CVE-2024-1549

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1833814	Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html	Mailing List
https://www.mozilla.org/security/advisories/mfsa2024-05/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-06/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-07/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1833814	Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html	Mailing List
https://www.mozilla.org/security/advisories/mfsa2024-05/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-06/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-07/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

27 Mar 2025, 14:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mozilla:thunderbird:::::::: cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:o:debian:debian_linux:10.0:::::::*
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1833814 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1833814 - Issue Tracking
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html - Mailing List
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html - Mailing List
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-05/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-05/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-06/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-06/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-07/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-07/ - Vendor Advisory
CWE		NVD-CWE-noinfo
First Time		Mozilla thunderbird Mozilla firefox Mozilla Debian debian Linux Debian

21 Nov 2024, 08:50

Type	Values Removed	Values Added
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1833814 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1833814 -
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html -
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-05/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-05/ -
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-06/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-06/ -
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-07/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-07/ -

01 Nov 2024, 16:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1

04 Mar 2024, 09:15

Type	Values Removed	Values Added
Summary		(es) Si un sitio web configura un cursor personalizado grande, partes del cursor podrían haberse superpuesto con el cuadro de diálogo de permisos, lo que podría generar confusión en el usuario y permisos concedidos inesperados. Esta vulnerabilidad afecta a Firefox < 123, Firefox ESR < 115.8 y Thunderbird < 115.8.
References		() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html - () https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -

20 Feb 2024, 20:15

Type	Values Removed	Values Added
Summary	(en) If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123 and Firefox ESR < 115.8.	(en) If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.
References		() https://www.mozilla.org/security/advisories/mfsa2024-07/ -

20 Feb 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 14:15

Updated : 2025-03-27 14:37

NVD link : CVE-2024-1549

Mitre link : CVE-2024-1549

CVE.ORG link : CVE-2024-1549

JSON object : View

Products Affected

debian

debian_linux

mozilla

firefox
thunderbird

CWE

NVD-CWE-noinfo

6.1 /10