VDB
DEBIAN-CVE-2025-0237
DEBIAN-CVE-2025-0237
PUBLISHED
CVSS 5.400000095367432 MEDIUM
The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Risk Scores
CVSS 3.1
5.400000095367432
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | firefox-esr | *, *, * |
| Debian:12 | thunderbird | 115.8.0-1, 115.8.0-1, 115.8.0-1 |
| Debian:13 | firefox-esr | 0, 0 |
| Debian:14 | thunderbird | 0, 0 |
| Debian:13 | thunderbird | 0, 0 |
| Debian:11 | thunderbird | 1:91.6.1-1~deb10u1, 1:91.6.1-1~deb11u1, 1:91.6.1-1~deb9u1 |
| Debian:14 | firefox-esr | 0, 0 |
| Debian:11 | firefox-esr | 102.14.0, 102.14.0, 102.14.0 |
Exploit Intelligence
- seen_cves.json (github-poc)
Timeline
- Jan 7, 2025 CVE Published
- Apr 28, 2026 CVE Updated