Impact
The Password Manager component in Firefox and Thunderbird improperly handles credentials, causing an information disclosure that can expose stored passwords. This flaw is a classic confidentiality vulnerability (CWE‑200) and involves weak protection of credentials (CWE‑256). Attackers who can read the application’s memory or access the profile directory may retrieve the plaintext credentials, compromising user accounts that rely on the manager.
Affected Systems
Affected systems include Mozilla Firefox versions up to 151 and Mozilla Thunderbird up to 151. The vulnerability was fixed in release 152 of both products. All installations that do not include this patch are susceptible.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity impact, while the EPSS score of <1 % suggests a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or privileged, as the disclosure requires access to the victim’s user environment or the profile files where the credentials reside. The implications are limited to confidentiality loss of user passwords.
OpenCVE Enrichment