CVE-2023-6860Improper Input Validation in Mozilla Firefox

CWE-20Improper Input Validation11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.5%
top 35.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+1 more
Timeline
PublishedDec 19
Latest updateJan 2

Description

The `VideoBridge` allowed any content process to use textures produced by remote decoders. This could be abused to escape the sandbox. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

CVEListV5mozilla/firefoxunspecified121
NVDmozilla/firefox< 121.0
CVEListV5mozilla/firefox_esrunspecified115.6
NVDmozilla/firefox_esr< 115.6
CVEListV5mozilla/thunderbirdunspecified115.6

Also affects: Debian Linux 10.0, 11.0, 12.0

🔴Vulnerability Details

3
GHSA
GHSA-96p4-h67r-wqfm: The `VideoBridge` allowed any content process to use textures produced by remote decoders2023-12-19
CVEList
CVE-2023-6860: The `VideoBridge` allowed any content process to use textures produced by remote decoders2023-12-19
OSV
CVE-2023-6860: The `VideoBridge` allowed any content process to use textures produced by remote decoders2023-12-19

📋Vendor Advisories

7
Ubuntu
Firefox vulnerabilities2024-01-02
Ubuntu
Thunderbird vulnerabilities2024-01-02
Red Hat
Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation2023-12-19
Debian
CVE-2023-6860: firefox - The `VideoBridge` allowed any content process to use textures produced by remote...2023
Mozilla
Mozilla Foundation Security Advisory 2023-54: CVE-2023-6860
CVE-2023-6860 — Improper Input Validation in Mozilla | cvebase