CVE-2023-25734

Public Exploit

Description

After downloading a Windows <code>.url</code> shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.<br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

References

Link	Tags
https://www.mozilla.org/security/advisories/mfsa2023-06/	vendor advisory
https://www.mozilla.org/security/advisories/mfsa2023-05/	vendor advisory
https://www.mozilla.org/security/advisories/mfsa2023-07/	vendor advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1809923	issue tracking permissions required
https://bugzilla.mozilla.org/show_bug.cgi?id=1784451	vendor advisory issue tracking exploit
https://bugzilla.mozilla.org/show_bug.cgi?id=1810143	issue tracking permissions required
https://bugzilla.mozilla.org/show_bug.cgi?id=1812338	issue tracking permissions required

Frequently Asked Questions

What is the severity of CVE-2023-25734?: CVE-2023-25734 has been scored as a high severity vulnerability.
How to fix CVE-2023-25734?: To fix CVE-2023-25734, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-25734 being actively exploited in the wild?: It is possible that CVE-2023-25734 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-25734?: CVE-2023-25734 affects Mozilla Firefox, Mozilla Thunderbird, Mozilla Firefox ESR.

Description

Category

CWE-601 – URL Redirection to Untrusted Site ('Open Redirect')

References

Frequently Asked Questions