CVE-2023-25734
First published: Tue Feb 14 2023(Updated: )
After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource.This bug only affects Firefox on Windows. Other operating systems are unaffected.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <110 | 110 | |
| <102.8 | 102.8 | |
| Mozilla Thunderbird | <102.8 | 102.8 |
| <102.8 | 102.8 | |
| Mozilla Firefox | <110.0 | |
| Mozilla Firefox ESR | <102.8 | |
| Mozilla Thunderbird | <102.8 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1809923
- https://bugzilla.mozilla.org/show_bug.cgi?id=1784451
- https://bugzilla.mozilla.org/show_bug.cgi?id=1810143
- https://bugzilla.mozilla.org/show_bug.cgi?id=1812338
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/#CVE-2023-25746
- https://www.mozilla.org/security/advisories/mfsa2023-05/
- https://www.mozilla.org/security/advisories/mfsa2023-06/
- https://www.mozilla.org/security/advisories/mfsa2023-07/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2023-25734?
CVE-2023-25734 is a vulnerability that allows an attacker to supply a remote path in a Windows .url shortcut, leading to unexpected network requests from the operating system and potentially leaking NTLM credentials.
Which software is affected by CVE-2023-25734?
CVE-2023-25734 affects Mozilla Thunderbird (up to version 102.8), Mozilla Firefox (up to version 110), and Mozilla Firefox ESR (up to version 102.8).
What is the severity of CVE-2023-25734?
CVE-2023-25734 has a severity rating of medium with a value of 4.
How can an attacker exploit CVE-2023-25734?
An attacker can exploit CVE-2023-25734 by supplying a remote path in a Windows .url shortcut, causing unexpected network requests and potentially leaking NTLM credentials.
How can I mitigate CVE-2023-25734?
To mitigate CVE-2023-25734, update Mozilla Thunderbird, Mozilla Firefox, or Mozilla Firefox ESR to the latest version available, which includes the necessary security fixes.
- collector/nvd-latest
- collector/mozilla-advisory
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- source/Mozilla
- agent/software-canonical-lookup
- agent/author
- agent/description
- agent/references
- agent/severity
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/trending
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- vendor/microsoft
- canonical/microsoft windows