CVE-2025-1936

{"id": "CVE-2025-1936", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2025-03-04T14:15:38.500", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940027", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-16/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-158"}]}], "descriptions": [{"lang": "en", "value": "jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8."}, {"lang": "es", "value": "jar: las URL recuperan el contenido de un archivo local empaquetado en un archivo ZIP. El valor null y todo lo que le sigue se ignoran al recuperar el contenido del archivo, pero la extensi\u00f3n falsa que sigue al valor null se utiliza para determinar el tipo de contenido. Esto podr\u00eda haberse utilizado para ocultar c\u00f3digo en una extensi\u00f3n web camuflada en otra cosa, como una imagen. Esta vulnerabilidad afecta a Firefox &lt; 136, Firefox ESR &lt; 128.8, Thunderbird &lt; 136 y Thunderbird &lt; 128.8."}], "lastModified": "2025-06-24T17:08:27.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "51A0498A-4BF8-4166-A347-78023C0A6B33", "versionEndExcluding": "128.8.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "0FD416E8-4DD8-434A-AD75-86F38562E720", "versionEndExcluding": "136.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71", "versionEndExcluding": "128.8.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C81C9D-FC2E-4D7D-A97F-8DB97ED92192", "versionEndExcluding": "136.0", "versionStartIncluding": "129.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}