{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1019", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-02-04T07:26:45.552Z", "datePublished": "2025-02-04T13:58:54.064Z", "dateUpdated": "2026-04-13T14:25:16.746Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "135", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "135", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135."}]}], "title": "Fullscreen notification not properly displayed", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940162"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-07/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-11/"}], "credits": [{"lang": "en", "value": "Irvan Kurniawan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:25:16.746Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1021", "lang": "en", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-05T19:03:25.933157Z", "id": "CVE-2025-1019", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T19:05:20.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-1019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-05T19:03:25.933157Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T19:05:14.231Z"}}], "cna": {"title": "Fullscreen notification not properly displayed", "credits": [{"lang": "en", "value": "Irvan Kurniawan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "135", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "135", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940162"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-07/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-11/"}], "descriptions": [{"lang": "en", "value": "The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.", "supportingMedia": [{"type": "text/html", "value": "The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:25:16.746Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1019", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:25:16.746Z", "dateReserved": "2025-02-04T07:26:45.552Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-02-04T13:58:54.064Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "C08017D5-BBC7-4E01-92D2-CE2E2ED9453A", "versionEndExcluding": "135.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "B5DC3260-2056-4C30-BCBA-AD45537FF0F5", "versionEndExcluding": "135.0", "versionStartIncluding": "131.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135."}, {"lang": "es", "value": "El orden z de las ventanas del navegador podr\u00eda manipularse para ocultar la notificaci\u00f3n de pantalla completa. Esto podr\u00eda aprovecharse para realizar un ataque de suplantaci\u00f3n de identidad. Esta vulnerabilidad afecta a Firefox < 135 y Thunderbird < 135."}], "id": "CVE-2025-1019", "lastModified": "2026-04-13T15:16:51.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-02-04T14:15:32.850", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940162"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-07/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-11/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1021"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: thunderbird: Fullscreen notification not properly displayed", "id": "2343761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343761"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-451", "details": ["The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135."], "name": "CVE-2025-1019", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-04T13:58:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1019\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1019\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1940162\nhttps://www.mozilla.org/security/advisories/mfsa2025-07/\nhttps://www.mozilla.org/security/advisories/mfsa2025-11/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:29:28.133973+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox or Thunderbird to version 135 or newer", "If an upgrade is not immediately possible, disable or restrict fullscreen notifications in the application settings", "Ensure that the operating system\u2019s window\u2011manager security settings are configured to prevent unauthorized z\u2011order changes", "Monitor for abnormal application behavior that could indicate notification suppression or spoofing attempts"], "summary": {"action": "Upgrade Vendor", "impact": "Spoofing via z\u2011order manipulation of fullscreen notifications"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird applications are affected. Versions released prior to Firefox\u202f135 and Thunderbird\u202f135 contain the flaw; subsequent releases contain a fix and therefore are not vulnerable.", "description_and_impact": "The vulnerability allows an attacker to manipulate the z\u2011order of browser or email client windows, enabling a fullscreen notification to be hidden from view. If the notification is suppressed, a user may unknowingly interact with a malicious page or email source while believing a legitimate fullscreen alert is present, potentially leading to spoofing or phishing attacks. The weakness is rooted in rendering order control (CWE\u20111021) and misuse of system resource management (CWE\u2011451).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low severity, while the EPSS score indicates a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widespread exploitation has been observed. Exploitation would likely require local access or the presence of malicious code running in the user\u2019s environment; remote exploitation is not supported by the available data. The attack is best\u2011effort and depends on window\u2011management manipulation rather than remote code execution or privilege escalation."}}}}, "created": "2026-04-20T18:30:13.984103+00:00", "updated": "2026-04-20T18:30:13.984118+00:00", "vendors": []}