
Rewterz Threat Advisory – Multiple Mozilla Firefox Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-5758 CVSS:6.5

Mozilla Firefox for iOS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when opening a page in reader mode. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-5732 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the creation of a malicious link using bidirectional characters. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the location in the address bar when visited.
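A defensive check for links carrying bidirectional control characters, for use on URLs pulled from mail or proxy logs. This is an added example, not code from the advisory or from Mozilla. The advisory does not name the characters involved, so the set below (the Unicode bidi control characters) and the function names are assumptions.

```python
import unicodedata
from urllib.parse import unquote

# Assumption: the Unicode bidirectional control characters (marks,
# embeddings, overrides and isolates). The advisory does not list them.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f"
    "\u202a\u202b\u202c\u202d\u202e"
    "\u2066\u2067\u2068\u2069"
)


def find_bidi_controls(url):
    """Return (offset, 'U+XXXX', name) for each bidi control in the URL.

    The URL is percent-decoded first, so an encoded control such as
    %E2%80%AE is caught as well as a raw one. Offsets index the decoded text.
    """
    decoded = unquote(url, errors="replace")
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(decoded)
        if ch in BIDI_CONTROLS
    ]


def triage(urls):
    """Map each flagged URL to its findings, skipping clean URLs."""
    report = {}
    for url in urls:
        hits = find_bidi_controls(url)
        if hits:
            # ascii() renders the invisible characters as visible escapes.
            report[ascii(url)] = hits
    return report


# Constructed sample links, not taken from the advisory.
SAMPLE_URLS = [
    "https://example.com/docs/report.pdf",
    "https://example.com/\u202eabc",
    "https://example.com/%E2%80%AEabc",
    "https://example.com/a\u2066b\u2069c",
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(url, hits)
```
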

CVE-2023-5731 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-5730 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-5729 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by obscuring the full screen notification by using WebAuthn prompts. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.

CVE-2023-5728 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by improper object tracking during GC in the JavaScript engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2023-5727 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to present the executable file warning when downloading .msix, .msixbundle, .appx, and .appxbundle files. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass download protections.

CVE-2023-5726 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by obscuring the full screen notification by using the file open dialog. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.

CVE-2023-5725 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the use of a malicious installed WebExtension to open arbitrary URLs. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to collect sensitive user data.

CVE-2023-5724 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by extremely large WebGL draw calls. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2023-5723 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by setting a cookie containing invalid characters using document.cookie. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2023-5722 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a cross-origin size and header leakage. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to learn the size of an opaque response, as well as the contents of a server-supplied Vary header.

CVE-2023-5721 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct a clickjacking attack, caused by an insufficient activation-delay. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to hijack the clicking actions of another user.

Impact

  • Denial of Service
  • Cross-Site Scripting
  • Information Theft
  • Security Bypass
  • Information Disclosure

Indicators Of Compromise

CVE

  • CVE-2023-5758
  • CVE-2023-5732
  • CVE-2023-5731
  • CVE-2023-5730
  • CVE-2023-5729
  • CVE-2023-5728
  • CVE-2023-5727
  • CVE-2023-5726
  • CVE-2023-5725
  • CVE-2023-5724
  • CVE-2023-5723
  • CVE-2023-5722
  • CVE-2023-5721

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox for iOS 118
  • Mozilla Firefox ESR 115.3
  • Mozilla Thunderbird 115.3
  • Mozilla Firefox 118

Remediation

Refer to the Mozilla Foundation Security Advisory for patch, upgrade, or suggested workaround information.

Mozilla Firefox ESR 115.4 and Thunderbird 115.3

Mozilla Firefox for iOS 119

Mozilla Firefox 119