CVE-2023-4054
MEDIUMFirefox < 116.0 - Unauthenticated Arbitrary Code Execution via Appref-MS File Handling
Title source: llmDescription
When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1.
References (6)
Core 6
Core References
Issue Tracking, Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1840777
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-29/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-30/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-31/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-32/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-33/
Scores
CVSS v3
5.5
EPSS
0.0003
EPSS Percentile
9.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
Status
published
Products (1)
mozilla/firefox
< 116.0
Published
Aug 01, 2023
Tracked Since
Feb 18, 2026