CVE-2023-34414 — Improper Certificate Validation in Mozilla Firefox
CWE-295 — Improper Certificate Validation
CWE-449 — The UI Performs the Wrong Action
16 documents, 9 sources
Severity
3.1 LOW (NVD)
EPSS
0.1%
top 80.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 19
Latest update: Aug 26
Description
The error page for sites with invalid TLS certificates was missing the
activation-delay Firefox uses to protect prompts and permission dialogs
from attacks that exploit human response time delays. If a malicious
page elicited user clicks in precise locations immediately before
navigating to a site with a certificate error and made the renderer
extremely busy at the same time, it could create a gap between when
the error page was loaded and when the display actually refreshed.
With the right timi…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Exploitability: 1.6 | Impact: 1.4
Affected Packages: 9 packages
🔴 Vulnerability Details (7)
GHSA
GHSA-75j9-5hgg-gprr: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from at… (2023-06-19)
OSV
CVE-2023-34414: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from at… (2023-06-19)
CVEList
CVE-2023-34414: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from at… (2023-06-19)
📋 Vendor Advisories (7)
Debian
CVE-2023-34414: firefox - The error page for sites with invalid TLS certificates was missing the activatio... (2023)