CVE-2023-37203

7.8 HIGH

📋 TL;DR

This vulnerability in Firefox's Drag and Drop API allows attackers to trick users into creating shortcuts to local system files through social engineering. When exploited, this could lead to arbitrary code execution on the victim's system. It affects all Firefox users running versions below 115.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions below 115
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Firefox configurations are vulnerable. Requires user interaction with malicious content.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary code execution leading to data theft, ransomware deployment, or complete system control.

🟠 Likely Case

Limited file system access or malware installation through user deception, potentially leading to credential theft or data exfiltration.

🟢 If Mitigated

No impact if users don't interact with malicious content and Firefox is updated to version 115 or later.

🌐 Internet-Facing: HIGH - Attackers can host malicious websites accessible to any Firefox user with vulnerable versions.
🏢 Internal Only: MEDIUM - Risk exists if users visit malicious internal sites or open malicious emails, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires social engineering to trick users into drag-and-drop actions. No authentication needed to initiate attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 115 and later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-22/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox will automatically check for updates and install version 115 or later.
4. Restart Firefox when prompted.

🔧 Temporary Workarounds

Disable Drag and Drop (platforms: all)

Disable drag and drop functionality through Firefox configuration:

about:config → Set dom.event.clipboardevents.enabled to false

Use Content Security Policy (platforms: all)

Implement strict CSP headers to prevent malicious content execution.

🧯 If You Can't Patch

  • Implement network filtering to block known malicious sites
  • Educate users about social engineering risks and suspicious drag-and-drop prompts

🔍 How to Verify

Check if Vulnerable:

Check Firefox version: Open Firefox → Help → About Firefox. If version is below 115, system is vulnerable.

Check Version:

firefox --version (Linux/macOS) or check About Firefox in GUI

Verify Fix Applied:

Confirm Firefox version is 115 or higher in About Firefox dialog.
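The version check above, scripted for fleet use, as an added example (not part of this advisory): it parses the string that `firefox --version` prints, treats any major version below 115 as vulnerable, and reports unparsable output separately. The output format "Mozilla Firefox <major>.<minor>[.<patch>][esr]" is an assumption.

```shell
#!/bin/sh
# Added example: decide whether an installed Firefox is below the fixed
# version (115) for CVE-2023-37203 from its `firefox --version` output.
# Assumed format: "Mozilla Firefox <major>.<minor>[.<patch>][esr]".
FIXED_MAJOR=115

# firefox_major "Mozilla Firefox 114.0.2" -> prints "114"
# Takes the last whitespace-separated field and strips everything from the first dot.
firefox_major() {
    printf '%s\n' "$1" | awk '{v=$NF; sub(/\..*/, "", v); print v}'
}

# is_vulnerable VERSION_STRING
#   returns 0 when major < 115, 1 when 115 or later, 2 when the string is unparsable
is_vulnerable() {
    major=$(firefox_major "$1")
    case "$major" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric major: cannot judge
    esac
    [ "$major" -lt "$FIXED_MAJOR" ]
}

# check_installed: runs the real binary when present and prints a verdict line;
# exit status mirrors is_vulnerable (2 also when firefox is not in PATH).
check_installed() {
    command -v firefox >/dev/null 2>&1 || { echo "UNKNOWN: firefox not found in PATH"; return 2; }
    out=$(firefox --version 2>/dev/null)
    is_vulnerable "$out" && rc=0 || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: '$out' is below $FIXED_MAJOR, update required" ;;
        1) echo "OK: '$out' is $FIXED_MAJOR or later" ;;
        *) echo "UNKNOWN: could not parse '$out'" ;;
    esac
    return "$rc"
}
```

Call `check_installed` from a cron job or configuration-management run and alert on exit status 0 to find hosts still needing the update.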

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation events in system logs
  • Firefox crash reports related to drag-and-drop operations

Network Indicators:

  • Connections to suspicious domains followed by local file system access

SIEM Query:

source="firefox.log" AND ("drag" OR "drop") AND ("file://" OR "local")

🔗 References
