CVE-2025-11720
BaseFortify
Publication date: 2025-10-14
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | * | |
| mozilla | firefox | From 60.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-451 | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Firefox and Firefox Focus on Android involves the custom tab feature displaying only the 'site' part of the URL rather than the full hostname. As a result, user-supplied content hosted on one subdomain could be mistaken for content from a different subdomain of the same site, misleading users about the true origin of what they are viewing.
How can this vulnerability impact me?
The vulnerability can be used to deceive users by making malicious or untrusted content appear as if it comes from a trusted subdomain. This could lead to phishing attacks or other forms of social engineering where users are misled about the authenticity of the content they are viewing.
What immediate steps should I take to mitigate this vulnerability?
Update Firefox and Firefox Focus on Android to version 144 or later, as versions prior to 144 are affected by this vulnerability.