{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10290", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-09-11T17:59:15.574Z", "datePublished": "2025-09-16T12:26:39.308Z", "dateUpdated": "2026-04-13T14:29:50.967Z"}, "containers": {"cna": {"affected": [{"product": "Focus for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "143.0", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0."}]}], "title": "Opening links via the contextual menu in Focus for iOS would not update the toolbar UI correctly, allowing attackers to spoof websites", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975566"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-76/"}], "credits": [{"lang": "en", "value": "Renwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:50.967Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-16T17:30:14.447776Z", "id": "CVE-2025-10290", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-16T18:26:56.722Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10290", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-16T17:30:14.447776Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-16T17:30:18.323Z"}}], "cna": {"title": "Opening links via the contextual menu in Focus for iOS would not update the toolbar UI correctly, allowing attackers to spoof websites", "credits": [{"lang": "en", "value": "Renwa"}], "affected": [{"vendor": "Mozilla", "product": "Focus for iOS", "versions": [{"status": "unaffected", "version": "143.0", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975566"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-76/"}], "descriptions": [{"lang": "en", "value": "Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0.", "supportingMedia": [{"type": "text/html", "value": "Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:50.967Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10290", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:50.967Z", "dateReserved": "2025-09-11T17:59:15.574Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-09-16T12:26:39.308Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "F0689DCB-CA40-4BEA-945D-D74C7351ED2D", "versionEndExcluding": "143.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press. This vulnerability was fixed in Focus for iOS 143.0."}], "id": "CVE-2025-10290", "lastModified": "2026-04-13T15:16:35.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-16T13:15:41.520", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975566"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-76/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T17:54:32.100746+00:00", "value": {"mitigation_remediation": ["Apply the latest Focus for iOS update (143.0 or newer).", "If an update cannot be applied immediately, avoid using the long\u2011press contextual menu to open links from untrusted sources.", "Stay informed of future security advisories from Mozilla regarding Focus for iOS."], "summary": {"action": "Apply patch", "impact": "Spoofed website display"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mozilla Focus for iOS versions prior to 143.0. The fix was applied in Focus for iOS 143.0 and later releases, therefore only installations using older builds are susceptible.", "description_and_impact": "Opening links via the contextual menu in Focus for iOS fails to refresh the toolbar when certain URL schemes are used, letting the application display an incorrect or misleading title. This UI flaw enables attackers to spoof the appearance of a website if a user is coerced into opening a tapped link, potentially tricking them into providing information or believing they are on a trusted site. The root weakness aligns with CWE-451, Information Exposure by Design.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity, and the EPSS score of less than 1% suggests a low exploitation probability. The exploit requires user interaction \u2013 specifically a long\u2011press to open a link \u2013 so it is largely dependent on social engineering. The vulnerability is not listed in CISA\u2019s KEV catalog, further indicating a lower threat level."}}}}, "created": "2025-09-17T10:04:08.656849+00:00", "updated": "2026-04-20T18:00:11.161796+00:00", "vendors": ["apple", "apple$PRODUCT$ios", "mozilla", "mozilla$PRODUCT$focus_for_ios"]}