CVE-2024-9393

{"id": "CVE-2024-9393", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-10-01T16:15:10.623", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1918301", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-46/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-47/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-48/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-49/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-50/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to \"same site\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131."}, {"lang": "es", "value": "Un atacante podr\u00eda, mediante una respuesta de varias partes especialmente manipulada, ejecutar c\u00f3digo JavaScript arbitrario bajo el origen `resource://pdf.js`. Esto podr\u00eda permitirle acceder a contenido PDF de origen cruzado. Este acceso est\u00e1 limitado a documentos del \"mismo sitio\" por la funci\u00f3n de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox &lt; 131, Firefox ESR &lt; 128.3, Firefox ESR &lt; 115.16, Thunderbird &lt; 128.3 y Thunderbird &lt; 131."}], "lastModified": "2024-10-30T17:35:18.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA47FFCA-3451-462C-8FFB-47143C65E65A", "versionEndExcluding": "131.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE98FB6E-21A3-4917-8806-09D3AF4FB876", "versionEndExcluding": "115.16.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAB84369-2EC9-42EC-A9BF-95A3EB9925C1", "versionEndExcluding": "128.3.0", "versionStartIncluding": "116.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B27464A-8C97-4D45-B7BE-CD1E3EA1DFD6", "versionEndExcluding": "128.3"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CF643F7-C722-44F1-827C-3974B45A3D0D"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "963ACFD6-B12A-4A66-A539-FD156C6F5220"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9E39014-2E8F-4E19-9575-978AB56E451A"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28752A54-6016-4F6E-983B-CB54FEA19E5F"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA46E15E-0C2B-4F6E-8BA3-B7CB32C58D43"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90AD96F8-A88B-4B70-A4D2-CD7637DF239A"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}