Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-23603
HistoryJan 18, 2023 - 12:00 a.m.

CVE-2023-23603

2023-01-1800:00:00
ubuntu.com
ubuntu.com
15
regular expressions
security vulnerability
firefox
thunderbird
firefox esr
exfiltration
browser
style directives
console.log
external urls

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

45.3%

Regular expressions used to filter out forbidden properties and values from
style directives in calls to <code>console.log</code> weren’t accounting
for external URLs. Data could then be potentially exfiltrated from the
browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and
Firefox ESR < 102.7.

Notes

Author Note
tyhicks mozjs contains a copy of the SpiderMonkey JavaScript engine
mdeslaur starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap
OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchfirefox< 109.0+build2-0ubuntu0.18.04.1UNKNOWN
ubuntu20.04noarchfirefox< 109.0+build2-0ubuntu0.20.04.1UNKNOWN
ubuntu18.04noarchmozjs38< anyUNKNOWN
ubuntu18.04noarchmozjs52< anyUNKNOWN
ubuntu20.04noarchmozjs52< anyUNKNOWN
ubuntu20.04noarchmozjs68< anyUNKNOWN
ubuntu22.04noarchmozjs78< anyUNKNOWN
ubuntu22.04noarchmozjs91< anyUNKNOWN
ubuntu18.04noarchthunderbird< 1:102.7.1+build2-0ubuntu0.18.04.1UNKNOWN
ubuntu20.04noarchthunderbird< 1:102.7.1+build2-0ubuntu0.20.04.1UNKNOWN
Rows per page:
1-10 of 151

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

45.3%