CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6868
https://notcve.org/view.php?id=CVE-2023-6868
In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. *This bug only affects Firefox on Android.* This vulnerability affects Firefox < 121. En algunos casos, el agente de usuario permitiría solicitudes de inserción que carecían de un VAPID válido aunque la suscripción del administrador de inserción definiera uno. Esto podría permitir que se envíen mensajes vacíos desde partes no autorizadas. *Este error solo afecta a Firefox en Android.* Esta vulnerabilidad afecta a Firefox < 121. • https://bugzilla.mozilla.org/show_bug.cgi?id=1865488 https://security.gentoo.org/glsa/202401-10 https://www.mozilla.org/security/advisories/mfsa2023-56 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6867 – Mozilla: Clickjacking permission prompts using the popup transition
https://notcve.org/view.php?id=CVE-2023-6867
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. El timing en el que se hace clic en un botón que provoca la desaparición de una ventana emergente era aproximadamente de la misma duración que el retraso anti-clickjacking en las solicitudes de permiso. Era posible utilizar este hecho para sorprender a los usuarios atrayéndolos a hacer clic en el lugar donde el botón de concesión de permiso estaría a punto de aparecer. • https://bugzilla.mozilla.org/show_bug.cgi?id=1863863 https://lists.debian.org/debian-lts-announce/2023/12/msg00020.html https://security.gentoo.org/glsa/202401-10 https://www.debian.org/security/2023/dsa-5581 https://www.mozilla.org/security/advisories/mfsa2023-54 https://www.mozilla.org/security/advisories/mfsa2023-56 https://access.redhat.com/security/cve/CVE-2023-6867 https://bugzilla.redhat.com/show_bug.cgi?id=2255366 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6866
https://notcve.org/view.php?id=CVE-2023-6866
TypedArrays can be fallible and lacked proper exception handling. This could lead to abuse in other APIs which expect TypedArrays to always succeed. This vulnerability affects Firefox < 121. TypedArrays puede ser falible y carecer de un manejo de excepciones adecuado. Esto podría dar lugar a abusos en otras API que esperan que TypedArrays siempre tenga éxito. • https://bugzilla.mozilla.org/show_bug.cgi?id=1849037 https://security.gentoo.org/glsa/202401-10 https://www.mozilla.org/security/advisories/mfsa2023-56 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6865 – Mozilla: Potential exposure of uninitialized data in <code>EncryptingOutputStream</code>
https://notcve.org/view.php?id=CVE-2023-6865
`EncryptingOutputStream` was susceptible to exposing uninitialized data. This issue could only be abused in order to write data to a local disk which may have implications for private browsing mode. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. `EncryptingOutputStream` era susceptible de exponer datos no inicializados. Sólo se puede abusar de este problema para escribir datos en un disco local, lo que puede tener implicaciones para el modo de navegación privada. • https://bugzilla.mozilla.org/show_bug.cgi?id=1864123 https://lists.debian.org/debian-lts-announce/2023/12/msg00020.html https://security.gentoo.org/glsa/202401-10 https://www.debian.org/security/2023/dsa-5581 https://www.mozilla.org/security/advisories/mfsa2023-54 https://www.mozilla.org/security/advisories/mfsa2023-56 https://access.redhat.com/security/cve/CVE-2023-6865 https://bugzilla.redhat.com/show_bug.cgi?id=2255361 • CWE-908: Use of Uninitialized Resource •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6135 – nss: vulnerable to Minerva side-channel information leak
https://notcve.org/view.php?id=CVE-2023-6135
Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121. Múltiples curvas NSS NIST fueron susceptibles a un ataque de canal lateral conocido como "Minerva". Este ataque podría permitir potencialmente que un atacante recupere la clave privada. • https://bugzilla.mozilla.org/show_bug.cgi?id=1853908 https://security.gentoo.org/glsa/202401-10 https://www.mozilla.org/security/advisories/mfsa2023-56 https://access.redhat.com/security/cve/CVE-2023-6135 https://bugzilla.redhat.com/show_bug.cgi?id=2249906 https://people.redhat.com/~hkario/marvin • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •