SUSE update for MozillaFirefox, MozillaFirefox-branding-SLE
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2023-3482 CVE-2023-37201 CVE-2023-37202 CVE-2023-37203 CVE-2023-37204 CVE-2023-37205 CVE-2023-37206 CVE-2023-37207 CVE-2023-37208 CVE-2023-37209 CVE-2023-37210 CVE-2023-37211 CVE-2023-37212 |
| CWE-ID | CWE-254 CWE-416 CWE-20 CWE-357 CWE-451 CWE-61 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Desktop Applications Module Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP3 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP2 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing LTSS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing ESPOS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system MozillaFirefox-devel Operating systems & Components / Operating system package or component MozillaFirefox-branding-upstream Operating systems & Components / Operating system package or component MozillaFirefox-translations-other Operating systems & Components / Operating system package or component MozillaFirefox-debuginfo Operating systems & Components / Operating system package or component MozillaFirefox-branding-SLE Operating systems & Components / Operating system package or component MozillaFirefox-debugsource Operating systems & Components / Operating system package or component MozillaFirefox-translations-common Operating systems & Components / Operating system package or component MozillaFirefox Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Security features bypass
EUVDB-ID: #VU77945
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-3482
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when Firefox is configured to block storage of all cookies. It is still possible to store data in localstorage by using an iframe
with a source of 'about:blank'. A remote attacker can abuse such behavior to store tracking data without victim's permission.
Update the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU77940
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37201
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebRTC. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU77941
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37202
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Cross-compartment wrappers. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU77946
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37203
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation in the Drag and Drop API. A remote attacker trick the victim into creating a shortcut to local system files and leverage the Drag and Drop API behavior to execute arbitrary code.
Update the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU77947
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37204
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the way fullscreen notifications are handled within the browser. A remote attacker can obscure the fullscreen notification by using an option element by introducing lag via an expensive computational function and perform spoofing attack. MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Spoofing attack
EUVDB-ID: #VU77948
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37205
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data when processing RTL Arabic characters in the address bar. A remote attacker can spoof URL in the address bar.
Update the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) UNIX symbolic link following
EUVDB-ID: #VU77949
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37206
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a symlink following issue in the FileSystem API. A remote attacker can trick the victim into uploading a file, which contain a symlink to a critical file, and gain access to potentially sensitive information.
Update the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU77942
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37207
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the way fullscreen notifications are handled within the browser. A remote attacker can trick the victim to visit a specially crafted website that can obscure the fullscreen notification by using a URL
with a scheme handled by an external program, such as a mailto URL, and perform spoofing attack.
Update the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU77943
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37208
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to a missing warning when opening Diagcab files. A remote attacker can trick the victim into downloading a malicious Diagcab file and compromise the affected system.
Update the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free
EUVDB-ID: #VU77950
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37209
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in NotifyOnHistoryReload. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU77951
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37210
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the way the browser exists the fullscreen mode. A remote attacker can prevent a user from exiting full-screen mode via alert and prompt calls and perform spoofing attack. MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU77944
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37211
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Buffer overflow
EUVDB-ID: #VU77952
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-37212
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a malicious website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaFirefox, MozillaFirefox-branding-SLE to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP5
SUSE Linux Enterprise Server 15: SP2 - SP5
SUSE Linux Enterprise Real Time 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
openSUSE Leap: 15.4 - 15.5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
MozillaFirefox-devel: before 115.0-150200.152.93.1
MozillaFirefox-branding-upstream: before 115.0-150200.152.93.1
MozillaFirefox-translations-other: before 115.0-150200.152.93.1
MozillaFirefox-debuginfo: before 115.0-150200.152.93.1
MozillaFirefox-branding-SLE: before 115-150200.9.13.1
MozillaFirefox-debugsource: before 115.0-150200.152.93.1
MozillaFirefox-translations-common: before 115.0-150200.152.93.1
MozillaFirefox: before 115.0-150200.152.93.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232886-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
