CVE-2023-23602
Advisory lineage Upstream: 0 Downstream: 34
Modified
Published: 02 Jun 2023, 00:00
Last modified:18 Dec 2025, 15:22
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.14% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
02 Jun 2023, 00:00
Published
Vulnerability first disclosed
18 Dec 2025, 15:22
Last Modified
Vulnerability information updated
Description
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Firefox ESR < 102.7, and Thunderbird < 102.7.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Trends
Current EPSS score: 0.14%• Percentile: 34%
Techniques & Countermeasures
- CWE-754•Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Affected Systems
- mozilla•firefox
< 109.0 | ≥ unspecified, < 109
- mozilla•firefox_esr
< 102.7 | ≥ unspecified, < 102.7
- mozilla•thunderbird
< 102.7 | ≥ unspecified, < 102.7