CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29534
https://notcve.org/view.php?id=CVE-2023-29534
Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to potential user confusion and spoofing attacks. *This bug only affects Firefox and Focus for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 112 and Focus for Android < 112. • https://bugzilla.mozilla.org/show_bug.cgi?id=1816007 https://bugzilla.mozilla.org/show_bug.cgi?id=1816059 https://bugzilla.mozilla.org/show_bug.cgi?id=1821155 https://bugzilla.mozilla.org/show_bug.cgi?id=1821576 https://bugzilla.mozilla.org/show_bug.cgi? •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25747
https://notcve.org/view.php?id=CVE-2023-25747
A potential use-after-free in libaudio was fixed by disabling the AAudio backend when running on Android API below version 30. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 110.1.0. • https://bugzilla.mozilla.org/show_bug.cgi?id=1815801 https://www.mozilla.org/security/advisories/mfsa2023-08 • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29545
https://notcve.org/view.php?id=CVE-2023-29545
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. • https://bugzilla.mozilla.org/show_bug.cgi?id=1823077 https://www.mozilla.org/security/advisories/mfsa2023-13 https://www.mozilla.org/security/advisories/mfsa2023-14 https://www.mozilla.org/security/advisories/mfsa2023-15 •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29542
https://notcve.org/view.php?id=CVE-2023-29542
A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. • https://bugzilla.mozilla.org/show_bug.cgi?id=1810793 https://bugzilla.mozilla.org/show_bug.cgi?id=1815062 https://www.mozilla.org/security/advisories/mfsa2023-13 https://www.mozilla.org/security/advisories/mfsa2023-14 https://www.mozilla.org/security/advisories/mfsa2023-15 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29532
https://notcve.org/view.php?id=CVE-2023-29532
A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. • https://bugzilla.mozilla.org/show_bug.cgi?id=1806394 https://www.mozilla.org/security/advisories/mfsa2023-13 https://www.mozilla.org/security/advisories/mfsa2023-14 https://www.mozilla.org/security/advisories/mfsa2023-15 •