PT-2023-2071 · Mozilla+4 · Thunderbird+6

Shaheen Fazim · Published 2023-03-14 · Updated 2025-01-09 · CVE-2023-28163

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 111
Firefox ESR versions prior to 102.9
Thunderbird versions prior to 102.9

Description

The issue is related to insufficient protection of service data when processing a request to save files through the "Save As" dialog on Windows. This can allow a remote attacker to impact the confidentiality and integrity of protected information. The vulnerability affects Firefox on Windows, specifically when downloading files with suggested filenames containing environment variable names, which are resolved in the context of the current user.

Recommendations

For Firefox versions prior to 111, update to version 111 or later.
For Firefox ESR versions prior to 102.9, update to version 102.9 or later.
For Thunderbird versions prior to 102.9, update to version 102.9 or later.

Exploit

Fix

Information Disclosure

Path traversal


Weakness Enumeration

Related Identifiers

ALT-PU-2023-1443
ALT-PU-2023-1491
ALT-PU-2023-1492
ALT-PU-2023-1545
ALT-PU-2023-1546
ALT-PU-2023-1758
ALT-PU-2023-1765
ALT-PU-2023-1817
ALT-PU-2023-4365
ALT-PU-2023-4366
ALT-PU-2023-5202
ALT-PU-2023-5706
ALT-PU-2023-5754
ALT-PU-2023-7774
ALT-PU-2024-3614
BDU:2023-01803
CVE-2023-28163
OPENSUSE-SU-2024:12786-1
OPENSUSE-SU-2024:12791-1
OPENSUSE-SU-2024:12839-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2023:0728-1
SUSE-SU-2023:0763-1
SUSE-SU-2023:0835-1
SUSE-SU-2023:1736-1

Affected Products

ALT Linux
Astra Linux
Firefox
Firefox ESR
RED OS
SUSE
Thunderbird