
Rewterz Threat Advisory – Multiple Mozilla Firefox Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-25728 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a Content Security Policy (CSP) leak in violation reports using iframes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using the Content-Security-Policy-Report-Only header to leak a child iframe’s unredacted URI.

CVE-2023-25730 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by a background script that invokes requestFullscreen and then blocks the main thread. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to hijack the screen and conduct a spoofing attack.

CVE-2023-25743 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by a lack of in-app notification for entering fullscreen mode. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the Web site.

CVE-2023-0767 CVSS:8.8

Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to execute arbitrary code on the system, caused by an arbitrary memory write. By constructing a specially-crafted PKCS 12 cert bundle, a remote attacker could exploit this vulnerability using PKCS 12 Safe Bag attributes to perform arbitrary memory writes and execute arbitrary code on the vulnerable system.

CVE-2023-25735 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free from compartment mismatch in SpiderMonkey. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-25737 CVSS:8.8

Mozilla Firefox could provide weaker than expected security, caused by an invalid downcast from nsTextNode to SVGElement. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trigger undefined behavior.

CVE-2023-25738 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by the failure to validate members of the DEVMODEW struct set by the printer device driver. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to attempt out-of-bounds access to related variables, resulting in a crash.

CVE-2023-25739 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-25729 CVSS:8.8

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by permission prompts for opening external schemes being opened by extensions and without user interaction. A remote attacker could exploit this vulnerability to conduct malicious actions such as downloading files or interacting with software already installed on the system.

CVE-2023-25732 CVSS:6.5

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory write from EncodeInputStream. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-25734 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the opening of local .url files. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause unexpected network requests from the operating system.

CVE-2023-25740 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the opening of local .scf files. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause unexpected network requests from the operating system.

CVE-2023-25731 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution when rendering URLPreview. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to overwrite global objects in privileged code and execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-25733 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by a NULL pointer dereference in TaskbarPreviewCallback. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-25736 CVSS:6.5

Mozilla Firefox could provide weaker than expected security, caused by an invalid downcast from nsHTMLDocument to nsIContent. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trigger undefined behavior.

CVE-2023-25741 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a same-origin policy leak when dragging and dropping an image. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain the image’s size.

CVE-2023-25742 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by the improper handling of the key when importing a SPKI RSA public key as ECDSA P-256. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the tab to crash.

CVE-2023-25744 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-25745 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

  • Gain Access
  • Code Execution
  • Denial of Service
  • Information Disclosure
  • Security Bypass

Indicators Of Compromise

CVE

  • CVE-2023-25728
  • CVE-2023-25730
  • CVE-2023-25743
  • CVE-2023-0767
  • CVE-2023-25735
  • CVE-2023-25737
  • CVE-2023-25738
  • CVE-2023-25739
  • CVE-2023-25729
  • CVE-2023-25732
  • CVE-2023-25734
  • CVE-2023-25740
  • CVE-2023-25731
  • CVE-2023-25733
  • CVE-2023-25736
  • CVE-2023-25741
  • CVE-2023-25742
  • CVE-2023-25744
  • CVE-2023-25745

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox 109
  • Mozilla Firefox ESR 102.7

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Foundation Security Advisory