CVE-2024-8383

Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

History

30 Oct 2024, 17:35

Type Values Removed Values Added
CWE CWE-1188

06 Sep 2024, 19:15

Type Values Removed Values Added
Summary (en) Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15. (en) Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.
References
  • {'url': 'https://www.mozilla.org/security/advisories/mfsa2024-43/', 'source': 'security@mozilla.org'}
  • {'url': 'https://www.mozilla.org/security/advisories/mfsa2024-44/', 'source': 'security@mozilla.org'}

06 Sep 2024, 17:15

Type Values Removed Values Added
References
  • () https://www.mozilla.org/security/advisories/mfsa2024-43/ -
  • () https://www.mozilla.org/security/advisories/mfsa2024-44/ -
Summary (en) Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. (en) Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15.

04 Sep 2024, 15:09

Type Values Removed Values Added
Summary
  • (es) Firefox normalmente pide confirmación antes de pedirle al sistema operativo que encuentre una aplicación para manejar un esquema que el navegador no soporta. No preguntó antes de hacerlo para los esquemas relacionados con Usenet news: y snews:. Dado que la mayoría de los sistemas operativos no tienen un lector de noticias confiable instalado de forma predeterminada, un programa sin escrúpulos que el usuario haya descargado podría registrarse como manejador. El sitio web que sirvió la descarga de la aplicación podría entonces iniciar esa aplicación a voluntad. Esta vulnerabilidad afecta a Firefox &lt; 130, Firefox ESR &lt; 128.2 y Firefox ESR &lt; 115.15.
CPE cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1908496 - () https://bugzilla.mozilla.org/show_bug.cgi?id=1908496 - Issue Tracking, Permissions Required
References () https://www.mozilla.org/security/advisories/mfsa2024-39/ - () https://www.mozilla.org/security/advisories/mfsa2024-39/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-40/ - () https://www.mozilla.org/security/advisories/mfsa2024-40/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-41/ - () https://www.mozilla.org/security/advisories/mfsa2024-41/ - Vendor Advisory
First Time Mozilla
Mozilla firefox Esr
Mozilla firefox

03 Sep 2024, 22:15

Type Values Removed Values Added
Summary (en) Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. (en) Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.

03 Sep 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-03 13:15

Updated : 2024-10-30 17:35


NVD link : CVE-2024-8383

Mitre link : CVE-2024-8383

CVE.ORG link : CVE-2024-8383


JSON object : View

Products Affected

mozilla

  • firefox
  • firefox_esr
CWE
NVD-CWE-noinfo CWE-1188

Insecure Default Initialization of Resource