CVE-2023-52081

Published: Dic 28, 2023 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2023-3316 Aliases: GHSA-wpmx-564x-h2mh
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. The `lookupPreprocess()` can be easily bypassed with equivalent Unicode characters like U+FE4D (﹍), which would result in the omitted U+005F (_), for instance. The `lookupPreprocess()` function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low. This vulnerability is fixed in 0.2.0. There are no known workarounds.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0013
Percentile
0,3th
Updated

EPSS Score Trend (Last 90 Days)

74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control Other Integrity Non-Repudiation
Potential Impacts:
Read Application Data Bypass Protection Mechanism Alter Execution Logic Other Hide Activities
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
176

Improper Handling of Unicode Encoding

Draft
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Unexpected State
Applicable Platforms
All platforms may be affected
View CWE Details
Application

Firefox Css by Ewen-Lbh

Product Information
Vendor Ewen-Lbh
Product Firefox Css
Version Range Affected
To 0.2.0 (exclusive)
cpe:2.3:a:ewen-lbh:firefox_css:*:*:*:*:*:go:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fc…
Patch
https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90…
https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-…
Exploit Vendor Advisory
https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh
https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fc…
Patch
https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90…
https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-…
Exploit Vendor Advisory
https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh