Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing.We recommend the following actions be taken: Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Depending on the privileges associated with the user an attacker could then install programs view, change, or delete data or create new accounts with full user rights. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. CVE-2023-28161: One-time permissions granted to a local file were extended to other local files loaded in the same tab.CVE-2023-28160: Redirect to Web Extension files may have leaked local path.CVE-2023-25750: Potential ServiceWorker cache leak during private browsing mode.CVE-2023-25749: Firefox for Android may have opened third-party apps without a prompt.CVE-2023-25748: Fullscreen Notification could have been hidden by window prompts on Android.CVE-2023-28159: Fullscreen Notification could have been hidden by download popups on Android.CVE-2023-25751: Incorrect code generation during JIT compilation.CVE-2023-28164: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation.CVE-2023-28162: Invalid downcast in Worklets.CVE-2023-25752: Potential out-of-bounds when accessing throttled streams.CVE-2023-28163: Windows Save As dialog resolved environment variables.CVE-2023-28177: Memory safety bugs fixed in Firefox 111Īdditional lower priority vulnerabilities include:.CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9.
CVE-2023-28176 and CVE-2023-28177 showed evidence of memory corruption and Mozilla presumes that with enough effort they could be exploited to run arbitrary code.ĭetails of these vulnerabilities are as follows:
Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution.
0 kommentar(er)
