CVE-2023-37208 — Unrestricted File Upload in Mozilla Firefox

CWE-434 — Unrestricted File Upload CWE-1127 — Compilation with Insufficient Warnings or Errors12 documents8 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 86.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +1 more

Timeline

PublishedJul 5

Latest updateJul 11

Description

When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages7 packages

▶CVEListV5mozilla/firefoxunspecified — 115

▶NVDmozilla/firefox< 115.0

▶CVEListV5mozilla/firefox_esrunspecified — 102.13

▶NVDmozilla/firefox_esr< 102.13

▶CVEListV5mozilla/thunderbirdunspecified — 102.13

Also affects: Debian Linux 10.0, 11.0, 12.0

🔴Vulnerability Details

OSV

thunderbird vulnerabilities↗2023-07-11

▶

OSV

CVE-2023-37208: When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code↗2023-07-05

▶

GHSA

GHSA-7f9h-g35v-jfqh: When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code↗2023-07-05

▶

CVEList

CVE-2023-37208: When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code↗2023-07-05

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2023-07-11

▶

Ubuntu

Firefox vulnerabilities↗2023-07-05

▶

Red Hat

Mozilla: Lack of warning when opening Diagcab files↗2023-07-04

▶

Debian

CVE-2023-37208: firefox - When opening Diagcab files, Firefox did not warn the user that these files may c...↗2023

▶

Mozilla

Mozilla Foundation Security Advisory 2023-24: CVE-2023-37208↗

▶