{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6206", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2023-11-20T13:33:29.870Z", "datePublished": "2023-11-21T14:28:52.832Z", "dateUpdated": "2024-08-02T08:21:17.996Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "120", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "115.5.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "115.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5."}]}], "problemTypes": [{"descriptions": [{"description": "Clickjacking permission prompts using the fullscreen transition", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1857430"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-49/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-50/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-52/"}, {"url": "https://www.debian.org/security/2023/dsa-5561"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html"}], "credits": [{"lang": "en", "value": "Hafiizh"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2023-11-22T16:46:26.360Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.996Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1857430", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-49/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-50/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2023-52/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5561", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "30F5F1B5-825D-4DC4-A6F0-ED5AD1B031F2", "versionEndExcluding": "120.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2804F80-1F0A-4810-AAFF-57F113F5658D", "versionEndExcluding": "115.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "92C55DCD-E2E9-46CA-B654-3B3E50A3DC6A", "versionEndExcluding": "115.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5."}, {"lang": "es", "value": "La animaci\u00f3n de desvanecimiento negro al salir de la pantalla completa es aproximadamente la duraci\u00f3n del retraso anti-clickjacking en las solicitudes de permiso. Era posible utilizar este hecho para sorprender a los usuarios atray\u00e9ndolos a hacer clic en el lugar donde el bot\u00f3n de concesi\u00f3n de permiso estar\u00eda a punto de aparecer. Esta vulnerabilidad afecta a Firefox &lt; 120, Firefox &lt; 115.5 y Thunderbird &lt; 115.5.0."}], "id": "CVE-2023-6206", "lastModified": "2023-11-30T16:15:10.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-21T15:15:07.787", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1857430"}, {"source": "security@mozilla.org", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html"}, {"source": "security@mozilla.org", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5561"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-49/"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-50/"}, {"source": "security@mozilla.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2023-52/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Hafiizh as the original reporter.", "affected_release": [{"advisory": "RHSA-2023:7505", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:115.5.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7509", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:115.5.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7500", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:115.5.0-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7508", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:115.5.0-1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7502", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:115.5.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7547", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:115.5.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:7573", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:115.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7574", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:115.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7573", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "firefox-0:115.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7574", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "thunderbird-0:115.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7573", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "firefox-0:115.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7574", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "thunderbird-0:115.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7569", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:115.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7570", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:115.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7569", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:115.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7570", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:115.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7569", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:115.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7570", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:115.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-11-29T00:00:00Z"}, {"advisory": "RHSA-2023:7503", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "thunderbird-0:115.5.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7512", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "firefox-0:115.5.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7504", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:115.5.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7511", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:115.5.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7501", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:115.5.0-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7507", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:115.5.0-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7506", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "thunderbird-0:115.5.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7510", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "firefox-0:115.5.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7499", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:115.5.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-11-27T00:00:00Z"}, {"advisory": "RHSA-2023:7577", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:115.5.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-11-29T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Clickjacking permission prompts using the fullscreen transition", "id": "2250898", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250898"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-1021", "details": ["The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.", "The Mozilla Foundation Security Advisory describes this flaw as:\nThe black fade animation when exiting fullscreen is roughly\nthe length of the anti-clickjacking delay on permission prompts.\nIt was possible to use this fact to surprise users by luring them\nto click where the permission grant button would be about to appear."], "name": "CVE-2023-6206", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-11-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-6206\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6206\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important", "upstream_fix": "firefox 115.5, thunderbird 115.5"}