The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
Published 2023-06-19 11:15:11
Updated 2024-01-07 11:15:12
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-34414

0.06%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 23 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-34414

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
3.1
LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
1.6
1.4
NIST

CWE ids for CVE-2023-34414

References for CVE-2023-34414

Products affected by CVE-2023-34414

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!