CVE-2024-9393

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*

History

30 Oct 2024, 17:35

Type Values Removed Values Added
CWE CWE-346

11 Oct 2024, 16:07

Type Values Removed Values Added
First Time Mozilla firefox Esr
Mozilla thunderbird
Mozilla
Mozilla firefox
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE NVD-CWE-Other
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 - () https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 - Permissions Required
References () https://www.mozilla.org/security/advisories/mfsa2024-46/ - () https://www.mozilla.org/security/advisories/mfsa2024-46/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-47/ - () https://www.mozilla.org/security/advisories/mfsa2024-47/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-48/ - () https://www.mozilla.org/security/advisories/mfsa2024-48/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-49/ - () https://www.mozilla.org/security/advisories/mfsa2024-49/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-50/ - () https://www.mozilla.org/security/advisories/mfsa2024-50/ - Vendor Advisory
CPE cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

04 Oct 2024, 13:51

Type Values Removed Values Added
Summary
  • (es) Un atacante podría, mediante una respuesta de varias partes especialmente manipulada, ejecutar código JavaScript arbitrario bajo el origen `resource://pdf.js`. Esto podría permitirle acceder a contenido PDF de origen cruzado. Este acceso está limitado a documentos del "mismo sitio" por la función de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox &lt; 131, Firefox ESR &lt; 128.3, Firefox ESR &lt; 115.16, Thunderbird &lt; 128.3 y Thunderbird &lt; 131.

01 Oct 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-01 16:15

Updated : 2024-10-30 17:35


NVD link : CVE-2024-9393

Mitre link : CVE-2024-9393

CVE.ORG link : CVE-2024-9393


JSON object : View

Products Affected

mozilla

  • firefox
  • thunderbird
  • firefox_esr
CWE
NVD-CWE-Other CWE-346

Origin Validation Error