PT-2023-6854 · Mozilla+3 · Thunderbird+5

Ameen Basha M K

+1

·

Published

2023-02-14

·

Updated

2025-01-09

·

CVE-2023-25734

CVSS v2.0

9.4

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 110 Thunderbird versions prior to 102.8 Firefox ESR versions prior to 102.8
Description The issue is related to incorrect external management of a file name or path, which could allow a remote attacker to impact the confidentiality and integrity of protected information. After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system, potentially leaking NTLM credentials to the resource. This bug only affects Firefox on Windows, with other operating systems being unaffected.
Recommendations For Firefox versions prior to 110, update to version 110 or later. For Thunderbird versions prior to 102.8, update to version 102.8 or later. For Firefox ESR versions prior to 102.8, update to version 102.8 or later.

Exploit

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-601CWE-73

Related Identifiers

ALT-PU-2023-1374
ALT-PU-2023-1386
ALT-PU-2023-1387
ALT-PU-2023-1411
ALT-PU-2023-1435
ALT-PU-2023-1478
ALT-PU-2023-1758
ALT-PU-2023-1765
ALT-PU-2023-4365
ALT-PU-2023-4366
BDU:2023-07863
CVE-2023-25734
OPENSUSE-SU-2023_0461-1
OPENSUSE-SU-2024:12702-1
OPENSUSE-SU-2024:12713-1
OPENSUSE-SU-2024:12753-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2023:0461-1
SUSE-SU-2023:0466-1
SUSE-SU-2023:0469-1
SUSE-SU-2023:0599-1

Affected Products

Alt Linux
Astra Linux
Firefox
Firefox Esr
Suse
Thunderbird