CVE-2024-7524

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

History

29 Aug 2024, 17:35

Type Values Removed Values Added
First Time Mozilla
Mozilla firefox
Mozilla firefox Esr
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1909241 - () https://bugzilla.mozilla.org/show_bug.cgi?id=1909241 - Issue Tracking, Permissions Required
References () https://www.mozilla.org/security/advisories/mfsa2024-33/ - () https://www.mozilla.org/security/advisories/mfsa2024-33/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-34/ - () https://www.mozilla.org/security/advisories/mfsa2024-34/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-35/ - () https://www.mozilla.org/security/advisories/mfsa2024-35/ - Vendor Advisory
CWE CWE-79
CPE cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Summary
  • (es) Firefox agrega ajustes de compatibilidad web en lugar de algunos scripts de seguimiento bloqueados por la Protección de seguimiento mejorada. En un sitio protegido por la Política de seguridad de contenido en modo "dinámico estricto", un atacante capaz de inyectar un elemento HTML podría haber utilizado un ataque DOM Clobbering en algunas de las correcciones y lograr XSS, evitando la protección dinámica estricta del CSP. Esta vulnerabilidad afecta a Firefox &lt; 129, Firefox ESR &lt; 115.14 y Firefox ESR &lt; 128.1.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1

06 Aug 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-06 13:15

Updated : 2024-08-29 17:35


NVD link : CVE-2024-7524

Mitre link : CVE-2024-7524

CVE.ORG link : CVE-2024-7524


JSON object : View

Products Affected

mozilla

  • firefox
  • firefox_esr
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')