CVE-2023-28164

MEDIUM Year: 2023
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-346
View all →

Vulnerability Description

Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.

Related Vulnerabilities

CVE-2018-12402

MEDIUM
CVSS:6.5(Medium)

The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example...

CWE-3462018

CVE-2018-16072

MEDIUM
CVSS:6.5(Medium)

A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

CWE-3462018

CVE-2018-18494

MEDIUM
CVSS:6.5(Medium)

A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is...

CWE-3462018

CVE-2018-18499

MEDIUM
CVSS:6.5(Medium)

A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). Th...

CWE-3462018

CVE-2019-13664

MEDIUM
CVSS:6.5(Medium)

Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.

CWE-3462019

CVE-2019-13740

MEDIUM
CVSS:6.5(Medium)

Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

CWE-3462019