Multiple vulnerabilities in Mozilla Firefox and Firefox ESR
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4576 CVE-2023-4579 CVE-2023-4581 CVE-2023-4584 CVE-2023-4577 CVE-2023-4578 CVE-2023-4580 CVE-2023-4582 CVE-2023-4583 CVE-2023-4585 |
| CWE-ID | CWE-416 CWE-190 CWE-20 CWE-357 CWE-119 CWE-400 CWE-312 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU80090
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4573
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in IPC CanvasTranslator. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 116.0.3
Firefox ESR: 102.0 - 115.1.0
Firefox for Android: 100.1.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU80091
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4574
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in IPC ColorPickerShownCallback. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 116.0.3
Firefox ESR: 102.0 - 115.1.0
Firefox for Android: 100.1.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU80092
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4575
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in IPC FilePickerShownCallback. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 116.0.3
Firefox ESR: 102.0 - 115.1.0
Firefox for Android: 100.1.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Integer overflow
EUVDB-ID: #VU80093
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4576
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in RecordedSourceSurfaceCreation. A remote attacker can trick the victim to visit a specially crafted website, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability affects Firefox installations on Windows only.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 116.0.3
Firefox ESR: 102.0 - 115.1.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU80096
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4579
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling persistent search terms. Search queries in the default search engine can appear to have been the currently navigated URL if the search query itself is a well formed URL. As a result, a remote attacker can perform a spoofing attack if it had been maliciously set as the default search engine.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 116.0.3
Firefox for Android: 116.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU80094
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4581
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a missing warning when downloading Excel .xll add-in files. A remote attacker can trick the victim to visit a specially crafted website and force the browser to download potentially dangerous files without any warning.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 116.0.3
Firefox ESR: 102.0 - 115.1.0
Firefox for Android: 100.1.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Buffer overflow
EUVDB-ID: #VU80095
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4584
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 116.0.3
Firefox ESR: 102.0 - 115.1.0
Firefox for Android: 100.1.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Buffer overflow
EUVDB-ID: #VU80097
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4577
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in JIT UpdateRegExpStatics when UpdateRegExpStatics attempted to access initialStringHeap. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 115.0 - 116.0.3
Firefox ESR: 115.0 - 115.1.0
Firefox for Android: 115.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Resource exhaustion
EUVDB-ID: #VU80098
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4578
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in JS::CheckRegExpSyntax. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 115.0 - 116.0.3
Firefox ESR: 115.0 - 115.1.0
Firefox for Android: 115.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cleartext storage of sensitive information
EUVDB-ID: #VU80099
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4580
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to push notifications are saved to disk unencrypted. A local user can gain access to potentially sensitive information.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 115.0 - 116.0.3
Firefox ESR: 115.0 - 115.1.0
Firefox for Android: 115.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU80100
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4582
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebGL glGetProgramiv. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability affects only Firefox installations on macOS.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 115.0 - 116.0.3
Firefox ESR: 115.0 - 115.1.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Information disclosure
EUVDB-ID: #VU80101
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4583
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to private session data are not cleared in HttpBaseChannel when closing private window. A remote attacker can obtain information from the not cleared session.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 115.0 - 116.0.3
Firefox ESR: 115.0 - 115.1.0
Firefox for Android: 115.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Buffer overflow
EUVDB-ID: #VU80102
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-4585
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 115.0 - 116.0.3
Firefox ESR: 115.0 - 115.1.0
Firefox for Android: 115.0 - 116.3.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-34/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
