cve-2025-23108
Vulnerability from cvelistv5
Published
2025-01-11 03:36
Modified
2025-01-13 17:46
Severity ?
EPSS score ?
Summary
Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS < 134.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Mozilla | Firefox for iOS |
Version: unspecified < 134 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-23108", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-13T17:44:14.905100Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-13T17:46:18.921Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Firefox for iOS", "vendor": "Mozilla", "versions": [ { "lessThan": "134", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Renwa" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS \u003c 134." } ], "value": "Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS \u003c 134." } ], "problemTypes": [ { "descriptions": [ { "description": "Firefox Mobile iOS Full Address Bar Spoof Using Open in New Tab and Javascript URI", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-11T03:36:53.989Z", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933172" }, { "url": "https://www.mozilla.org/security/advisories/mfsa2025-06/" } ] } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2025-23108", "datePublished": "2025-01-11T03:36:53.989Z", "dateReserved": "2025-01-10T21:00:17.659Z", "dateUpdated": "2025-01-13T17:46:18.921Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-23108\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2025-01-11T04:15:06.280\",\"lastModified\":\"2025-01-13T18:15:22.680\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS \u003c 134.\"},{\"lang\":\"es\",\"value\":\"Abrir enlaces de Javascript en una nueva pesta\u00f1a manteniendo pulsada la tecla en el cliente iOS de Firefox podr\u00eda provocar que un script malicioso falsifique la URL de la nueva pesta\u00f1a. Esta vulnerabilidad afecta a Firefox para iOS \u0026lt; 134.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1933172\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2025-06/\",\"source\":\"security@mozilla.org\"}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-23108\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-13T17:44:14.905100Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-13T17:46:08.182Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Renwa\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox for iOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"134\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1933172\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2025-06/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS \u003c 134.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS \u003c 134.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Firefox Mobile iOS Full Address Bar Spoof Using Open in New Tab and Javascript URI\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2025-01-11T03:36:53.989Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2025-23108\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-13T17:46:18.921Z\", \"dateReserved\": \"2025-01-10T21:00:17.659Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2025-01-11T03:36:53.989Z\", \"assignerShortName\": \"mozilla\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.