Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
References
| Link | Resource |
|---|---|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 | Issue Tracking Permissions Required |
| https://www.mozilla.org/security/advisories/mfsa2024-03/ | Vendor Advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 | Issue Tracking Permissions Required |
| https://www.mozilla.org/security/advisories/mfsa2024-03/ | Vendor Advisory |
Configurations
History
21 Nov 2024, 08:46
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 - Issue Tracking, Permissions Required | |
| References | () https://www.mozilla.org/security/advisories/mfsa2024-03/ - Vendor Advisory |
30 Jan 2024, 15:19
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-362 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CPE | cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:* | |
| References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 - Issue Tracking, Permissions Required | |
| References | () https://www.mozilla.org/security/advisories/mfsa2024-03/ - Vendor Advisory |
22 Jan 2024, 20:28
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-01-22 19:15
Updated : 2024-11-21 08:46
NVD link : CVE-2024-0605
Mitre link : CVE-2024-0605
CVE.ORG link : CVE-2024-0605
JSON object : View
Products Affected
mozilla
- firefox_focus
CWE
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')