Vulnerability-Lookup

CVE-2023-23601 (GCVE-0-2023-23601)

Vulnerability from cvelistv5 – Published: 2023-06-02 00:00 – Updated: 2025-12-18 15:22

Title

URL being dragged from cross-origin iframe into same tab triggers navigation

Summary

Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.

Severity ?

No CVSS data available.

Assigner

mozilla

References

4 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1794268
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 109 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 102.7 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 102.7 (custom)

Credits

Luan Herrera

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:35:33.288Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2023-02/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2023-01/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2023-03/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1794268"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23601",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T16:17:52.430940Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T16:18:26.500Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "109",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "102.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "102.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Luan Herrera"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox \u003c 109, Firefox ESR \u003c 102.7, and Thunderbird \u003c 102.7."
            }
          ],
          "value": "Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox \u003c 109, Firefox ESR \u003c 102.7, and Thunderbird \u003c 102.7."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-18T15:22:54.621Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1794268"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2023-01/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2023-02/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2023-03/"
        }
      ],
      "title": "URL being dragged from cross-origin iframe into same tab triggers navigation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2023-23601",
    "datePublished": "2023-06-02T00:00:00.000Z",
    "dateReserved": "2023-01-16T00:00:00.000Z",
    "dateUpdated": "2025-12-18T15:22:54.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-23601",
      "date": "2026-05-21",
      "epss": "0.00115",
      "percentile": "0.29758"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"109.0\", \"matchCriteriaId\": \"2809632C-444A-49A3-A7E7-D3BB027A91B8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"102.7\", \"matchCriteriaId\": \"1D5D3545-44B1-4576-B1BA-C461D4DC09A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"102.7\", \"matchCriteriaId\": \"E73E816A-885B-49D4-BB52-220D30866D7C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox \u003c 109, Thunderbird \u003c 102.7, and Firefox ESR \u003c 102.7.\"}]",
      "id": "CVE-2023-23601",
      "lastModified": "2024-11-21T07:46:30.763",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2023-06-02T17:15:10.727",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\", \"source\": \"security@mozilla.org\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-01/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-02/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-03/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-01/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-02/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-03/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-346\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23601\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2023-06-02T17:15:10.727\",\"lastModified\":\"2025-12-18T16:15:48.650\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox \u003c 109, Firefox ESR \u003c 102.7, and Thunderbird \u003c 102.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"109.0\",\"matchCriteriaId\":\"2809632C-444A-49A3-A7E7-D3BB027A91B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"102.7\",\"matchCriteriaId\":\"1D5D3545-44B1-4576-B1BA-C461D4DC09A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"102.7\",\"matchCriteriaId\":\"E73E816A-885B-49D4-BB52-220D30866D7C\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\",\"source\":\"security@mozilla.org\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2023-01/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2023-02/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2023-03/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2023-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2023-02/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2023-03/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-02/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-01/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-03/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:35:33.288Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23601\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T16:17:52.430940Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T16:18:16.952Z\"}}], \"cna\": {\"title\": \"URL being dragged from cross-origin iframe into same tab triggers navigation\", \"credits\": [{\"lang\": \"en\", \"value\": \"Luan Herrera\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"109\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"102.7\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"102.7\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-01/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-02/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2023-03/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox \u003c 109, Firefox ESR \u003c 102.7, and Thunderbird \u003c 102.7.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox \u003c 109, Firefox ESR \u003c 102.7, and Thunderbird \u003c 102.7.\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2025-12-18T15:22:54.621Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-23601\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-18T15:22:54.621Z\", \"dateReserved\": \"2023-01-16T00:00:00.000Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2023-06-02T00:00:00.000Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2023-AVI-0036

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans les produits Mozilla. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mozilla	Firefox	Firefox versions antérieures à 109
	Mozilla	Firefox ESR	Firefox ESR versions antérieures à 102.7

References

Title

Publication Time

Tags

Bulletin de sécurité Mozilla mfsa2023-02 du 17 janvier 2023	None	vendor-advisory
Bulletin de sécurité Mozilla mfsa2023-01 du 17 janvier 2023	None	vendor-advisory
Bulletin de sécurité Mozilla du 17 janvier 2023	-	other
Bulletin de sécurité Mozilla du 17 janvier 2023	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Firefox versions ant\u00e9rieures \u00e0 109",
      "product": {
        "name": "Firefox",
        "vendor": {
          "name": "Mozilla",
          "scada": false
        }
      }
    },
    {
      "description": "Firefox ESR versions ant\u00e9rieures \u00e0 102.7",
      "product": {
        "name": "Firefox ESR",
        "vendor": {
          "name": "Mozilla",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23604"
    },
    {
      "name": "CVE-2023-23598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23598"
    },
    {
      "name": "CVE-2023-23605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23605"
    },
    {
      "name": "CVE-2022-46877",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46877"
    },
    {
      "name": "CVE-2023-23602",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23602"
    },
    {
      "name": "CVE-2023-23597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23597"
    },
    {
      "name": "CVE-2023-23606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23606"
    },
    {
      "name": "CVE-2023-23600",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23600"
    },
    {
      "name": "CVE-2023-23603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23603"
    },
    {
      "name": "CVE-2023-23599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23599"
    },
    {
      "name": "CVE-2022-46871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46871"
    },
    {
      "name": "CVE-2023-23601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23601"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla du 17 janvier 2023",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla du 17 janvier 2023",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/"
    }
  ],
  "reference": "CERTFR-2023-AVI-0036",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Mozilla\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2023-02 du 17 janvier 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2023-01 du 17 janvier 2023",
      "url": null
    }
  ]
}

CERTFR-2023-AVI-0052

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans Mozilla Thunderbird. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mozilla	Thunderbird	Mozilla Thunderbird versions antérieures à 102.7

References

Title

Publication Time

Tags

Bulletin de sécurité Mozilla mfsa2023-03 du 18 janvier 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Mozilla Thunderbird versions ant\u00e9rieures \u00e0 102.7",
      "product": {
        "name": "Thunderbird",
        "vendor": {
          "name": "Mozilla",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23598"
    },
    {
      "name": "CVE-2023-23605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23605"
    },
    {
      "name": "CVE-2022-46877",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46877"
    },
    {
      "name": "CVE-2023-23602",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23602"
    },
    {
      "name": "CVE-2023-23603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23603"
    },
    {
      "name": "CVE-2023-23599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23599"
    },
    {
      "name": "CVE-2022-46871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46871"
    },
    {
      "name": "CVE-2023-23601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23601"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0052",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans\u003cspan class=\"textit\"\u003e\nMozilla Thunderbird\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Mozilla Thunderbird",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2023-03 du 18 janvier 2023",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-03/"
    }
  ]
}

CERTFR-2023-AVI-0036

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mozilla	Firefox	Firefox versions antérieures à 109
	Mozilla	Firefox ESR	Firefox ESR versions antérieures à 102.7

References

Title

Publication Time

Tags

Bulletin de sécurité Mozilla mfsa2023-02 du 17 janvier 2023	None	vendor-advisory
Bulletin de sécurité Mozilla mfsa2023-01 du 17 janvier 2023	None	vendor-advisory
Bulletin de sécurité Mozilla du 17 janvier 2023	-	other
Bulletin de sécurité Mozilla du 17 janvier 2023	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Firefox versions ant\u00e9rieures \u00e0 109",
      "product": {
        "name": "Firefox",
        "vendor": {
          "name": "Mozilla",
          "scada": false
        }
      }
    },
    {
      "description": "Firefox ESR versions ant\u00e9rieures \u00e0 102.7",
      "product": {
        "name": "Firefox ESR",
        "vendor": {
          "name": "Mozilla",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23604"
    },
    {
      "name": "CVE-2023-23598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23598"
    },
    {
      "name": "CVE-2023-23605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23605"
    },
    {
      "name": "CVE-2022-46877",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46877"
    },
    {
      "name": "CVE-2023-23602",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23602"
    },
    {
      "name": "CVE-2023-23597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23597"
    },
    {
      "name": "CVE-2023-23606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23606"
    },
    {
      "name": "CVE-2023-23600",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23600"
    },
    {
      "name": "CVE-2023-23603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23603"
    },
    {
      "name": "CVE-2023-23599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23599"
    },
    {
      "name": "CVE-2022-46871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46871"
    },
    {
      "name": "CVE-2023-23601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23601"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla du 17 janvier 2023",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla du 17 janvier 2023",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/"
    }
  ],
  "reference": "CERTFR-2023-AVI-0036",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Mozilla\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2023-02 du 17 janvier 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2023-01 du 17 janvier 2023",
      "url": null
    }
  ]
}

CERTFR-2023-AVI-0052

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mozilla	Thunderbird	Mozilla Thunderbird versions antérieures à 102.7

References

Title

Publication Time

Tags

Bulletin de sécurité Mozilla mfsa2023-03 du 18 janvier 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Mozilla Thunderbird versions ant\u00e9rieures \u00e0 102.7",
      "product": {
        "name": "Thunderbird",
        "vendor": {
          "name": "Mozilla",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23598"
    },
    {
      "name": "CVE-2023-23605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23605"
    },
    {
      "name": "CVE-2022-46877",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46877"
    },
    {
      "name": "CVE-2023-23602",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23602"
    },
    {
      "name": "CVE-2023-23603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23603"
    },
    {
      "name": "CVE-2023-23599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23599"
    },
    {
      "name": "CVE-2022-46871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46871"
    },
    {
      "name": "CVE-2023-23601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23601"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0052",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans\u003cspan class=\"textit\"\u003e\nMozilla Thunderbird\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Mozilla Thunderbird",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2023-03 du 18 janvier 2023",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-03/"
    }
  ]
}

alsa-2023:0285

Vulnerability from osv_almalinux

Published

2023-01-23 00:00

Modified

2023-01-24 07:32

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 102.7.0 ESR.

Security Fix(es):

Mozilla: libusrsctp library out of date (CVE-2022-46871)
Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)
Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)
Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)
Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)
Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)
Mozilla: Fullscreen notification bypass (CVE-2022-46877)
Mozilla: Calls to console.log allowed bypasing Content Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:0285	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-46871	REPORT
	https://access.redhat.com/security/cve/CVE-2022-46877	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23598	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23599	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23601	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23602	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23603	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23605	REPORT
	https://bugzilla.redhat.com/2162336	REPORT
	https://bugzilla.redhat.com/2162338	REPORT
	https://bugzilla.redhat.com/2162339	REPORT
	https://bugzilla.redhat.com/2162340	REPORT
	https://bugzilla.redhat.com/2162341	REPORT
	https://bugzilla.redhat.com/2162342	REPORT
	https://bugzilla.redhat.com/2162343	REPORT
	https://bugzilla.redhat.com/2162344	REPORT
	https://errata.almalinux.org/9/ALSA-2023-0285.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "102.7.0-1.el9_1.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 102.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: libusrsctp library out of date (CVE-2022-46871)\n* Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)\n* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)\n* Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)\n* Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)\n* Mozilla: Content Security Policy wasn\u0027t being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)\n* Mozilla: Fullscreen notification bypass (CVE-2022-46877)\n* Mozilla: Calls to \u003ccode\u003econsole.log\u003c/code\u003e allowed bypasing Content Security Policy via format directive (CVE-2023-23603)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:0285",
  "modified": "2023-01-24T07:32:24Z",
  "published": "2023-01-23T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:0285"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46871"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46877"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23598"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23599"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23601"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23602"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23603"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23605"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162339"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162341"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162342"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162344"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-0285.html"
    }
  ],
  "related": [
    "CVE-2022-46871",
    "CVE-2023-23598",
    "CVE-2023-23605",
    "CVE-2023-23599",
    "CVE-2023-23601",
    "CVE-2023-23602",
    "CVE-2022-46877",
    "CVE-2023-23603"
  ],
  "summary": "Important: firefox security update"
}

alsa-2023:0288

Vulnerability from osv_almalinux

Published

2023-01-23 00:00

Modified

2023-01-24 07:35

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 102.7.0 ESR.

Security Fix(es):

Mozilla: libusrsctp library out of date (CVE-2022-46871)
Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)
Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)
Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)
Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)
Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)
Mozilla: Fullscreen notification bypass (CVE-2022-46877)
Mozilla: Calls to console.log allowed bypasing Content Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:0288	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-46871	REPORT
	https://access.redhat.com/security/cve/CVE-2022-46877	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23598	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23599	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23601	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23602	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23603	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23605	REPORT
	https://bugzilla.redhat.com/2162336	REPORT
	https://bugzilla.redhat.com/2162338	REPORT
	https://bugzilla.redhat.com/2162339	REPORT
	https://bugzilla.redhat.com/2162340	REPORT
	https://bugzilla.redhat.com/2162341	REPORT
	https://bugzilla.redhat.com/2162342	REPORT
	https://bugzilla.redhat.com/2162343	REPORT
	https://bugzilla.redhat.com/2162344	REPORT
	https://errata.almalinux.org/8/ALSA-2023-0288.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "102.7.0-1.el8_7.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 102.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: libusrsctp library out of date (CVE-2022-46871)\n* Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)\n* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)\n* Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)\n* Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)\n* Mozilla: Content Security Policy wasn\u0027t being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)\n* Mozilla: Fullscreen notification bypass (CVE-2022-46877)\n* Mozilla: Calls to \u003ccode\u003econsole.log\u003c/code\u003e allowed bypasing Content Security Policy via format directive (CVE-2023-23603)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:0288",
  "modified": "2023-01-24T07:35:30Z",
  "published": "2023-01-23T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:0288"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46871"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46877"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23598"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23599"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23601"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23602"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23603"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23605"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162339"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162341"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162342"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162344"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-0288.html"
    }
  ],
  "related": [
    "CVE-2022-46871",
    "CVE-2023-23598",
    "CVE-2023-23605",
    "CVE-2023-23599",
    "CVE-2023-23601",
    "CVE-2023-23602",
    "CVE-2022-46877",
    "CVE-2023-23603"
  ],
  "summary": "Important: firefox security update"
}

alsa-2023:0463

Vulnerability from osv_almalinux

Published

2023-01-25 00:00

Modified

2023-01-27 06:16

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

Mozilla: libusrsctp library out of date (CVE-2022-46871)
Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)
Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)
Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)
Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)
Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)
Mozilla: Fullscreen notification bypass (CVE-2022-46877)
Mozilla: Calls to console.log allowed bypasing Content Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:0463	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-46871	REPORT
	https://access.redhat.com/security/cve/CVE-2022-46877	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23598	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23599	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23601	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23602	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23603	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23605	REPORT
	https://bugzilla.redhat.com/2162336	REPORT
	https://bugzilla.redhat.com/2162338	REPORT
	https://bugzilla.redhat.com/2162339	REPORT
	https://bugzilla.redhat.com/2162340	REPORT
	https://bugzilla.redhat.com/2162341	REPORT
	https://bugzilla.redhat.com/2162342	REPORT
	https://bugzilla.redhat.com/2162343	REPORT
	https://bugzilla.redhat.com/2162344	REPORT
	https://errata.almalinux.org/8/ALSA-2023-0463.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "102.7.1-1.el8_7.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 102.7.1.\n\nSecurity Fix(es):\n\n* Mozilla: libusrsctp library out of date (CVE-2022-46871)\n* Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)\n* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)\n* Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)\n* Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)\n* Mozilla: Content Security Policy wasn\u0027t being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)\n* Mozilla: Fullscreen notification bypass (CVE-2022-46877)\n* Mozilla: Calls to \u003ccode\u003econsole.log\u003c/code\u003e allowed bypasing Content Security Policy via format directive (CVE-2023-23603)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:0463",
  "modified": "2023-01-27T06:16:14Z",
  "published": "2023-01-25T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:0463"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46871"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46877"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23598"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23599"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23601"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23602"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23603"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23605"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162339"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162341"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162342"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162344"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-0463.html"
    }
  ],
  "related": [
    "CVE-2022-46871",
    "CVE-2023-23598",
    "CVE-2023-23605",
    "CVE-2023-23599",
    "CVE-2023-23601",
    "CVE-2023-23602",
    "CVE-2022-46877",
    "CVE-2023-23603"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2023:0476

Vulnerability from osv_almalinux

Published

2023-01-26 00:00

Modified

2023-01-31 16:03

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

Mozilla: libusrsctp library out of date (CVE-2022-46871)
Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)
Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)
Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)
Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)
Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)
Mozilla: Fullscreen notification bypass (CVE-2022-46877)
Mozilla: Calls to console.log allowed bypasing Content Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:0476	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-46871	REPORT
	https://access.redhat.com/security/cve/CVE-2022-46877	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23598	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23599	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23601	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23602	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23603	REPORT
	https://access.redhat.com/security/cve/CVE-2023-23605	REPORT
	https://bugzilla.redhat.com/2162336	REPORT
	https://bugzilla.redhat.com/2162338	REPORT
	https://bugzilla.redhat.com/2162339	REPORT
	https://bugzilla.redhat.com/2162340	REPORT
	https://bugzilla.redhat.com/2162341	REPORT
	https://bugzilla.redhat.com/2162342	REPORT
	https://bugzilla.redhat.com/2162343	REPORT
	https://bugzilla.redhat.com/2162344	REPORT
	https://errata.almalinux.org/9/ALSA-2023-0476.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "102.7.1-1.el9_1.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 102.7.1.\n\nSecurity Fix(es):\n\n* Mozilla: libusrsctp library out of date (CVE-2022-46871)\n* Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)\n* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)\n* Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)\n* Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)\n* Mozilla: Content Security Policy wasn\u0027t being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)\n* Mozilla: Fullscreen notification bypass (CVE-2022-46877)\n* Mozilla: Calls to \u003ccode\u003econsole.log\u003c/code\u003e allowed bypasing Content Security Policy via format directive (CVE-2023-23603)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:0476",
  "modified": "2023-01-31T16:03:16Z",
  "published": "2023-01-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:0476"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46871"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-46877"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23598"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23599"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23601"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23602"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23603"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-23605"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162339"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162341"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162342"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2162344"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-0476.html"
    }
  ],
  "related": [
    "CVE-2022-46871",
    "CVE-2023-23598",
    "CVE-2023-23605",
    "CVE-2023-23599",
    "CVE-2023-23601",
    "CVE-2023-23602",
    "CVE-2022-46877",
    "CVE-2023-23603"
  ],
  "summary": "Important: thunderbird security update"
}

BDU:2023-04829

Vulnerability from fstec - Published: 08.10.2022

Title

Уязвимость веб-браузеров Firefox, Firefox ESR, почтового клиента Thunderbird, связанная с недостатком в механизме подтверждения источника, позволяющая нарушителю оказать воздействие на целостность данных

Description

Уязвимость веб-браузеров Firefox, Firefox ESR, почтового клиента Thunderbird связана с недостатком в механизме подтверждения источника. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, оказать воздействие на целостность данных

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Vendor

ООО «РусБИТех-Астра», Сообщество свободного программного обеспечения, АО «ИВК», АО "НППКТ", Mozilla Corp.

Software Name

Astra Linux Special Edition (запись в едином реестре российских программ №369), Debian GNU/Linux, Альт 8 СП (запись в едином реестре российских программ №4305), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Firefox, Firefox ESR, Thunderbird

Software Version

1.6 «Смоленск» (Astra Linux Special Edition), 10 (Debian GNU/Linux), 11 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), - (Альт 8 СП), до 2.7 (ОСОН ОСнова Оnyx), до 109 (Firefox), до 102.7 (Firefox ESR), до 102.7 (Thunderbird), до 2.8 (ОСОН ОСнова Оnyx)

Possible Mitigations

Для Firefox: использование рекомендаций производителя: https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/#CVE-2023-23601 Для Firefox ESR: использование рекомендаций производителя: https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/ Для Thunderbird: использование рекомендаций производителя: https://www.mozilla.org/en-US/security/advisories/mfsa2023-03/ Для Debian: использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2023-23601 Для ОС Astra Linux: использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0727SE47 Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства Для ОСОН ОСнова Оnyx: Обновление программного обеспечения firefox-esr до версии 102.7.0esr+repack-1~deb10u1.osnova1 Для ОСОН ОСнова Оnyx: Обновление программного обеспечения thunderbird до версии 1:102.13.1+repack-1~deb10u1.osnova1 Для ОС Astra Linux Special Edition 1.7: - обновить пакет firefox до 111.0.1+build2-0ubuntu0.18.04.1+ci202304041739+astra12 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-0426SE17 - обновить пакет thunderbird до 1:102.8.0+build2-0ubuntu1astra1+ci202302211317+astra1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-0426SE17 Для ОС Astra Linux 1.6 «Смоленск»: - обновить пакет thunderbird до 1:115.5.0+build1-0ubuntu1+ci202311280951+astra2 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16 - обновить пакет firefox до 120.0+build2-0ubuntu0.20.04.1+ci202311281348+astra13 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1794268 https://nvd.nist.gov/vuln/detail/CVE-2023-23601 https://security-tracker.debian.org/tracker/CVE-2023-23601 https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0727SE47 https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/#CVE-2023-23601 https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-03/ https://altsp.su/obnovleniya-bezopasnosti/ https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.7/ https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.8/ https://wiki.astralinux.ru/astra-linux-se16-bulletin-20220829SE16

CWE

CWE-346

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Mozilla Corp.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 10 (Debian GNU/Linux), 11 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 2.7 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 109 (Firefox), \u0434\u043e 102.7 (Firefox ESR), \u0434\u043e 102.7 (Thunderbird), \u0434\u043e 2.8 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Firefox:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/#CVE-2023-23601\n\n\u0414\u043b\u044f Firefox ESR:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/\n\n\u0414\u043b\u044f Thunderbird:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://www.mozilla.org/en-US/security/advisories/mfsa2023-03/\n\n\u0414\u043b\u044f Debian:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://security-tracker.debian.org/tracker/CVE-2023-23601\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0727SE47\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f firefox-esr \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 102.7.0esr+repack-1~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f thunderbird \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:102.13.1+repack-1~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.7:\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 firefox \u0434\u043e 111.0.1+build2-0ubuntu0.18.04.1+ci202304041739+astra12 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-0426SE17\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 thunderbird \u0434\u043e 1:102.8.0+build2-0ubuntu1astra1+ci202302211317+astra1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-0426SE17\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb:\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 thunderbird \u0434\u043e 1:115.5.0+build1-0ubuntu1+ci202311280951+astra2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 firefox \u0434\u043e 120.0+build2-0ubuntu0.20.04.1+ci202311281348+astra13 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.10.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "30.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "21.08.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-04829",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-23601",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Debian GNU/Linux, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Firefox, Firefox ESR, Thunderbird",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f -  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.8  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Firefox, Firefox ESR, \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0430 Thunderbird, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u043e\u043c \u0432 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0435 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0448\u0438\u0431\u043a\u0430 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-346)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Firefox, Firefox ESR, \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0430 Thunderbird \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u043e\u043c \u0432 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0435 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://bugzilla.mozilla.org/show_bug.cgi?id=1794268\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-23601\nhttps://security-tracker.debian.org/tracker/CVE-2023-23601\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0727SE47\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-01/#CVE-2023-23601\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-02/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-03/\n\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.7/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.8/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20220829SE16",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-346",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

FKIE_CVE-2023-23601

Vulnerability from fkie_nvd - Published: 2023-06-02 17:15 - Updated: 2025-12-18 16:15

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1794268	Issue Tracking, Permissions Required, Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2023-01/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2023-02/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2023-03/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.mozilla.org/show_bug.cgi?id=1794268	Issue Tracking, Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2023-01/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2023-02/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2023-03/	Vendor Advisory

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox_esr	*
mozilla	thunderbird	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2809632C-444A-49A3-A7E7-D3BB027A91B8",
              "versionEndExcluding": "109.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D5D3545-44B1-4576-B1BA-C461D4DC09A3",
              "versionEndExcluding": "102.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E73E816A-885B-49D4-BB52-220D30866D7C",
              "versionEndExcluding": "102.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks This vulnerability affects Firefox \u003c 109, Firefox ESR \u003c 102.7, and Thunderbird \u003c 102.7."
    }
  ],
  "id": "CVE-2023-23601",
  "lastModified": "2025-12-18T16:15:48.650",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-02T17:15:10.727",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1794268"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-01/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-02/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-03/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1794268"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-01/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-02/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-03/"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-23601 (GCVE-0-2023-23601)

Solution

Solution

Solution

Solution

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature