Multiple vulnerabilities in Mozilla Firefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 19 |
| CVE-ID | CVE-2023-6856 CVE-2023-6865 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6867 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6871 CVE-2023-6870 CVE-2023-6869 CVE-2023-6868 CVE-2023-6135 CVE-2023-6866 CVE-2023-6873 CVE-2023-6872 |
| CWE-ID | CWE-122 CWE-457 CWE-124 CWE-416 CWE-254 CWE-450 CWE-758 CWE-119 CWE-357 CWE-284 CWE-203 CWE-755 CWE-532 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 19 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU84557
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6856
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WebGL DrawElementsInstanced method when used on systems with the Mesa VM driver. A remote attacker can trick the victim to visit a specially crafted website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of Uninitialized Variable
EUVDB-ID: #VU84558
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6865
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to access to uninitialized data in EncryptingOutputStream. A remote attacker can trick the victim to visit a specially crafted website, trigger memory corruption and write data to a local disk, which may have implications for private browsing mode.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer Underwrite ('Buffer Underflow')
EUVDB-ID: #VU84559
Risk: Low
CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6857
CWE-ID:
CWE-124 - Buffer Underwrite ('Buffer Underflow')
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to an error when handling symbolic links. A local user can trigger a race when the browser resolves a symbolic link, where the buffer passed to readlink may actually be smaller than necessary. A local user can gain access to potentially sensitive information.
The vulnerability affects Unix based operating systems only (e.g. Android, Linux, MacOS).
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU84560
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6858
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in nsTextFragment when handling out-of-memory situations. A remote attacker can trick the victim to visit a specially crafted website, trigger a heap overflow and crash the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU84561
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6859
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in PR_GetIdentitiesLayer when creating the TLS socket. A remote attacker can trick the victim to visit a specially crafted website and crash the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Security features bypass
EUVDB-ID: #VU84562
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6860
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to VideoBridge lack of texture validation. A remote attacker can trick the victim to open a specially crafted website, escape the sandbox and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Multiple Interpretations of UI Input
EUVDB-ID: #VU84563
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6867
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to a timing issue when the user clicks on a button. The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. A remote attacker can perform clickjacking attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Heap-based buffer overflow
EUVDB-ID: #VU84564
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6861
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the nsWindow::PickerOpen(void) method when the browser is running in headless mode. A remote attacker can trick the victim to visit a specially crafted website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU84565
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6862
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a use-after-free error in nsDNSService::Init during browser startup. A remote attacker with control over the DNS server can cause the browser to crash.
Install updates from vendor's website.
Vulnerable software versionsFirefox ESR: 115.0 - 115.5.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Reliance on undefined behavior
EUVDB-ID: #VU84566
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6863
CWE-ID:
CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to reliance on undefined behavior in ShutdownObserver(). A remote attacker can crash the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU84567
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6864
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 120.0.1
Firefox ESR: 102.0 - 115.5.0
Firefox for Android: 66.0.4 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU84573
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6871
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to lack of protocol handler warning when navigating to a new protocol handler. A remote attacker can perform spoofing attack.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 120.0.1
Firefox for Android: 116.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU84572
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6870
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when handling Toast notifications. Applications which spawn a Toast notification in a background thread can obscure fullscreen notifications displayed by the browser.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Multiple Interpretations of UI Input
EUVDB-ID: #VU84571
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6869
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when displaying browser content. A <dialog> element can be manipulated to paint content outside of a sandboxed iframe, which could allow untrusted content to display under the guise of trusted content.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 120.0.1
Firefox for Android: 116.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Improper access control
EUVDB-ID: #VU84570
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6868
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Observable discrepancy
EUVDB-ID: #VU84568
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6135
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a side-channel attack in multiple NSS NIST curves, known as "Minerva". A remote attacker can recover the private key and decrypt data passed between server and client.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 120.0.1
Firefox for Android: 116.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Improper handling of exceptional conditions
EUVDB-ID: #VU84569
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6866
CWE-ID:
CWE-755 - Improper Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of errors in TypedArrays. A remote attacker can trick the victim to open a specially crafted website and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 120.0.1
Firefox for Android: 116.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Buffer overflow
EUVDB-ID: #VU84575
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6873
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 120.0.1
Firefox for Android: 116.0 - 120.1.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU84574
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6872
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to Browser tab titles are leaked by GNOME to system logs. A local user can read the log files and gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 116.0 - 120.0.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
