CVE-2023-25740 — Insufficiently Protected Credentials in Mozilla Firefox

CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 52.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJun 2

Description

After downloading a Windows .scf script from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 110.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 110

▶NVDmozilla/firefox< 110.0

▶debiandebian/firefox

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-g67q-47ww-68wp: After downloading a Windows↗2023-06-02

▶

📋Vendor Advisories

Red Hat

Mozilla: Opening local .scf files could cause unexpected network loads↗2023-02-14

▶

Debian

CVE-2023-25740: firefox - After downloading a Windows <code>.scf</code> script from the local filesystem, ...↗2023

▶

Mozilla

Mozilla Foundation Security Advisory 2023-05: CVE-2023-25740↗

▶