Page 21 of 1114 results (0.012 seconds)

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. The Mozilla Foundation Security Advisory describes this flaw as: A background script invoking `requestFullscreen` and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. • https://bugzilla.mozilla.org/show_bug.cgi?id=1794622 https://www.mozilla.org/security/advisories/mfsa2023-05 https://www.mozilla.org/security/advisories/mfsa2023-06 https://www.mozilla.org/security/advisories/mfsa2023-07 https://access.redhat.com/security/cve/CVE-2023-25730 https://bugzilla.redhat.com/show_bug.cgi?id=2170375 • CWE-821: Incorrect Synchronization •

CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0

Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. The Mozilla Foundation Security Advisory describes this flaw as: Permission prompts for opening external schemes were only shown for `ContentPrincipals` resulting in extensions being able to open them without user interaction via `ExpandedPrincipals`. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. • https://bugzilla.mozilla.org/show_bug.cgi?id=1792138 https://www.mozilla.org/security/advisories/mfsa2023-05 https://www.mozilla.org/security/advisories/mfsa2023-06 https://www.mozilla.org/security/advisories/mfsa2023-07 https://access.redhat.com/security/cve/CVE-2023-25729 https://bugzilla.redhat.com/show_bug.cgi?id=2170382 • CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. The Mozilla Foundation Security Advisory describes this flaw as: When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. • https://bugzilla.mozilla.org/show_bug.cgi?id=1777800 https://www.mozilla.org/security/advisories/mfsa2023-01 https://www.mozilla.org/security/advisories/mfsa2023-02 https://www.mozilla.org/security/advisories/mfsa2023-03 https://access.redhat.com/security/cve/CVE-2023-23599 https://bugzilla.redhat.com/show_bug.cgi?id=2162339 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-116: Improper Encoding or Escaping of Output •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. The Mozilla Foundation Security Advisory describes this flaw as: Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks • https://bugzilla.mozilla.org/show_bug.cgi?id=1794268 https://www.mozilla.org/security/advisories/mfsa2023-01 https://www.mozilla.org/security/advisories/mfsa2023-02 https://www.mozilla.org/security/advisories/mfsa2023-03 https://access.redhat.com/security/cve/CVE-2023-23601 https://bugzilla.redhat.com/show_bug.cgi?id=2162340 • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. • https://bugzilla.mozilla.org/show_bug.cgi?id=1800890 https://www.mozilla.org/security/advisories/mfsa2023-01 https://www.mozilla.org/security/advisories/mfsa2023-02 https://www.mozilla.org/security/advisories/mfsa2023-03 https://access.redhat.com/security/cve/CVE-2023-23602 https://bugzilla.redhat.com/show_bug.cgi?id=2162341 • CWE-754: Improper Check for Unusual or Exceptional Conditions CWE-1385: Missing Origin Validation in WebSockets •