April 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – ModiLoader aka DBatLoader – Active IOCs
April 12, 2023Rewterz Threat Advisory – Multiple Fortinet Products Vulnerabilities
April 12, 2023Rewterz Threat Alert – ModiLoader aka DBatLoader – Active IOCs
April 12, 2023Rewterz Threat Advisory – Multiple Fortinet Products Vulnerabilities
April 12, 2023
Severity
High
Analysis Summary
CVE-2023-29537 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by multiple race conditions in the font initialization. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29536 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the failure to correctly free a pointer that addresses attacker-controlled memory. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29535 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption following Garbage Collector compaction. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29534 CVSS:6.5
Mozilla Firefox for Android and Focus for Android could allow a remote attacker to conduct spoofing attacks, caused by the use of different techniques. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obscure the fullscreen notification and conduct a spoofing attack.
CVE-2023-29532 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by tricking the Mozilla Maintenance Service into applying an unsigned update file. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass the write-lock.
CVE-2023-29533 CVSS:6.5
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obscure the fullscreen notification and conduct a spoofing attack.
CVE-2023-29531 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access using WebGL APIs. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29479 CVSS:6.5
Mozilla Thunderbird is vulnerable to a denial of service, caused by an error when processing certain OpenPGP messages. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trigger incorrect parsing of PKESK/SKESK packets and cause the user interface to hang.
CVE-2023-0547 CVSS:6.5
Mozilla Thunderbird could allow a remote attacker to bypass security restrictions, caused by the failure to check the revocation status of S/Mime recipient certificates. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to accept revoked certificates.
CVE-2023-1945 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption in the Safe Browsing code. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29551 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29550 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29549 CVSS:6.5
Mozilla Firefox could provide weaker than expected security, caused by the failure of Javascript’s bind function. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to result in the incorrect realm.
CVE-2023-29548 CVSS:6.5
Mozilla Firefox could provide weaker than expected security, caused by wrong lowering instruction in the ARM64 Ion compiler. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to result in a wrong optimization result.
CVE-2023-29547 CVSS:6.5
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the creation of an insecure cookie when a secure cookie exists. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the secure document cookie.
CVE-2023-29546 CVSS:6.5
Mozilla Firefox for Android could allow a remote attacker to obtain sensitive information, caused by an error when recording the screen while in Private Browsing. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain the address bar and other sensitive information.
CVE-2023-29544 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a memory collector in garbage collector. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29543 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in debugging APIs. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-29542 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the use of a newline in a filename. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass the file extension security mechanisms.
CVE-2023-29541 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to properly handle downloads of files ending in .desktop. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to run attacker-controlled commands.
CVE-2023-29540 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by using a redirect embedded into sourceMappingUrls. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to navigate to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols.
CVE-2023-29539 CVSS:6.5
Mozilla Firefox could allow a remote attacker to download arbitrary files, caused by the truncation of Content-Disposition filename. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to lead to a reflected file download attack.
CVE-2023-29538 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the leak of directory information. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain directory paths on the user’s machine.
CVE-2023-29545 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
Impact
- Code Execution
- Gain Access
- Denial of Service
- Security Bypass
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-29537
- CVE-2023-29536
- CVE-2023-29535
- CVE-2023-29534
- CVE-2023-29532
- CVE-2023-29533
- CVE-2023-29531
- CVE-2023-29479
- CVE-2023-0547
- CVE-2023-1945
- CVE-2023-29551
- CVE-2023-29550
- CVE-2023-29549
- CVE-2023-29548
- CVE-2023-29547
- CVE-2023-29546
- CVE-2023-29544
- CVE-2023-29543
- CVE-2023-29542
- CVE-2023-29541
- CVE-2023-29540
- CVE-2023-29539
- CVE-2023-29538
- CVE-2023-29545
Affected Vendors
Mozilla
Affected Products
- Mozilla Firefox 111
- Mozilla Firefox ESR 102.9
- Mozilla Thunderbird 102.9
- Mozilla Firefox for Android 111
- Mozilla Focus for Android 111
Remediation
Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.
Mozilla Foundation Security Advisory 2023-13
