Home > Vulnerability Database > CVE-2023-52081

Mend.io Vulnerability Database

CVE-2023-52081

Good to know:

Date: December 28, 2023

ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. The `lookupPreprocess()` can be easily bypassed with equivalent Unicode characters like U+FE4D (?), which would result in the omitted U+005F (_), for instance. The `lookupPreprocess()` function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low. This vulnerability is fixed in 0.2.0. There are no known workarounds.

Language: Go

Severity Score

5.3

Related Resources (5)

Url: https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90dc

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-52081

Url: https://github.com/ewen-lbh/ffcss

Url: https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh

Url: https://www.mend.io/vulnerability-database/CVE-2023-52081

Severity Score

5.3

Weakness Type (CWE)

Injection

CWE-74

Improper Handling of Unicode Encoding

CWE-176

Top Fix

Upgrade Version

Upgrade to version v0.2.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-52081

Good to know:

Date: December 28, 2023

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?