CVE-2024-9394

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1918874	Permissions Required
https://www.mozilla.org/security/advisories/mfsa2024-46/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-47/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-48/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-49/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-50/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta2::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta3::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta4::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta5::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta6::::::

History

30 Oct 2024, 18:35

Type	Values Removed	Values Added
CWE		CWE-79

11 Oct 2024, 16:08

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mozilla:thunderbird:129.0:beta4:::::: cpe:2.3:a:mozilla:firefox_esr:::::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta3:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta2:::::: cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta5:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta6:::::: cpe:2.3:a:mozilla:thunderbird::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		NVD-CWE-Other
First Time		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 - Permissions Required
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-46/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-46/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-47/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-47/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-48/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-48/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-49/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-49/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-50/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-50/ - Vendor Advisory

04 Oct 2024, 13:51

Type	Values Removed	Values Added
Summary		(es) Un atacante podría, mediante una respuesta de varias partes especialmente manipulada, ejecutar código JavaScript arbitrario bajo el origen `resource://devtools`. Esto podría permitirle acceder a contenido JSON de origen cruzado. Este acceso está limitado a documentos del "mismo sitio" por la función de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3 y Thunderbird < 131.

01 Oct 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-01 16:15

Updated : 2024-10-30 18:35

NVD link : CVE-2024-9394

Mitre link : CVE-2024-9394

CVE.ORG link : CVE-2024-9394

JSON object : View

Products Affected

mozilla

firefox
thunderbird
firefox_esr

CWE

NVD-CWE-Other CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.5 /10