Vulnerability Description
When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. <br>*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 111.0 |
| Mozilla | Firefox Esr | < 102.9 |
| Mozilla | Thunderbird | < 102.9 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1817768Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2023-09/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2023-10/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2023-11/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1817768Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2023-09/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2023-10/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2023-11/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1817768Issue TrackingPermissions RequiredVendor Advisory
FAQ
What is CVE-2023-28163?
CVE-2023-28163 is a vulnerability with a CVSS score of 6.5 (MEDIUM). When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. <br>*...
How severe is CVE-2023-28163?
CVE-2023-28163 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28163?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Mozilla Thunderbird.