Rewterz Threat Advisory – Multiple Mozilla Firefox Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-37210 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by preventing a user from exiting full-screen mode using alert and prompt calls. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.

CVE-2023-37209 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in in NotifyOnHistoryReload. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-37205 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the use of RTL Arabic characters in the address bar. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL.

CVE-2023-37204 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the obscuring of the fullscreen notification using an option element. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.

CVE-2023-3482 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the storing of data in localstorage by using an iframe with a source of ‘about:blank’. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to store tracking data without permission.

CVE-2023-37207 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the obscuring of the fullscreen notification. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.

CVE-2023-37211 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-37203 CVSS:7.8

Mozilla FireFox could allow a remote attacker to execute arbitrary code on the system, caused by insufficient validation in the Drag and Drop API. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2023-37206 CVSS:6.5

Mozilla FireFox could allow a remote attacker to launch a symlink attack, caused by insufficient validation of symlinks in the FileSystem API. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to submit sensitive data.

CVE-2023-37208 CVSS:7.8

Mozilla FireFox could allow a remote attacker to execute arbitrary code on the system, caused by lack of warning when opening Diagcab files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system.

CVE-2023-37212 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

• Code Execution
• Information Disclosure
• Gain Access

Indicators Of Compromise

CVE

• CVE-2023-37210
• CVE-2023-37209
• CVE-2023-37205
• CVE-2023-37204
• CVE-2023-3482
• CVE-2023-37207
• CVE-2023-37211
• CVE-2023-37203
• CVE-2023-37206
• CVE-2023-37208
• CVE-2023-37212

Affected Vendors

Mozilla

Affected Products

• Mozilla Firefox 114

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Foundation Security Advisory