{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10534", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-09-16T06:48:46.636Z", "datePublished": "2025-09-16T12:26:38.630Z", "dateUpdated": "2026-04-13T14:28:21.557Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "143", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "143", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143."}]}], "title": "Spoofing issue in the Site Permissions component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665334"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-77/"}], "credits": [{"lang": "en", "value": "Emma Z\u00fchlcke"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:21.557Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T13:59:12.723101Z", "id": "CVE-2025-10534", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:50:01.108Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10534", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-17T13:59:12.723101Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T14:00:21.937Z"}}], "cna": {"title": "Spoofing issue in the Site Permissions component", "credits": [{"lang": "en", "value": "Emma Z\u00fchlcke"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "143", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "143", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665334"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-77/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:21.557Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10534", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:28:21.557Z", "dateReserved": "2025-09-16T06:48:46.636Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-09-16T12:26:38.630Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A8F1380-5E9C-49C4-A8CA-6C7F1C90C254", "versionEndExcluding": "143.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B03DED4-F40B-4D9C-A29D-AD540CDF003D", "versionEndExcluding": "143.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143."}], "id": "CVE-2025-10534", "lastModified": "2026-04-13T15:16:37.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-16T13:15:48.007", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665334"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-77/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Spoofing issue in the Site Permissions component", "id": "2395765", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395765"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-10534", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-16T12:26:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10534\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10534\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1665334\nhttps://www.mozilla.org/security/advisories/mfsa2025-73/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T19:33:03.957758+00:00", "value": {"mitigation_remediation": ["Install the latest version of Firefox or Thunderbird (143 or newer).", "Reset site permissions to the default or \u2018Ask\u2019 setting for sites that do not require explicit grants.", "Guard against unwanted JavaScript execution by disabling or limiting pop\u2011ups and scripting on untrusted source pages."], "summary": {"action": "Update", "impact": "Cross\u2011Site Scripting leading to spoofing"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird browsers are impacted. All releases prior to version\u202f143 of each product contain the vulnerability; the flaw was addressed in the 143 update.", "description_and_impact": "This flaw allows an attacker to manipulate the Site Permissions user interface in Firefox and Thunderbird, causing the browser to present falsified permission prompts. The vulnerability is classified as CWE\u201179, indicating potential for cross\u2011site scripting, which can lead to spoofing of trusted permissions. The impact is primarily the deception of users into granting or reviewing permissions under false pretenses, compromising the integrity of the browser's permission model.", "risk_and_exploitability": "The CVSS score of 8.1 classifies the issue as high severity, yet the EPSS score of less than 1\u202f% indicates a low current exploitation probability. The vulnerability has not been listed in the CISA KEV catalog. Likely exploitation would involve delivering a crafted website that manipulates the Site Permissions component, but the attack requires the user to visit such a malicious site or click a link containing the crafted payload. Based on the description, it can be inferred that the attack vector is web\u2011based with user interaction as a prerequisite."}}}}, "created": "2025-09-17T10:04:52.783668+00:00", "updated": "2026-04-20T19:45:15.502911+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$thunderbird"]}