{"api_version":"1","generated_at":"2026-04-23T01:19:37+00:00","cve":"CVE-2025-55033","urls":{"html":"https://cve.report/CVE-2025-55033","api":"https://cve.report/api/cve/CVE-2025-55033.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-55033","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-55033"},"summary":{"title":"Drag and drop gestures in Focus for iOS could allow JavaScript links to be executed incorrectly","description":"Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability was fixed in Focus for iOS 142.","state":"PUBLISHED","assigner":"mozilla","published_at":"2025-08-19 21:15:28","updated_at":"2026-04-13 15:17:03"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1913825","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1913825","refsource":"security@mozilla.org","tags":["Issue Tracking","Permissions Required"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-69/","name":"https://www.mozilla.org/security/advisories/mfsa2025-69/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-55033","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55033","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mozilla","product":"Focus for iOS","version":"unaffected 142 * rpm","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Muneaki Nishimura","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"55033","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_focus","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"55033","cve":"CVE-2025-55033","epss":"0.000250000","percentile":"0.070130000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:56"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-55033","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-08-20T14:00:44.408015Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-08-20T15:16:49.367Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Focus for iOS","vendor":"Mozilla","versions":[{"lessThanOrEqual":"*","status":"unaffected","version":"142","versionType":"rpm"}]}],"credits":[{"lang":"en","value":"Muneaki Nishimura"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability was fixed in Focus for iOS 142."}],"value":"Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability was fixed in Focus for iOS 142."}],"providerMetadata":{"dateUpdated":"2026-04-13T14:28:59.196Z","orgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","shortName":"mozilla"},"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1913825"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-69/"}],"title":"Drag and drop gestures in Focus for iOS could allow JavaScript links to be executed incorrectly"}},"cveMetadata":{"assignerOrgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","assignerShortName":"mozilla","cveId":"CVE-2025-55033","datePublished":"2025-08-19T20:52:51.056Z","dateReserved":"2025-08-05T13:26:34.686Z","dateUpdated":"2026-04-13T14:28:59.196Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-08-19 21:15:28","lastModifiedDate":"2026-04-13 15:17:03","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"142.0","matchCriteriaId":"667BB2C7-17E5-4D04-AA9A-1CBE726492AF"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"55033","Ordinal":"1","Title":"Drag and drop gestures in Focus for iOS could allow JavaScript l","CVE":"CVE-2025-55033","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"55033","Ordinal":"1","NoteData":"Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability was fixed in Focus for iOS 142.","Type":"Description","Title":"Drag and drop gestures in Focus for iOS could allow JavaScript l"}]}}}