CVE-2023-23604Incorrect Authorization in Mozilla Firefox

CWE-863Incorrect Authorization10 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 85.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxMsrc Azl3 Mozjs 102.15.1-1 ON Azure Linux 3.0
Timeline
PublishedJun 2
Latest updateJun 13

Description

A duplicate `SystemPrincipal` object could be created when parsing a non-system html document via `DOMParser::ParseFromSafeString`. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

debiandebian/firefox< firefox 109.0-1 (sid)
CVEListV5mozilla/firefoxunspecified109
NVDmozilla/firefox< 109.0
Ubuntumozilla/firefox< 109.0.1+build1-0ubuntu0.18.04.2+3
mozillamozilla/firefox

🔴Vulnerability Details

4
GHSA
GHSA-5997-5448-jfqf: A duplicate SystemPrincipal object could be created when parsing a non-system html document via DOMParser::ParseFromSafeString2023-06-02
OSV
firefox regressions2023-02-06
OSV
firefox vulnerabilities2023-01-23
OSV
CVE-2023-23604: A duplicate `SystemPrincipal` object could be created when parsing a non-system html document via `DOMParser::ParseFromSafeString`2023-01-18

📋Vendor Advisories

5
Microsoft
A duplicate <code>SystemPrincipal</code> object could be created when parsing a non-system html document via <code>DOMParser::ParseFromSafeString</code>. This could have lead to bypassing web security2023-06-13
Ubuntu
Firefox regressions2023-02-06
Ubuntu
Firefox vulnerabilities2023-01-23
Debian
CVE-2023-23604: firefox - A duplicate `SystemPrincipal` object could be created when parsing a non-system ...2023
Mozilla
Mozilla Foundation Security Advisory 2023-01: CVE-2023-23604
CVE-2023-23604 — Incorrect Authorization in Mozilla | cvebase