to cause a denial of service (relay crash) because the KIST implementation allows a channel to be added more than once in the pending list. 2018-03-05T15:29:00+00:00 CVE-2017-0376 2017-06-09T17:29:00+00:00 The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the connection_edge_process_relay_cell function via a BEGIN_DIR cell on a rendezvous circuit. 2017-06-09T17:29:00+00:00 CVE-2017-0377 2017-07-02T15:29:00+00:00 Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might allow remote attackers to defeat intended anonymity properties by leveraging the existence of large families. 2017-07-02T15:29:00+00:00 CVE-2017-0375 2017-06-09T17:29:00+00:00 The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell. 2017-06-09T17:29:00+00:00 CVE-2017-0380 2017-09-18T16:29:00+00:00 The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit. 2017-09-18T16:29:00+00:00 CVE-2018-16983 2018-09-13T00:29:00.280000+00:00 NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and other products, allows attackers to bypass script blocking via the text/html;/json Content-Type value. 2018-09-13T00:29:00.280000+00:00 CVE-2019-13075 2019-06-30T10:15:09.483000+00:00 Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68. 2019-06-30T10:15:09.483000+00:00 CVE-2019-12383 2019-05-27T23:29:00.513000+00:00 Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser's UI locale by measuring a button width, even if the user has a "Don't send my language" setting. 2019-05-27T23:29:00.513000+00:00 CVE-2019-8955 2019-02-21T18:29:00.267000+00:00 In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler. 2019-02-21T18:29:00.267000+00:00 CVE-2017-16639 2018-09-14T17:29:03.100000+00:00 Tor Browser on Windows before 8.0 allows remote attackers to bypass the intended anonymity feature and discover a client IP address, a different vulnerability than CVE-2017-16541. User interaction is required to trigger this vulnerability. 2018-09-14T17:29:03.100000+00:00 CVE-2016-9079 2018-06-11T17:29:01.797000+00:00 A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1. 2018-06-11T17:29:01.797000+00:00 CVE-2018-0490 2018-03-05T10:29:00.207000+00:00 An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting. 2018-03-05T10:29:00.207000+00:00 CVE-2008-5264 2008-11-28T14:00:00.233000+00:00 Cross-site scripting (XSS) vulnerability in searcher.exe in Tornado Knowledge Retrieval System 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the p parameter in a root action. 2008-11-28T14:00:00.233000+00:00 CVE-2012-4419 2012-09-14T14:55:04.917000+00:00 The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a zero-valued port field that is not properly handled during policy comparison. 2012-09-14T14:55:04.917000+00:00 CVE-2012-4922 2012-09-14T14:55:04.980000+00:00 The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time values, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed directory object, a different vulnerability than CVE-2012-4419. 2012-09-14T14:55:04.980000+00:00 CVE-2012-5573 2013-01-01T07:35:14.617000+00:00 The connection_edge_process_relay_cell function in or/relay.c in Tor before 0.2.3.25 maintains circuits even if an unexpected SENDME cell arrives, which might allow remote attackers to cause a denial of service (memory consumption or excessive cell reception rate) or bypass intended flow-control restrictions via a RELAY_COMMAND_SENDME command. 2013-01-01T07:35:14.617000+00:00 CVE-2013-7295 2014-01-17T16:55:14.613000+00:00 Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors. 2014-01-17T16:55:14.613000+00:00 CVE-2012-2249 2014-02-02T22:55:03.627000+00:00 Tor before 0.2.3.23-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a renegotiation attempt that occurs after the initiation of the V3 link protocol. 2014-02-02T22:55:03.627000+00:00 CVE-2012-2250 2014-02-02T22:55:03.660000+00:00 Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol negotiation incorrectly. 2014-02-02T22:55:03.660000+00:00 CVE-2014-5751 2014-09-09T06:55:10.973000+00:00 The Tor Browser the Short Guide (aka com.wTorShortUserManual) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2014-09-09T06:55:10.973000+00:00 CVE-2014-5117 2014-07-30T12:55:07.073000+00:00 Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating information about hidden service names. 2014-07-30T12:55:07.073000+00:00 CVE-2016-8860 2017-01-04T15:59:00.340000+00:00 Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data. 2017-01-04T15:59:00.340000+00:00 CVE-2016-3180 2017-02-07T12:59:00.427000+00:00 Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature. 2017-02-07T12:59:00.427000+00:00 CVE-2017-0375 2017-06-09T13:29:00.217000+00:00 The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell. 2017-06-09T13:29:00.217000+00:00 CVE-2017-0376 2017-06-09T13:29:00.263000+00:00 The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the connection_edge_process_relay_cell function via a BEGIN_DIR cell on a rendezvous circuit. 2017-06-09T13:29:00.263000+00:00 CVE-2017-0377 2017-07-02T11:29:00.187000+00:00 Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might allow remote attackers to defeat intended anonymity properties by leveraging the existence of large families. 2017-07-02T11:29:00.187000+00:00 CVE-2017-0380 2017-09-18T12:29:00.207000+00:00 The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit. 2017-09-18T12:29:00.207000+00:00 CVE-2017-16541 2017-11-04T14:29:00.187000+00:00 Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected. 2017-11-04T14:29:00.187000+00:00 CVE-2016-1254 2017-12-05T11:29:00.313000+00:00 Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor. 2017-12-05T11:29:00.313000+00:00 CVE-2014-6027 2018-01-16T14:29:00.230000+00:00 Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.4 allow (1) remote attackers to inject arbitrary web script or HTML by leveraging failure to encode file contents when downloading a torrent file or (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a link to torrent details. 2018-01-16T14:29:00.230000+00:00