{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0246", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-01-06T14:49:17.440Z", "datePublished": "2025-01-07T16:07:05.551Z", "dateUpdated": "2025-01-08T15:54:25.771Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "134", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. <br>*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*<br>*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134."}]}], "problemTypes": [{"descriptions": [{"description": "Address bar spoofing using an invalid protocol scheme on Firefox for Android", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1912709"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "credits": [{"lang": "en", "value": "James Lee"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-01-07T16:07:05.551Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-08T15:49:04.131560Z", "id": "CVE-2025-0246", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-08T15:54:25.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-0246", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-08T15:49:04.131560Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-08T15:54:20.489Z"}}], "cna": {"credits": [{"lang": "en", "value": "James Lee"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "134", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1912709"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "descriptions": [{"lang": "en", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.", "supportingMedia": [{"type": "text/html", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. <br>*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*<br>*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Address bar spoofing using an invalid protocol scheme on Firefox for Android"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-01-07T16:07:05.551Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0246", "state": "PUBLISHED", "dateUpdated": "2025-01-08T15:54:25.771Z", "dateReserved": "2025-01-06T14:49:17.440Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-01-07T16:07:05.551Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FDCA935-A68D-404E-A749-CA3845C709F0", "versionEndExcluding": "134.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134."}, {"lang": "es", "value": "Al utilizar un esquema de protocolo no v\u00e1lido, un atacante podr\u00eda falsificar la barra de direcciones. *Nota: este problema solo afectaba a los sistemas operativos Android. Los dem\u00e1s sistemas operativos no se ven afectados.* *Nota: este problema es diferente de CVE-2025-0244. Esta vulnerabilidad afecta a Firefox &lt; 134."}], "id": "CVE-2025-0246", "lastModified": "2025-04-03T16:30:27.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-07T16:15:39.260", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1912709"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "firefox: Address bar spoofing using an invalid protocol scheme on Firefox for Android", "id": "2336183", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336183"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-451", "details": ["When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory: When using an invalid protocol scheme, an attacker could spoof the address bar. Note: This issue is different than CVE-2025-0244."], "name": "CVE-2025-0246", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-07T16:07:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-0246\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-0246\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1912709\nhttps://www.mozilla.org/security/advisories/mfsa2025-01/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. This issue only affects Android operating systems. Other operating systems are unaffected.", "threat_severity": "Moderate"}