

Two notably interesting vulnerabilities appear amongst the 11, namely:

CVE-2023-28161: One-time permissions granted to a local file were extended to other local files loaded in the same tab. In other words, a permission you granted "just this once" to one file:// page could be inherited by a different local file subsequently opened in the same tab.

None of the remaining CVE-numbered bugs this month were worse than High, three of them apply to Firefox for Android only, and no one has yet (so far as we know) come up with a PoC exploit that shows how to abuse them in real life. Mozilla admits that "we presume that with enough effort some of these could have been exploited to run arbitrary code", but no one has yet figured out how to do so, or even whether such exploits are feasible.

Those memory-safety bags-of-bugs have therefore been rated High rather than Critical, a rating that reflects the absence of a known exploit rather than any proof that exploitation is impossible. There are two such batches this month:

The first batch was shared between the current version (which includes new features) and the ESR version, short for Extended Support Release (security fixes applied, but with new features frozen since version 102, nine releases ago).

CVE-2023-28177: Memory safety bugs fixed in Firefox 111 only. These bugs almost certainly exist only in new code that brought in new features, given that they didn't show up in the older ESR codebase.
