CVE-2024-7524

{"id": "CVE-2024-7524", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-08-06T13:15:57.357", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909241", "tags": ["Issue Tracking", "Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-33/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-34/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-35/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in \"strict-dynamic\" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1."}, {"lang": "es", "value": "Firefox agrega ajustes de compatibilidad web en lugar de algunos scripts de seguimiento bloqueados por la Protecci\u00f3n de seguimiento mejorada. En un sitio protegido por la Pol\u00edtica de seguridad de contenido en modo \"din\u00e1mico estricto\", un atacante capaz de inyectar un elemento HTML podr\u00eda haber utilizado un ataque DOM Clobbering en algunas de las correcciones y lograr XSS, evitando la protecci\u00f3n din\u00e1mica estricta del CSP. Esta vulnerabilidad afecta a Firefox &lt; 129, Firefox ESR &lt; 115.14 y Firefox ESR &lt; 128.1."}], "lastModified": "2024-08-29T17:35:34.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12C9ABF7-3B44-4C24-B152-488DCF9E2D39", "versionEndExcluding": "129.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77E36842-1F83-4A47-94D2-5D0A9825D3C8", "versionEndExcluding": "115.14"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38D2AF1C-E314-45EE-A2A9-7B44DA2A4ACF", "versionEndExcluding": "128.1", "versionStartIncluding": "116.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}