CVE-2023-32207Authentication Bypass by Spoofing in Mozilla Firefox

CWE-290Authentication Bypass by SpoofingCWE-280Improper Handling of Insufficient Permissions or Privileges15 documents8 sources
Severity
8.8HIGHNVD
OSV4.3
EPSS
0.3%
top 49.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedJun 2

Description

A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified113
NVDmozilla/firefox< 113.0
CVEListV5mozilla/firefox_esrunspecified102.11
NVDmozilla/firefox_esr< 102.11
Ubuntumozilla/firefox< 113.0+build2-0ubuntu0.18.04.1+1

🔴Vulnerability Details

7
GHSA
GHSA-m6hx-2pxx-hfg7: A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions2023-06-02
CVEList
CVE-2023-32207: A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions2023-06-02
OSV
CVE-2023-32207: A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions2023-06-02
OSV
firefox regressions2023-05-24
OSV
firefox regressions2023-05-16

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2023-05-15
Ubuntu
Firefox vulnerabilities2023-05-15
Red Hat
Mozilla: Potential permissions request bypass via clickjacking2023-05-09
Debian
CVE-2023-32207: firefox - A missing delay in popup notifications could have made it possible for an attack...2023
Mozilla
Mozilla Foundation Security Advisory 2023-18: CVE-2023-32207
CVE-2023-32207 — Authentication Bypass by Spoofing | cvebase