Scaner-VS
CVE-2025-6433
ANC
Critical


CVSS: 9.8 (Critical)
EPSS: 0.00 (p15)
Published: 2025-01-01
Updated: 2025-01-01
Description

If a user visited a webpage with an invalid TLS certificate and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This violates the WebAuthn spec, which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140.

Tags · CWE
Pre-auth
CWE-295
CWE-358
CAPEC-459
CAPEC-475
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
2025-01-01: Published
2025-01-01: Updated
CVSS 3.1 breakdown
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
Exploit indicators
EPSS: 0.002 · p15
Known exploited (KEV): No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
Product  Vendor  Status
Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
firefox  Tracked
mozjs102  Tracked
mozjs102  Tracked
mozjs115  Tracked
mozjs115  Tracked
mozjs115  Tracked
mozjs78  Tracked
mozjs91  Tracked
thunderbird  Tracked
thunderbird  Tracked
thunderbird  Tracked
Showing first 20 of 23
Source databases
ANC
AST
DEB
CVE
UBU