CVE-2024-1550

A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1860065	Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-05/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-06/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-07/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1860065	Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html	Mailing List
https://www.mozilla.org/security/advisories/mfsa2024-05/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-06/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-07/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

10 Dec 2024, 15:30

Type	Values Removed	Values Added
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1860065 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1860065 - Issue Tracking
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html - Mailing List
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html - Mailing List
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-05/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-05/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-06/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-06/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-07/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-07/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CWE		CWE-1021
First Time		Mozilla thunderbird Debian debian Linux Mozilla firefox Mozilla Debian
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::::: cpe:2.3:a:mozilla:firefox:::::-:::*

21 Nov 2024, 08:50

Type	Values Removed	Values Added
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1860065 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1860065 -
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html -
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-05/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-05/ -
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-06/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-06/ -
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-07/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-07/ -

04 Mar 2024, 09:15

Type	Values Removed	Values Added
Summary		(es) Un sitio web malicioso podría haber utilizado una combinación de salir del modo de pantalla completa y `requestPointerLock` para provocar que el mouse del usuario se reposicionara inesperadamente, lo que podría haber llevado a confusión al usuario y haber otorgado permisos sin darse cuenta que no tenía intención de otorgar. Esta vulnerabilidad afecta a Firefox < 123, Firefox ESR < 115.8 y Thunderbird < 115.8.
References		() https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html - () https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html -

20 Feb 2024, 20:15

Type	Values Removed	Values Added
References		() https://www.mozilla.org/security/advisories/mfsa2024-07/ -
Summary	(en) A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123 and Firefox ESR < 115.8.	(en) A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

20 Feb 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 14:15

Updated : 2024-12-10 15:30

NVD link : CVE-2024-1550

Mitre link : CVE-2024-1550

CVE.ORG link : CVE-2024-1550

JSON object : View

Products Affected

debian

debian_linux

mozilla

firefox
thunderbird

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

6.1 /10