CVE-2024-0605

Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1855575	Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2024-03/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*

History

30 Jan 2024, 15:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:mozilla:firefox_focus::::::iphone_os::*
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 - Issue Tracking, Permissions Required
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-03/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-03/ - Vendor Advisory
CWE		CWE-362
First Time		Mozilla firefox Focus Mozilla

22 Jan 2024, 20:28

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-22 19:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-0605

Mitre link : CVE-2024-0605

CVE.ORG link : CVE-2024-0605

JSON object : View

Products Affected

mozilla

firefox_focus

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

7.5 /10