CVE-2023-5727Insufficient UI Warning of Dangerous Operations in Mozilla Firefox

CWE-357Insufficient UI Warning of Dangerous Operations9 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 56.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedOct 25

Description

The executable file warning was not presented when downloading .msix, .msixbundle, .appx, and .appxbundle files, which can run commands on a user's computer. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

CVEListV5mozilla/firefoxunspecified119
NVDmozilla/firefox< 119.0
CVEListV5mozilla/firefox_esrunspecified115.4
NVDmozilla/firefox_esr< 115.4
CVEListV5mozilla/thunderbirdunspecified115.4.1

🔴Vulnerability Details

3
GHSA
GHSA-5c37-6j7c-hr7x: The executable file warning was not presented when downloading2023-10-25
OSV
CVE-2023-5727: The executable file warning was not presented when downloading2023-10-25
CVEList
CVE-2023-5727: The executable file warning was not presented when downloading2023-10-24

📋Vendor Advisories

5
Red Hat
Mozilla: Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows2023-10-24
Debian
CVE-2023-5727: firefox - The executable file warning was not presented when downloading .msix, .msixbundl...2023
Mozilla
Mozilla Foundation Security Advisory 2023-47: CVE-2023-5727
Mozilla
Mozilla Foundation Security Advisory 2023-46: CVE-2023-5727
Mozilla
Mozilla Foundation Security Advisory 2023-45: CVE-2023-5727
CVE-2023-5727 — Mozilla Firefox vulnerability | cvebase