VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-fc18-tpew-aaaj

Essentials
Severities (93)
References (53)
Severity details (14)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-fc18-tpew-aaaj
Aliases	CVE-2023-25728
Summary	The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25728.json
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00114	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00137	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00168	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00168	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.00344	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
epss	0.01092	https://api.first.org/data/v1/epss?cve=CVE-2023-25728
cvssv3.1	6.5	https://bugzilla.mozilla.org/show_bug.cgi?id=1790345
ssvc	Track	https://bugzilla.mozilla.org/show_bug.cgi?id=1790345
cvssv3	6.5	https://nvd.nist.gov/vuln/detail/CVE-2023-25728
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2023-25728
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2023-05
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2023-06
generic_textual	low	https://www.mozilla.org/en-US/security/advisories/mfsa2023-07
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2023-05/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2023-05/
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2023-06/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2023-06/
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2023-07/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2023-07/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25728.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-25728
		https://bugzilla.mozilla.org/show_bug.cgi?id=1790345
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46871
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46877
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0430
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0616
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0767
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23598
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23601
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23602
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23603
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23605
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25728
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25729
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25730
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25732
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25735
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25737
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25739
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25742
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25744
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25746
		https://www.mozilla.org/security/advisories/mfsa2023-05/
		https://www.mozilla.org/security/advisories/mfsa2023-06/
		https://www.mozilla.org/security/advisories/mfsa2023-07/
2170374		https://bugzilla.redhat.com/show_bug.cgi?id=2170374
cpe:2.3:a:mozilla:firefox::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox::::::::
cpe:2.3:a:mozilla:firefox_esr::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr::::::::
cpe:2.3:a:mozilla:thunderbird::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird::::::::
CVE-2023-25728		https://nvd.nist.gov/vuln/detail/CVE-2023-25728
GLSA-202305-35		https://security.gentoo.org/glsa/202305-35
mfsa2023-05		https://www.mozilla.org/en-US/security/advisories/mfsa2023-05
mfsa2023-06		https://www.mozilla.org/en-US/security/advisories/mfsa2023-06
mfsa2023-07		https://www.mozilla.org/en-US/security/advisories/mfsa2023-07
RHSA-2023:0805		https://access.redhat.com/errata/RHSA-2023:0805
RHSA-2023:0806		https://access.redhat.com/errata/RHSA-2023:0806
RHSA-2023:0807		https://access.redhat.com/errata/RHSA-2023:0807
RHSA-2023:0808		https://access.redhat.com/errata/RHSA-2023:0808
RHSA-2023:0809		https://access.redhat.com/errata/RHSA-2023:0809
RHSA-2023:0810		https://access.redhat.com/errata/RHSA-2023:0810
RHSA-2023:0811		https://access.redhat.com/errata/RHSA-2023:0811
RHSA-2023:0812		https://access.redhat.com/errata/RHSA-2023:0812
RHSA-2023:0817		https://access.redhat.com/errata/RHSA-2023:0817
RHSA-2023:0818		https://access.redhat.com/errata/RHSA-2023:0818
RHSA-2023:0819		https://access.redhat.com/errata/RHSA-2023:0819
RHSA-2023:0820		https://access.redhat.com/errata/RHSA-2023:0820
RHSA-2023:0821		https://access.redhat.com/errata/RHSA-2023:0821
RHSA-2023:0822		https://access.redhat.com/errata/RHSA-2023:0822
RHSA-2023:0823		https://access.redhat.com/errata/RHSA-2023:0823
RHSA-2023:0824		https://access.redhat.com/errata/RHSA-2023:0824
USN-5880-1		https://usn.ubuntu.com/5880-1/
USN-5943-1		https://usn.ubuntu.com/5943-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25728.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1790345

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T17:40:01Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1790345

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-25728

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-25728

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2023-05/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T17:40:01Z/ Found at https://www.mozilla.org/security/advisories/mfsa2023-05/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2023-06/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T17:40:01Z/ Found at https://www.mozilla.org/security/advisories/mfsa2023-06/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2023-07/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T17:40:01Z/ Found at https://www.mozilla.org/security/advisories/mfsa2023-07/

Exploit Prediction Scoring System (EPSS)

Percentile	0.41755
EPSS Score	0.00098
Published At	Dec. 17, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.