
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVE-2023-37207

Severity Medium
Score 6.5/10

Summary

A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox in versions prior to 115, Firefox ESR in versions prior to 102.13, and Thunderbird in versions prior to 102.13.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • REQUIRED
  • NONE
  • NONE
  • NONE

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Advisory Timeline

  • Published