PT-2023-7881 · Mozilla+2 · Firefox+2

John-Mark Gurney · Published 2023-12-19 · Updated 2024-12-27 · CVE-2023-6868

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 121

Description: The user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. The issue is related to insufficient protection of service data and may allow a remote attacker to gain unauthorized access to limited functions. This bug only affects Firefox on Android.

Recommendations: For Firefox versions prior to 121, update to version 121 or later to resolve the issue. As a temporary workaround, consider restricting access to push requests until a patch is available. Avoid using the VAPID parameter in push requests until the issue is resolved.

Weakness Enumeration: Improper Access Control

Related Identifiers

ALT-PU-2023-8231
ALT-PU-2024-15839
BDU:2023-08952
CVE-2023-6868
OPENSUSE-SU-2024:13531-1
OPENSUSE-SU-2024:14572-1

Affected Products

Alt Linux
Astra Linux
Firefox