First published: Tue Feb 14 2023(Updated: )
The `Content-Security-Policy-Report-Only` header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. External Reference: <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-25728">https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-25728</a>
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/firefox | <0:102.8.0-2.el7_9 | 0:102.8.0-2.el7_9 |
redhat/thunderbird | <0:102.8.0-2.el7_9 | 0:102.8.0-2.el7_9 |
redhat/firefox | <0:102.8.0-2.el8_7 | 0:102.8.0-2.el8_7 |
redhat/thunderbird | <0:102.8.0-2.el8_7 | 0:102.8.0-2.el8_7 |
redhat/firefox | <0:102.8.0-2.el8_1 | 0:102.8.0-2.el8_1 |
redhat/thunderbird | <0:102.8.0-2.el8_1 | 0:102.8.0-2.el8_1 |
redhat/firefox | <0:102.8.0-2.el8_2 | 0:102.8.0-2.el8_2 |
redhat/thunderbird | <0:102.8.0-2.el8_2 | 0:102.8.0-2.el8_2 |
redhat/firefox | <0:102.8.0-2.el8_4 | 0:102.8.0-2.el8_4 |
redhat/thunderbird | <0:102.8.0-2.el8_4 | 0:102.8.0-2.el8_4 |
redhat/firefox | <0:102.8.0-2.el8_6 | 0:102.8.0-2.el8_6 |
redhat/thunderbird | <0:102.8.0-2.el8_6 | 0:102.8.0-2.el8_6 |
redhat/firefox | <0:102.8.0-2.el9_1 | 0:102.8.0-2.el9_1 |
redhat/thunderbird | <0:102.8.0-2.el9_1 | 0:102.8.0-2.el9_1 |
redhat/firefox | <0:102.8.0-2.el9_0 | 0:102.8.0-2.el9_0 |
redhat/thunderbird | <0:102.8.0-2.el9_0 | 0:102.8.0-2.el9_0 |
Mozilla Thunderbird | <102.8 | 102.8 |
Mozilla Firefox ESR | <102.8 | 102.8 |
redhat/firefox | <102.8 | 102.8 |
redhat/thunderbird | <102.8 | 102.8 |
Mozilla Firefox | <110 | 110 |
Mozilla Firefox | <110.0 | |
Mozilla Firefox ESR | <102.8 | |
Mozilla Thunderbird | <102.8 | |
ubuntu/firefox | <110.0+ | 110.0+ |
ubuntu/firefox | <110.0+ | 110.0+ |
ubuntu/firefox | <110.0-1 | 110.0-1 |
ubuntu/thunderbird | <1:102.8.0+ | 1:102.8.0+ |
ubuntu/thunderbird | <1:102.8.0+ | 1:102.8.0+ |
ubuntu/thunderbird | <1:102.8.0+ | 1:102.8.0+ |
ubuntu/thunderbird | <1:102.8.0+ | 1:102.8.0+ |
debian/firefox | 129.0-1 | |
debian/firefox-esr | 115.12.0esr-1~deb11u1 115.13.0esr-1~deb11u1 115.12.0esr-1~deb12u1 115.13.0esr-1~deb12u1 115.13.0esr-2 115.14.0esr-1 | |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:115.13.0-1~deb11u1 1:115.12.0-1~deb12u1 1:115.13.0-1~deb12u1 1:115.13.0-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
The vulnerability ID for this issue is CVE-2023-25728.
This vulnerability affects Mozilla Firefox < 110, Mozilla Thunderbird < 102.8, and Firefox ESR < 102.8.
The severity of CVE-2023-25728 is high (severity value: 7).
To fix the vulnerability CVE-2023-25728, upgrade to Mozilla Firefox version 110 or later, Mozilla Thunderbird version 102.8 or later, or Firefox ESR version 102.8 or later.
You can find more information about CVE-2023-25728 in the following references: [Mozilla Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1790345), [Mozilla Security Advisory](https://www.mozilla.org/security/advisories/mfsa2023-05/), [Mozilla Security Advisory](https://www.mozilla.org/security/advisories/mfsa2023-07/).