Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-37207
HistoryJul 05, 2023 - 12:00 a.m.

CVE-2023-37207

2023-07-0500:00:00
ubuntu.com
ubuntu.com
19
firefox
thunderbird
url scheme
spoofing
vulnerability
fullscreen notification
user confusion

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

55.6%

A website could have obscured the fullscreen notification by using a URL
with a scheme handled by an external program, such as a mailto URL. This
could have led to user confusion and possible spoofing attacks. This
vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird
< 102.13.

Notes

Author Note
tyhicks mozjs contains a copy of the SpiderMonkey JavaScript engine
mdeslaur starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap
OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchfirefox< 115.0+build2-0ubuntu0.20.04.3UNKNOWN
ubuntu20.04noarchthunderbird< 1:102.13.0+build1-0ubuntu0.20.04.1UNKNOWN
ubuntu22.04noarchthunderbird< 1:102.13.0+build1-0ubuntu0.22.04.1UNKNOWN
ubuntu22.10noarchthunderbird< 1:102.13.0+build1-0ubuntu0.22.10.1UNKNOWN
ubuntu23.04noarchthunderbird< 1:102.13.0+build1-0ubuntu0.23.04.1UNKNOWN

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

55.6%