Veracode Vulnerability Database: VERACODE:42352
Aug 06, 2023 - 5:30 p.m.

Denial Of Service (DoS)

2023-08-06 17:30:29
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: firefox, thunderbird, vulnerability, tls, error page, dos, attack, malicious website, iframe

CVSS3: 3.1 Low

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS: 0.001 Low
Percentile: 28.1%

Firefox and Thunderbird are vulnerable to Denial of Service (DoS) attacks. The vulnerability is caused by a missing activation delay on the error page shown for sites with invalid TLS certificates. An attacker can exploit it by creating a malicious website that contains a crafted iframe. When a victim visits the malicious website, the iframe is displayed on top of the Firefox error page. If the victim clicks a button in the iframe, the click is redirected to the malicious website, even though the error page is still visible. This can be used to trick the victim into performing actions that they would not otherwise perform.
