Firefox Memory Corruption Flaw Let Attacker Execute Arbitrary Code

Mozilla Firefox 119 was released with updates for 11 vulnerabilities, including three issues of high severity, seven issues of moderate severity, and one issue of low severity.

Particularly, the browser update also fixes several memory safety flaws that are classified as CVE-2023-5730 and CVE-2023-5731, which could allow an attacker to run arbitrary code.

High-Severity Issues Addressed

The security flaw tracked as CVE-2023-5721, Queued up rendering, might have allowed websites to clickjack.

Due to an insufficient activation delay, certain browser prompts and dialogues might be triggered or rejected accidentally by the user. The issue was reported by Kelsey Gilbert.

The subsequent high-severity vulnerability is identified as CVE-2023-5730. Memory safety issues have been fixed in Thunderbird 115.4.1, Firefox 119, and Firefox ESR 115.4.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code”, Mozilla said.

The issue was reported by Jed Davis, Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team.

Additionally, the issue tracked as CVE-2023-5731, Memory safety bugs fixed in Firefox 119.

Mozilla stated that this memory corruption lets attackers run arbitrary code.

Moderate and Low Severity Issues Fixes

Patches for seven moderate-severity flaws that resulted in the bypass of download protections (CVE-2023-5727), crashes (CVE-2023-5724), unexpected errors (CVE-2023-5723), the opening of arbitrary URLs (CVE-2023-5725), and obscured full-screen notifications (CVE-2023-5729) were also included in Firefox 119.

A low severity flaw tracked as CVE-2023-5729, the Fullscreen notification dialog could have been obscured by WebAuthn prompts, has been fixed.

Along with Firefox 119, Mozilla also announced the release of Thunderbird 115.4.1 and Firefox ESR 115.4, which include updates for eight vulnerabilities, including CVE-2023-5721 and CVE-2023-5730.

Mozilla has no disclosure about any of these vulnerabilities being used in malicious activities.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

U.S. Secures Extradition of Rydox Cybercrime Marketplace Admins from Kosovo in Major International Operation

The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…

30 minutes ago

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

2 days ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

2 days ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

2 days ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

2 days ago