CVE-2023-25732
published 2023-06-02


Priority: P341
Severity: high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.74% (50.0th percentile)
When encoding data from an inputStream in XPCOM, the size of the input being encoded was not correctly calculated, potentially leading to an out-of-bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
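The advisory describes the bug class, not the code, so the following is an added illustration written for this page and not Mozilla's XPCOM encoder: a stream encoder whose output buffer is sized up front from a length that is computed wrongly (here the truncating n*4/3 formula, and separately a length hint the stream does not honour), beside the checked form that refuses to write past the allocation. The MemStream type, the function names and the sample input are all constructed for the example.

```c
/* Added example (not Mozilla's code): an under-computed output size for a
 * base64 stream encoder becomes an out-of-bounds write, and the checked form.
 * MemStream stands in for an XPCOM-style input stream; all names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical flawed size: n*4/3 truncates, so every n not divisible by 3
 * is under-counted by 1 to 3 bytes once padding characters are emitted. */
size_t b64_size_truncating(size_t n) { return n * 4 / 3; }

/* Correct size: each group of up to 3 input bytes always yields 4 characters. */
size_t b64_size_exact(size_t n) { return ((n + 2) / 3) * 4; }

/* How many bytes the truncating size leaves unallocated for n input bytes,
 * i.e. how far an unchecked encoder would write past the buffer's end. */
size_t b64_overrun(size_t n) { return b64_size_exact(n) - b64_size_truncating(n); }

/* Encode n bytes into out. Writes exactly b64_size_exact(n) characters and
 * returns that count, or returns 0 without writing if outcap is too small. */
size_t b64_encode(const uint8_t *in, size_t n, char *out, size_t outcap) {
    size_t need = b64_size_exact(n);
    if (outcap < need) return 0;      /* the bounds check the flawed path lacks */
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    return o;
}

/* Minimal in-memory stream; pos advances as data is consumed. */
typedef struct { const uint8_t *data; size_t len, pos; } MemStream;

static size_t mem_read(MemStream *s, uint8_t *buf, size_t want) {
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Encode a whole stream into a buffer sized from len_hint (what the caller
 * believes the stream holds). Returns a malloc'd NUL-terminated string, or
 * NULL if the stream delivers more than the hint covers, instead of overrunning. */
char *encode_stream(MemStream *s, size_t len_hint) {
    size_t cap = b64_size_exact(len_hint) + 1;     /* +1 for the NUL */
    char *out = malloc(cap);
    if (!out) return NULL;
    size_t o = 0;
    uint8_t chunk[6];                 /* multiple of 3 keeps groups aligned, so
                                         padding only ever appears at the end */
    for (;;) {
        size_t n = mem_read(s, chunk, sizeof chunk);
        if (n == 0) break;
        /* Each chunk is checked against the space actually left in out. */
        size_t w = b64_encode(chunk, n, out + o, cap - 1 - o);
        if (w == 0) { free(out); return NULL; }
        o += w;
    }
    out[o] = '\0';
    return out;
}

/* Helper: encode text via a stream sized from hint and compare with expected
 * (expected == NULL means the encoder must refuse). Returns 1 on a match. */
int check_stream(const char *text, size_t hint, const char *expected) {
    MemStream s = { (const uint8_t *)text, strlen(text), 0 };
    char *r = encode_stream(&s, hint);
    int ok = expected ? (r != NULL && strcmp(r, expected) == 0) : (r == NULL);
    free(r);
    return ok;
}

int main(void) {
    for (size_t n = 1; n <= 6; n++)
        printf("n=%zu truncating=%zu exact=%zu overrun=%zu\n", n,
               b64_size_truncating(n), b64_size_exact(n), b64_overrun(n));
    printf("honest hint: %d, short hint refused: %d\n",
           check_stream("hello world", 11, "aGVsbG8gd29ybGQ="),
           check_stream("hello world", 5, NULL));
    return 0;
}
```

The overrun table is the point: for any input length not divisible by three the truncating formula is short by one to three bytes, which is exactly the window a heap write lands in when the encoder trusts the precomputed size. The stream variant shows the second way the same class of bug arises, a length taken from the stream up front that the read loop then exceeds; the fix in both cases is to bound every write by the bytes actually remaining in the allocation, not by the number that was believed to be correct when it was made.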

Affected

21 ranges
Vendor  | Product     | Version range                                  | Fixed in
debian  | firefox     | < firefox 110.0-1 (sid)                        | firefox 110.0-1 (sid)
debian  | firefox-esr | < firefox 110.0-1 (sid)                        | firefox 110.0-1 (sid)
debian  | thunderbird | < firefox 110.0-1 (sid)                        | firefox 110.0-1 (sid)
mozilla | firefox     | < 110.0                                        | 110.0
mozilla | firefox     |                                                |
mozilla | firefox     | >= 0 < 110.0+build3-0ubuntu0.18.04.1           | 110.0+build3-0ubuntu0.18.04.1
mozilla | firefox     | >= 0 < 110.0.1+build2-0ubuntu0.18.04.1         | 110.0.1+build2-0ubuntu0.18.04.1
mozilla | firefox     | >= 0 < 110.0+build3-0ubuntu0.20.04.1           | 110.0+build3-0ubuntu0.20.04.1
mozilla | firefox     | >= 0 < 110.0.1+build2-0ubuntu0.20.04.1         | 110.0.1+build2-0ubuntu0.20.04.1
mozilla | firefox     | >= unspecified < 110                           | 110
mozilla | firefox_esr | < 102.8                                        | 102.8
mozilla | firefox_esr | >= unspecified < 102.8                         | 102.8
mozilla | thunderbird | < 102.8                                        | 102.8
mozilla | thunderbird | >= 0 < 1:102.8.0-1~deb11u1                     | 1:102.8.0-1~deb11u1
mozilla | thunderbird | >= 0 < 1:102.8.0-1                             | 1:102.8.0-1
mozilla | thunderbird | >= 0 < 1:102.8.0-1                             | 1:102.8.0-1
mozilla | thunderbird | >= 0 < 1:102.8.0-1                             | 1:102.8.0-1
mozilla | thunderbird | >= 0 < 1:102.8.0+build2-0ubuntu0.18.04.1       | 1:102.8.0+build2-0ubuntu0.18.04.1
mozilla | thunderbird | >= 0 < 1:102.8.0+build2-0ubuntu0.20.04.1       | 1:102.8.0+build2-0ubuntu0.20.04.1
mozilla | thunderbird | >= 0 < 1:102.8.0+build2-0ubuntu0.22.04.1       | 1:102.8.0+build2-0ubuntu0.22.04.1
mozilla | thunderbird | >= unspecified < 102.8                         | 102.8

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_ubuntu |         | 8.8   | HIGH     |