PT-2023-6465 · Mozilla+9 · Firefox Esr+11
Vadim · Published 2023-01-17 · Updated 2024-12-12 · CVE-2023-23599
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 109
Thunderbird versions prior to 102.7
Firefox ESR versions prior to 102.7
Description
The vulnerability is in the DevTools Network panel of Mozilla Firefox and Thunderbird: the text produced when a network request is copied as a curl command was not properly sanitized, so an attacker could hide arbitrary commands within the copied output. The root cause is missing sanitization of that exported output; a remote attacker could use it to execute arbitrary commands (user interaction is required, as the CVSS vector shows).
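An added example, not code from the advisory or from Mozilla, showing the class of defect in Python: a hypothetical exporter that wraps request fields in single quotes without escaping, beside one that quotes every argument with shlex.quote, with a round-trip check that parses the command the way a POSIX shell would. The request and the `naive_curl`/`safe_curl`/`round_trips` names are constructed for this illustration.

```python
import shlex

# Constructed sample standing in for a request shown in the Network panel.
# The X-Note value deliberately carries shell metacharacters.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://example.test/api?q=a&b=c",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11)",
        "X-Note": "value'; echo INJECTED #",
    },
    "body": 'data with "quotes" and $HOME',
}


def to_argv(req):
    """The argument vector the exported command is supposed to represent."""
    argv = ["curl", req["url"], "-X", req["method"]]
    for name, value in req["headers"].items():
        argv += ["-H", f"{name}: {value}"]
    if req.get("body") is not None:
        argv += ["--data-raw", req["body"]]
    return argv


def naive_curl(req):
    """Hypothetical unsafe exporter: single quotes around each value, but a
    quote inside a value ends the string early and the remainder is parsed
    by the shell as further commands."""
    return " ".join(f"'{a}'" if i else a for i, a in enumerate(to_argv(req)))


def safe_curl(req):
    """Hardened exporter: shlex.quote applies POSIX-shell escaping to every
    argument, so a quote inside a value stays part of that value."""
    return " ".join(shlex.quote(a) for a in to_argv(req))


def round_trips(cmd, req):
    """True only if a POSIX shell parse of cmd yields exactly to_argv(req)."""
    try:
        return shlex.split(cmd) == to_argv(req)
    except ValueError:  # unbalanced quotes: the shell would keep reading
        return False
```

Pasting the naive output into a shell would run `echo INJECTED` as a separate command; the hardened output reproduces the original tokens exactly.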
Recommendations
For Firefox versions prior to 109, update to version 109 or later to resolve the issue.
For Thunderbird versions prior to 102.7, update to version 102.7 or later to resolve the issue.
For Firefox ESR versions prior to 102.7, update to version 102.7 or later to resolve the issue.
As a temporary workaround, consider disabling the use of the DevTools panel to copy network requests as curl commands until a patch is available.
Fix
Command Injection
Special Elements Injection
Improper Encoding or Escaping of Output
Improper Neutralization
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Firefox
Firefox Esr
Linuxmint
Red Hat
Rocky Linux
Suse
Thunderbird
Ubuntu