Vulnerability title
N/A
Vulnerability description
"The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered an authentication flow, combined with a Content Security Policy that blocked the redirect chain partway through, the final image URL could be one containing an authentication token used to take over the user's account. If a website tricked the user into copying the image link and pasting it back into the page, the page would be able to steal the authentication token. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94."
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Mozilla Firefox input validation error vulnerability
Vulnerability description
Mozilla Firefox is an open-source web browser from the Mozilla Foundation of the United States. Mozilla Firefox contains an input validation error vulnerability: by embedding an image that triggers an authentication flow, the image URL can contain an authentication token used to take over a user's account. An attacker who uses a website to trick a user into copying and pasting the image link into the page can have that page steal the authentication token.
CVSS information
N/A
Vulnerability category
Input validation error