Red Hat: CVE-2023-23603: CVE-2023-23603 Mozilla: Calls to console.log allowed bypasing Content Security Policy via format directive (Multiple Advisories)

Red Hat: CVE-2023-23603: CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive (Multiple Advisories)

Severity

7

CVSS

(AV:N/AC:M/Au:N/C:C/I:N/A:N)

Published

01/23/2023

Created

01/25/2023

Added

01/24/2023

Modified

01/30/2025

Description

Regular expressions used to filter out forbidden properties and values from style directives in calls to <code>console.log</code> weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

Solution(s)

• redhat-upgrade-firefox
• redhat-upgrade-firefox-debuginfo
• redhat-upgrade-firefox-debugsource
• redhat-upgrade-thunderbird
• redhat-upgrade-thunderbird-debuginfo
• redhat-upgrade-thunderbird-debugsource

References

• CVE-2023-23603
• RHSA-2023:0285
• RHSA-2023:0286
• RHSA-2023:0288
• RHSA-2023:0289
• RHSA-2023:0295
• RHSA-2023:0296
• RHSA-2023:0456
• RHSA-2023:0460
• RHSA-2023:0461
• RHSA-2023:0462
• RHSA-2023:0463
• RHSA-2023:0476

View more