PT-2023-7881 · Mozilla+2 · Firefox+2

John-Mark Gurney · Published 2023-12-19 · Updated 2024-12-27 · CVE-2023-6868

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 121

Description: The user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. The issue is related to insufficient protection of service data and may allow a remote attacker to gain unauthorized access to limited functions. This bug only affects Firefox on Android.

Recommendations: For Firefox versions prior to 121, update to version 121 or later to resolve the issue. As a temporary workaround, consider restricting access to push requests until a patch is available. Avoid using the VAPID parameter in push requests until the issue is resolved.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

ALT-PU-2023-8231
ALT-PU-2024-15839
BDU:2023-08952
CVE-2023-6868
OPENSUSE-SU-2024:13531-1
OPENSUSE-SU-2024:14572-1

Affected Products

Alt Linux
Astra Linux
Firefox