Multiple vulnerabilities in Mozilla Firefox



Risk High
Patch available YES
Number of vulnerabilities 19
CVE-ID CVE-2023-6856
CVE-2023-6865
CVE-2023-6857
CVE-2023-6858
CVE-2023-6859
CVE-2023-6860
CVE-2023-6867
CVE-2023-6861
CVE-2023-6862
CVE-2023-6863
CVE-2023-6864
CVE-2023-6871
CVE-2023-6870
CVE-2023-6869
CVE-2023-6868
CVE-2023-6135
CVE-2023-6866
CVE-2023-6873
CVE-2023-6872
CWE-ID CWE-122
CWE-457
CWE-124
CWE-416
CWE-254
CWE-450
CWE-758
CWE-119
CWE-357
CWE-284
CWE-203
CWE-755
CWE-532
Exploitation vector Network
Public exploit N/A
Vulnerable software
Mozilla Firefox
Client/Desktop applications / Web browsers

Firefox ESR
Client/Desktop applications / Web browsers

Firefox for Android
Mobile applications / Apps for mobile phones

Vendor Mozilla

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU84557

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6856

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the WebGL DrawElementsInstanced method when used on systems with the Mesa VM driver. A remote attacker can trick the victim to visit a specially crafted website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of Uninitialized Variable

EUVDB-ID: #VU84558

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6865

CWE-ID: CWE-457 - Use of Uninitialized Variable

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to access to uninitialized data in EncryptingOutputStream. A remote attacker can trick the victim to visit a specially crafted website, trigger memory corruption and write data to a local disk, which may have implications for private browsing mode.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer Underwrite ('Buffer Underflow')

EUVDB-ID: #VU84559

Risk: Low

CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6857

CWE-ID: CWE-124 - Buffer Underwrite ('Buffer Underflow')

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an error when handling symbolic links. A local user can trigger a race when the browser resolves a symbolic link, where the buffer passed to readlink may actually be smaller than necessary. A local user can gain access to potentially sensitive information.

The vulnerability affects Unix based operating systems only (e.g. Android, Linux, MacOS).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU84560

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6858

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in nsTextFragment when handling out-of-memory situations. A remote attacker can trick the victim to visit a specially crafted website, trigger a heap overflow and crash the browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

EUVDB-ID: #VU84561

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6859

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in PR_GetIdentitiesLayer when creating the TLS socket. A remote attacker can trick the victim to visit a specially crafted website and crash the browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security features bypass

EUVDB-ID: #VU84562

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6860

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to VideoBridge lack of texture validation. A remote attacker can trick the victim to open a specially crafted website, escape the sandbox and gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Multiple Interpretations of UI Input

EUVDB-ID: #VU84563

Risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6867

CWE-ID: CWE-450 - Multiple Interpretations of UI Input

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform clickjacking attack.

The vulnerability exists due to a timing issue when the user clicks on a button. The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. A remote attacker can perform clickjacking attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Heap-based buffer overflow

EUVDB-ID: #VU84564

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6861

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the nsWindow::PickerOpen(void) method when the browser is running in headless mode. A remote attacker can trick the victim to visit a specially crafted website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Use-after-free

EUVDB-ID: #VU84565

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6862

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the browser.

The vulnerability exists due to a use-after-free error in nsDNSService::Init during browser startup. A remote attacker with control over the DNS server can cause the browser to crash.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox ESR: 115.0 - 115.5.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Reliance on undefined behavior

EUVDB-ID: #VU84566

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6863

CWE-ID: CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to reliance on undefined behavior in ShutdownObserver(). A remote attacker can crash the browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Buffer overflow

EUVDB-ID: #VU84567

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6864

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 120.0.1

Firefox ESR: 102.0 - 115.5.0

Firefox for Android: 66.0.4 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU84573

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6871

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to lack of protocol handler warning when navigating to a new protocol handler. A remote attacker can perform spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 116.0 - 120.0.1

Firefox for Android: 116.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU84572

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6870

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when handling Toast notifications. Applications which spawn a Toast notification in a background thread can obscure fullscreen notifications displayed by the browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 120.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Multiple Interpretations of UI Input

EUVDB-ID: #VU84571

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6869

CWE-ID: CWE-450 - Multiple Interpretations of UI Input

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when displaying browser content. A <dialog> element can be manipulated to paint content outside of a sandboxed iframe, which could allow untrusted content to display under the guise of trusted content.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 116.0 - 120.0.1

Firefox for Android: 116.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper access control

EUVDB-ID: #VU84570

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6868

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 120.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Observable discrepancy

EUVDB-ID: #VU84568

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6135

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a side-channel attack in multiple NSS NIST curves, known as "Minerva". A remote attacker can recover the private key and decrypt data passed between server and client.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 116.0 - 120.0.1

Firefox for Android: 116.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper handling of exceptional conditions

EUVDB-ID: #VU84569

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6866

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors in TypedArrays. A remote attacker can trick the victim to open a specially crafted website and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 116.0 - 120.0.1

Firefox for Android: 116.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU84575

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6873

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 116.0 - 120.0.1

Firefox for Android: 116.0 - 120.1.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU84574

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6872

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to Browser tab titles are leaked by GNOME to system logs. A local user can read the log files and gain access to sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 116.0 - 120.0.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2023-56/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###