Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-23604

Summary
Assigner-mozilla
Assigner Org ID-f16b083a-5664-49f3-a51e-8d479e5ed7fe
Published At-02 Jun, 2023 | 00:00
Updated At-10 Jan, 2025 | 18:06
Rejected At-
Credits

A duplicate <code>SystemPrincipal</code> object could be created when parsing a non-system html document via <code>DOMParser::ParseFromSafeString</code>. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mozilla
Assigner Org ID:f16b083a-5664-49f3-a51e-8d479e5ed7fe
Published At:02 Jun, 2023 | 00:00
Updated At:10 Jan, 2025 | 18:06
Rejected At:
▼CVE Numbering Authority (CNA)

A duplicate <code>SystemPrincipal</code> object could be created when parsing a non-system html document via <code>DOMParser::ParseFromSafeString</code>. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.

Affected Products
Vendor
Mozilla CorporationMozilla
Product
Firefox
Versions
Affected
  • From unspecified before 109 (custom)
Problem Types
TypeCWE IDDescription
textN/ACreation of duplicate SystemPrincipal from less secure contexts
Type: text
CWE ID: N/A
Description: Creation of duplicate SystemPrincipal from less secure contexts
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.mozilla.org/security/advisories/mfsa2023-01/
N/A
https://bugzilla.mozilla.org/show_bug.cgi?id=1802346
N/A
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2023-01/
Resource: N/A
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1802346
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.mozilla.org/security/advisories/mfsa2023-01/
x_transferred
https://bugzilla.mozilla.org/show_bug.cgi?id=1802346
x_transferred
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2023-01/
Resource:
x_transferred
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1802346
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863 Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863 Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@mozilla.org
Published At:02 Jun, 2023 | 17:15
Updated At:10 Jan, 2025 | 18:15

A duplicate <code>SystemPrincipal</code> object could be created when parsing a non-system html document via <code>DOMParser::ParseFromSafeString</code>. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CPE Matches
Mozilla Corporation
mozilla
>>firefox>>Versions before 109.0(exclusive)
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-863Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-863
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://bugzilla.mozilla.org/show_bug.cgi?id=1802346security@mozilla.org
Issue Tracking
Permissions Required
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-01/security@mozilla.org
Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1802346af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Permissions Required
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-01/af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1802346
Source: security@mozilla.org
Resource:
Issue Tracking
Permissions Required
Vendor Advisory
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2023-01/
Source: security@mozilla.org
Resource:
Vendor Advisory
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1802346
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Permissions Required
Vendor Advisory
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2023-01/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

129Records found
CVE-2021-23975
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 51.77%
||
7 Day CHG~0.00%
Published-26 Feb, 2021 | 01:49
Updated-03 Aug, 2024 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects Firefox < 86.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-862
Missing Authorization
CVE-2021-23982
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 41.77%
||
7 Day CHG~0.00%
Published-31 Mar, 2021 | 13:42
Updated-03 Aug, 2024 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2019-11747
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 56.89%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 17:16
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxfirefox_esrFirefoxFirefox ESR
CWE ID-CWE-665
Improper Initialization
CVE-2024-38312
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.38% / 58.78%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 20:01
Updated-19 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects Firefox for iOS < 127.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox for iOS
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2019-17023
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.16%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 21:30
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.

Action-Not Available
Vendor-Canonical Ltd.Mozilla CorporationDebian GNU/Linux
Product-firefoxubuntu_linuxdebian_linuxFirefox
CWE ID-CWE-287
Improper Authentication
CVE-2024-5692
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 60.22%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 12:40
Updated-27 Mar, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in the extension. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

Action-Not Available
Vendor-Microsoft CorporationMozilla Corporation
Product-firefoxthunderbirdwindowsFirefoxThunderbirdFirefox ESRfirefoxfirefox_esr
CVE-2022-38472
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 35.15%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-346
Origin Validation Error
CVE-2020-15658
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 66.04%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 17:43
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2018-12369
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.80% / 82.02%
||
7 Day CHG-0.62%
Published-18 Oct, 2018 | 13:00
Updated-05 Aug, 2024 | 08:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions. This vulnerability affects Firefox ESR < 60.1 and Firefox < 61.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxfirefox_esrFirefoxFirefox ESR
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-12391
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.58% / 67.91%
||
7 Day CHG~0.00%
Published-28 Feb, 2019 | 18:00
Updated-05 Aug, 2024 | 08:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

Action-Not Available
Vendor-Mozilla CorporationGoogle LLC
Product-firefoxandroidthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-12391
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.70% / 71.02%
||
7 Day CHG~0.00%
Published-26 May, 2020 | 17:02
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-38503
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-10||CRITICAL
EPSS-1.39% / 79.58%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 21:22
Updated-04 Aug, 2024 | 01:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Action-Not Available
Vendor-Debian GNU/LinuxMozilla Corporation
Product-firefoxthunderbirddebian_linuxfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-25729
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.12% / 30.98%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 00:00
Updated-10 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefoxFirefox ESR
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-25749
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.61%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 00:00
Updated-09 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-17014
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.4||HIGH
EPSS-0.34% / 56.28%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 21:25
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-29959
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.13%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 13:16
Updated-03 Aug, 2024 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-29961
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.13%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 13:15
Updated-03 Aug, 2024 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-0237
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.93%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 16:07
Updated-03 Apr, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefox ESRFirefoxThunderbird
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-11724
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 60.67%
||
7 Day CHG~0.00%
Published-23 Jul, 2019 | 13:17
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox < 68.

Action-Not Available
Vendor-openSUSEMozilla Corporation
Product-firefoxleapFirefox
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-21182
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.02%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 17:46
Updated-03 Aug, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.

Action-Not Available
Vendor-Fedora ProjectGoogle LLCDebian GNU/Linux
Product-chromedebian_linuxfedoraChrome
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-36622
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 9.99%
||
7 Day CHG~0.00%
Published-21 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 12:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
sah-comp bienlein cross-site request forgery

A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is d7836a4f2b241e4745ede194f0f6fb47199cab6b. It is recommended to apply a patch to fix this issue. The identifier VDB-216473 was assigned to this vulnerability.

Action-Not Available
Vendor-bienlein_projectsah-comp
Product-bienleinbienlein
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-0309
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 29.12%
||
7 Day CHG~0.00%
Published-12 Feb, 2022 | 01:36
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Action-Not Available
Vendor-Google LLC
Product-chromeChrome
CWE ID-CWE-863
Incorrect Authorization
CVE-2017-5060
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-0.69% / 70.80%
||
7 Day CHG~0.00%
Published-27 Oct, 2017 | 05:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.

Action-Not Available
Vendor-n/aLinux Kernel Organization, IncRed Hat, Inc.Apple Inc.Microsoft CorporationGoogle LLC
Product-chromeenterprise_linux_desktopenterprise_linux_workstationlinux_kernelwindowsenterprise_linux_servermacosandroidGoogle Chrome prior to 58.0.3029.81 for Mac, Windows and Linux, and 58.0.3029.83 for Android
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-0133
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 15.00%
||
7 Day CHG~0.00%
Published-10 Jan, 2023 | 00:00
Updated-20 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium security severity: Medium)

Action-Not Available
Vendor-Google LLC
Product-chromeandroidChrome
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-4397
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.71%
||
7 Day CHG~0.00%
Published-10 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
morontt zend-blog-number-2 Comment Comment.php cross-site request forgery

A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 36b2d4abe20a6245e4f8df7a4b14e130b24d429d. It is recommended to apply a patch to fix this issue. VDB-215250 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-zend-blog-2_projectmorontt
Product-zend-blog-2zend-blog-number-2
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-30533
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-6.45% / 90.68%
||
7 Day CHG~0.00%
Published-07 Jun, 2021 | 19:25
Updated-30 Jul, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-07-18||Apply updates per vendor instructions.

Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.

Action-Not Available
Vendor-Fedora ProjectGoogle LLC
Product-fedorachromeChromeChromium PopupBlocker
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-30534
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.00%
||
7 Day CHG~0.00%
Published-07 Jun, 2021 | 19:25
Updated-03 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient policy enforcement in iFrameSandbox in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Action-Not Available
Vendor-Fedora ProjectGoogle LLC
Product-chromefedoraChrome
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-3880
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.62%
||
7 Day CHG~0.00%
Published-12 Dec, 2022 | 17:54
Updated-22 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org

Action-Not Available
Vendor-antihacker_projectUnknown
Product-antihackerDisable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-36623
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.17%
||
7 Day CHG~0.00%
Published-21 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 12:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pengu index.js runApp cross-site request forgery

A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475.

Action-Not Available
Vendor-pengu_projectunspecified
Product-penguPengu
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found