CVE-2023-25729 — Incorrect Authorization in Mozilla Firefox
Severity
8.8HIGHNVD
OSV6.5
EPSS
0.1%
top 68.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 2
Description
Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9
Affected Packages9 packages
🔴Vulnerability Details
6OSV▶
CVE-2023-25729: Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user int↗2023-06-02
GHSA▶
GHSA-vhjv-4vf6-mc9x: Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user int↗2023-06-02
CVEList▶
CVE-2023-25729: Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user int↗2023-06-02
📋Vendor Advisories
7Debian▶
CVE-2023-25729: firefox - Permission prompts for opening external schemes were only shown for <code>Conten...↗2023