CVE-2023-28164Origin Validation Error in Mozilla Firefox

CWE-346Origin Validation ErrorCWE-829Inclusion of Functionality from Untrusted Control Sphere15 documents8 sources
Severity
6.5MEDIUMNVD
OSV8.8OSV4.3
EPSS
0.1%
top 75.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedJun 2

Description

Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified111
NVDmozilla/firefox< 111.0
CVEListV5mozilla/firefox_esrunspecified102.9
NVDmozilla/firefox_esr< 102.9
Ubuntumozilla/firefox< 111.0+build2-0ubuntu0.18.04.1+3

🔴Vulnerability Details

6
CVEList
CVE-2023-28164: Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks2023-06-02
GHSA
GHSA-vx2v-7cpp-943m: Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks2023-06-02
OSV
CVE-2023-28164: Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks2023-06-02
OSV
thunderbird vulnerabilities2023-03-27
OSV
firefox regressions2023-03-27

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2023-03-27
Ubuntu
Firefox regressions2023-03-27
Ubuntu
Firefox vulnerabilities2023-03-15
Red Hat
Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation2023-03-14
Debian
CVE-2023-28164: firefox - Dragging a URL from a cross-origin iframe that was removed during the drag could...2023
CVE-2023-28164 — Origin Validation Error in Mozilla | cvebase