CVE-2023-6206 : The black fade animation when exiting fullscreen is roughly the length of the an

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Published 2023-11-21 15:15:08

Updated 2023-11-30 16:15:11

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2023-6206

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 12.0
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox
Versions before (<) 120.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 115.5
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions before (<) 115.5.0
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-6206

EPSS FAQ

0.53%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-6206

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-6206

CWE-1021 Improper Restriction of Rendered UI Layers or Frames

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-6206

https://www.mozilla.org/security/advisories/mfsa2023-49/

Security Vulnerabilities fixed in Firefox 120 — Mozilla
Release Notes;Vendor Advisory

CVEs referencing this url
https://www.mozilla.org/security/advisories/mfsa2023-50/

Security Vulnerabilities fixed in Firefox ESR 115.5 — Mozilla
Release Notes;Vendor Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1857430

Access Denied
Issue Tracking;Permissions Required
https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html

[SECURITY] [DLA 3674-1] thunderbird security update

CVEs referencing this url
https://www.mozilla.org/security/advisories/mfsa2023-52/

Security Vulnerabilities fixed in Thunderbird 115.5.0 — Mozilla
Release Notes;Vendor Advisory

CVEs referencing this url
https://www.debian.org/security/2023/dsa-5561

Debian -- Security Information -- DSA-5561-1 firefox-esr
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html

[SECURITY] [DLA 3661-1] firefox-esr security update
Mailing List

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-6206

Products affected by CVE-2023-6206

Exploit prediction scoring system (EPSS) score for CVE-2023-6206

CVSS scores for CVE-2023-6206

CWE ids for CVE-2023-6206

References for CVE-2023-6206