
#CVE-2023-23600: Notification permissions persisted between Normal and Private Browsing on Android

Per-origin notification permissions were being stored in a way that didn't take into account what browsing context the permission was granted in. This led to the possibility of notifications being displayed during different browsing sessions. This bug only affects Firefox for Android.
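The storage flaw described for CVE-2023-23600, modelled as an added example (not Mozilla's code and not part of the advisory): a permission store keyed by origin alone beside one keyed by origin plus browsing context. The class names, the sample origin and the choice to drop private grants when the private session ends are assumptions of this sketch.

```javascript
// Added illustration; all names are hypothetical, none of this is Firefox code.

// Flawed shape: one record per origin, shared by every browsing context.
class OriginKeyedStore {
  constructor() { this.grants = new Map(); }
  _set(key) {
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    return this.grants.get(key);
  }
  grant(origin, _isPrivate, permission) { this._set(origin).add(permission); }
  has(origin, _isPrivate, permission) {
    return this.grants.get(origin)?.has(permission) ?? false;
  }
  // Nothing can be cleared here: private grants are indistinguishable from normal ones.
  endPrivateSession() {}
}

// Hardened shape: the key carries the browsing context, and private grants
// are dropped when the private session ends (an assumption of this sketch).
class ContextKeyedStore extends OriginKeyedStore {
  static key(origin, isPrivate) { return JSON.stringify([origin, Boolean(isPrivate)]); }
  grant(origin, isPrivate, permission) {
    this._set(ContextKeyedStore.key(origin, isPrivate)).add(permission);
  }
  has(origin, isPrivate, permission) {
    return this.grants.get(ContextKeyedStore.key(origin, isPrivate))?.has(permission) ?? false;
  }
  endPrivateSession() {
    for (const k of [...this.grants.keys()]) {
      if (JSON.parse(k)[1] === true) this.grants.delete(k);
    }
  }
}

// Constructed scenario: grant in Private Browsing, end the session, then query both contexts.
function crossContextReport(store) {
  const origin = "https://news.example"; // constructed sample origin
  store.grant(origin, true, "notifications");
  const privateDuring = store.has(origin, true, "notifications");
  store.endPrivateSession();
  return {
    privateDuring,
    normalAfter: store.has(origin, false, "notifications"),
    privateAfter: store.has(origin, true, "notifications"),
  };
}

console.log("origin-keyed :", crossContextReport(new OriginKeyedStore()));
console.log("context-keyed:", crossContextReport(new ContextKeyedStore()));
```

A regression test for this class of bug asserts that `normalAfter` is false for a grant made in a private context, which the origin-keyed store fails.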

#CVE-2023-23599: Malicious command could be hidden in devtools output on Windows

When copying a network request from the developer tools panel as a curl command, the output was not being properly sanitized and could allow arbitrary commands to be hidden within.

#CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to tData.

#CVE-2023-23597: Logic bug in process allocation allowed to read arbitrary files

A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read.

Security Vulnerabilities fixed in Firefox 109

Mozilla Foundation Security Advisory 2023-01
