CVE-2024-8383

{"id": "CVE-2024-8383", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-03T13:15:05.687", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1908496", "tags": ["Issue Tracking", "Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-39/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-40/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-41/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15."}, {"lang": "es", "value": "Firefox normalmente pide confirmaci\u00f3n antes de pedirle al sistema operativo que encuentre una aplicaci\u00f3n para manejar un esquema que el navegador no soporta. No pregunt\u00f3 antes de hacerlo para los esquemas relacionados con Usenet news: y snews:. Dado que la mayor\u00eda de los sistemas operativos no tienen un lector de noticias confiable instalado de forma predeterminada, un programa sin escr\u00fapulos que el usuario haya descargado podr\u00eda registrarse como manejador. El sitio web que sirvi\u00f3 la descarga de la aplicaci\u00f3n podr\u00eda entonces iniciar esa aplicaci\u00f3n a voluntad. Esta vulnerabilidad afecta a Firefox &lt; 130, Firefox ESR &lt; 128.2 y Firefox ESR &lt; 115.15."}], "lastModified": "2024-09-06T19:15:12.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87E41A09-924E-494F-BDF3-8C17EF330178", "versionEndExcluding": "130.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1208DB6D-68A1-41C1-9C57-7C1C16F32229", "versionEndExcluding": "115.15"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D8B478B-4E42-4B63-B62E-D788C298047D", "versionEndExcluding": "128.2", "versionStartIncluding": "128.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}