Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2023-20010 – Cisco Unified Communications Manager Vulnerability
January 19, 2023Rewterz Threat Advisory – CVE-2022-47990 – IBM AIX Vulnerability
January 19, 2023
Severity
Medium
Analysis Summary
CVE-2023-23606 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2023-23604 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to account for external URLs by regular expressions used to filter out forbidden properties and values from style directives in calls to console.log. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to exfiltrate data from the browser.
CVE-2023-23603 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to correctly apply Content Security Policy to WebSockets in WebWorkers. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to lead to connections to restricted origins from inside WebWorkers.
CVE-2023-23602 CVSS:6.5
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by navigations being allowed when dragging a URL from a cross-origin iframe into the same tab. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.
CVE-2023-23601 CVSS:6.5
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by navigations being allowed when dragging a URL from a cross-origin iframe into the same tab. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.
CVE-2023-23600 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the incorrect storing of origin notification permissions. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to display notifications during different browsing sessions.
CVE-2023-23599 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the improper validation of output when copying a network request from the developer tools panel as a curl command. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow arbitrary commands to be hidden within.
CVE-2023-23597 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a logic bug in process allocation. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to read arbitrary files on the system.
CVE-2023-23598 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the use of text/plain for a GTK drag and drop on Linux. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability using a call to DataTransfer.setData to read arbitrary files on the system.
CVE-2023-23605 CVSS:8.8
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the use of text/plain for a GTK drag and drop on Linux. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability using a call to DataTransfer.setData to read arbitrary files on the system.
Impact
- Code Execution
- Security Bypass
- Gain Access
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-23606
- CVE-2023-23604
- CVE-2023-23603
- CVE-2023-23602
- CVE-2023-23601
- CVE-2023-23600
- CVE-2023-23599
- CVE-2023-23597
- CVE-2023-23598
- CVE-2023-23605
Affected Vendors
Mozilla
Affected Products
- Mozilla Firefox 108
- Mozilla Firefox ESR 102.6
Remediation
Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.