ncsc-2025-0325
Vulnerability from csaf_ncscnl
Published
2025-10-20 12:59
Modified
2025-10-20 12:59
Summary
Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird (Specifiek voor versies onder 144).
Interpretaties
De kwetsbaarheden omvatten verschillende problemen, waaronder een use-after-free probleem, geheugenveiligheidsfouten en de mogelijkheid voor een kwaadwillende om gevoelige gegevens te benaderen of willekeurige code uit te voeren. Deze kwetsbaarheden kunnen worden geëxploiteerd via gemanipuleerde webprocessen, onveilige IPC-berichten en andere methoden die de integriteit van de applicaties in gevaar brengen. De risico's zijn significant, vooral voor gebruikers van Windows en Android, waar specifieke kwetsbaarheden zijn vastgesteld die kunnen leiden tot ongeautoriseerde toegang en systeemcompromittering.
Oplossingen
Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-116
Improper Encoding or Escaping of Output
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-125
Out-of-bounds Read
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-275
CWE-275
CWE-284
Improper Access Control
CWE-404
Improper Resource Shutdown or Release
CWE-416
Use After Free
CWE-436
Interpretation Conflict
CWE-451
User Interface (UI) Misrepresentation of Critical Information
CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-591
Sensitive Data Storage in Improperly Locked Memory
CWE-787
Out-of-bounds Write
CWE-1021
Improper Restriction of Rendered UI Layers or Frames
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird (Specifiek voor versies onder 144).",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten verschillende problemen, waaronder een use-after-free probleem, geheugenveiligheidsfouten en de mogelijkheid voor een kwaadwillende om gevoelige gegevens te benaderen of willekeurige code uit te voeren. Deze kwetsbaarheden kunnen worden ge\u00ebxploiteerd via gemanipuleerde webprocessen, onveilige IPC-berichten en andere methoden die de integriteit van de applicaties in gevaar brengen. De risico\u0027s zijn significant, vooral voor gebruikers van Windows en Android, waar specifieke kwetsbaarheden zijn vastgesteld die kunnen leiden tot ongeautoriseerde toegang en systeemcompromittering.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"title": "CWE-88"
},
{
"category": "general",
"text": "Improper Encoding or Escaping of Output",
"title": "CWE-116"
},
{
"category": "general",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "CWE-275",
"title": "CWE-275"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "general",
"text": "Interpretation Conflict",
"title": "CWE-436"
},
{
"category": "general",
"text": "User Interface (UI) Misrepresentation of Critical Information",
"title": "CWE-451"
},
{
"category": "general",
"text": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"title": "CWE-497"
},
{
"category": "general",
"text": "Sensitive Data Storage in Improperly Locked Memory",
"title": "CWE-591"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Improper Restriction of Rendered UI Layers or Frames",
"title": "CWE-1021"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/"
},
{
"category": "external",
"summary": "Reference",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-82/"
},
{
"category": "external",
"summary": "Reference",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/"
},
{
"category": "external",
"summary": "Reference",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-84/"
},
{
"category": "external",
"summary": "Reference",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-85/"
}
],
"title": "Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird",
"tracking": {
"current_release_date": "2025-10-20T12:59:06.729067Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2025-0325",
"initial_release_date": "2025-10-20T12:59:06.729067Z",
"revision_history": [
{
"date": "2025-10-20T12:59:06.729067Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Firefox"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Firefox ESR"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Thunderbird"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Thunderbird ESR"
}
],
"category": "vendor",
"name": "Mozilla"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11708",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "description",
"text": "A use-after-free vulnerability in MediaTrackGraphImpl::GetInstance() affects Firefox and Thunderbird versions below 144, with specific ESR versions also impacted, as assessed by Red Hat Product Security.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11708 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11708.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11708"
},
{
"cve": "CVE-2025-11709",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "description",
"text": "A vulnerability in specific versions of Firefox and Thunderbird allows exploitation through manipulated WebGL textures, resulting in out of bounds reads and writes in a more privileged process.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11709 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11709.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11709"
},
{
"cve": "CVE-2025-11710",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"title": "CWE-497"
},
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "description",
"text": "A vulnerability in Firefox and Thunderbird prior to specified updates allows a compromised web process to access sensitive memory blocks of the privileged browser process via malicious IPC messages.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11710 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11710.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11710"
},
{
"cve": "CVE-2025-11711",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "other",
"text": "Sensitive Data Storage in Improperly Locked Memory",
"title": "CWE-591"
},
{
"category": "description",
"text": "A vulnerability affecting specific versions of Firefox and Thunderbird allows modification of non-writeable JavaScript Object properties, as assessed by Red Hat Product Security based on a Mozilla Foundation Security Advisory.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11711 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11711.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11711"
},
{
"cve": "CVE-2025-11712",
"cwe": {
"id": "CWE-436",
"name": "Interpretation Conflict"
},
"notes": [
{
"category": "other",
"text": "Interpretation Conflict",
"title": "CWE-436"
},
{
"category": "other",
"text": "Improper Encoding or Escaping of Output",
"title": "CWE-116"
},
{
"category": "description",
"text": "A vulnerability in Firefox and Thunderbird allows exploitation of the OBJECT tag\u0027s type attribute, potentially leading to XSS attacks on sites serving files without a content-type header.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11712 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11712.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11712"
},
{
"cve": "CVE-2025-11713",
"cwe": {
"id": "CWE-88",
"name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"title": "CWE-88"
},
{
"category": "other",
"text": "Improper Encoding or Escaping of Output",
"title": "CWE-116"
},
{
"category": "description",
"text": "A vulnerability in the \u0027Copy as cURL\u0027 feature affects Windows users of Firefox and Thunderbird, allowing unexpected code execution, while other operating systems remain unaffected.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11713 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11713.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11713"
},
{
"cve": "CVE-2025-11714",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "description",
"text": "Memory safety vulnerabilities in various versions of Firefox and Thunderbird could be exploited to execute arbitrary code, with severity ratings provided by Red Hat based on Mozilla\u0027s advisory.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11714 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11714.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11714"
},
{
"cve": "CVE-2025-11715",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "description",
"text": "Memory safety vulnerabilities in Firefox and Thunderbird versions 140.3 and 143 could allow arbitrary code execution, affecting earlier versions and rated by Red Hat based on Mozilla\u0027s advisory.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11715 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11715.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11715"
},
{
"cve": "CVE-2025-11716",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "description",
"text": "A vulnerability in Firefox and Thunderbird versions prior to 144 allows links in a sandboxed iframe to open external applications on Android without the necessary \u0027allow-\u0027 permission.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11716 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11716.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11716"
},
{
"cve": "CVE-2025-11717",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "description",
"text": "Firefox versions prior to 144 exhibit a black screen in the app switcher instead of displaying the password edit screen when the last used screen was password-related on Android devices.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11717 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11717.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11717"
},
{
"cve": "CVE-2025-11718",
"cwe": {
"id": "CWE-451",
"name": "User Interface (UI) Misrepresentation of Critical Information"
},
"notes": [
{
"category": "other",
"text": "User Interface (UI) Misrepresentation of Critical Information",
"title": "CWE-451"
},
{
"category": "description",
"text": "A vulnerability in Firefox versions prior to 144 on Android allows malicious pages to create a deceptive fake address bar by hiding the real one during scrolling, potentially misleading users.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11718 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11718.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11718"
},
{
"cve": "CVE-2025-11719",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "description",
"text": "Firefox and Thunderbird versions prior to 144 are vulnerable to crashes on Windows due to a use-after-free memory corruption issue in the native messaging API for web extensions, identified from version 143.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11719 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11719.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11719"
},
{
"cve": "CVE-2025-11720",
"cwe": {
"id": "CWE-451",
"name": "User Interface (UI) Misrepresentation of Critical Information"
},
"notes": [
{
"category": "other",
"text": "User Interface (UI) Misrepresentation of Critical Information",
"title": "CWE-451"
},
{
"category": "description",
"text": "The Firefox and Firefox Focus UI for Android custom tabs displayed only the loaded site instead of the full hostname, misleading users about content sources from subdomains in versions prior to 144.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11720 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11720.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11720"
},
{
"cve": "CVE-2025-11721",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "description",
"text": "A memory safety vulnerability in Firefox 143 and Thunderbird 143 could lead to arbitrary code execution due to memory corruption, affecting versions prior to 144.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-11721 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-11721.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2025-11721"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…