Mozilla Firefox up to 114 RTL Arabic Character clickjacking
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $5k-$25k | 0.00 |
Summary
A vulnerability was found in Mozilla Firefox up to 114. It has been classified as problematic. The impacted element is an unknown function of the component RTL Arabic Character Handler. Performing a manipulation results in clickjacking. This vulnerability is known as CVE-2023-37205. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is recommended.
Details
A vulnerability classified as problematic has been found in Mozilla Firefox up to 114 (Web Browser). This affects an unknown code block of the component RTL Arabic Character Handler. The manipulation with an unknown input leads to a clickjacking vulnerability. CWE is classifying the issue as CWE-451. The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. This is going to have an impact on integrity.
The weakness was published 07/04/2023 by Rohan Sharma as Bug 1704420 as confirmed advisory (Website). The advisory is shared at bugzilla.mozilla.org. The advisory contains:
The use of RTL Arabic characters in the address bar may have allowed for URL spoofing.This vulnerability is uniquely identified as CVE-2023-37205. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 07/05/2023). MITRE ATT&CK project uses the attack technique T1566.003 for this issue.
Upgrading to version 115 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: ClickjackingCWE: CWE-451
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Firefox 115
Timeline
06/28/2023 🔍07/04/2023 🔍
07/04/2023 🔍
07/05/2023 🔍
07/23/2023 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: Bug 1704420
Researcher: Rohan Sharma
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2023-37205 (🔍)
GCVE (CVE): GCVE-0-2023-37205
GCVE (VulDB): GCVE-100-232965
Entry
Created: 07/05/2023 14:40Updated: 07/23/2023 09:42
Changes: 07/05/2023 14:40 (18), 07/05/2023 14:43 (28), 07/23/2023 09:42 (2)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.