CVE-2024-9394

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*

History

30 Oct 2024, 18:35

Type Values Removed Values Added
CWE CWE-79

11 Oct 2024, 16:08

Type Values Removed Values Added
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 - () https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 - Permissions Required
References () https://www.mozilla.org/security/advisories/mfsa2024-46/ - () https://www.mozilla.org/security/advisories/mfsa2024-46/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-47/ - () https://www.mozilla.org/security/advisories/mfsa2024-47/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-48/ - () https://www.mozilla.org/security/advisories/mfsa2024-48/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-49/ - () https://www.mozilla.org/security/advisories/mfsa2024-49/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2024-50/ - () https://www.mozilla.org/security/advisories/mfsa2024-50/ - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Mozilla firefox Esr
Mozilla thunderbird
Mozilla
Mozilla firefox
CPE cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
CWE NVD-CWE-Other

04 Oct 2024, 13:51

Type Values Removed Values Added
Summary
  • (es) Un atacante podría, mediante una respuesta de varias partes especialmente manipulada, ejecutar código JavaScript arbitrario bajo el origen `resource://devtools`. Esto podría permitirle acceder a contenido JSON de origen cruzado. Este acceso está limitado a documentos del "mismo sitio" por la función de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox &lt; 131, Firefox ESR &lt; 128.3, Firefox ESR &lt; 115.16, Thunderbird &lt; 128.3 y Thunderbird &lt; 131.

01 Oct 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-01 16:15

Updated : 2024-10-30 18:35


NVD link : CVE-2024-9394

Mitre link : CVE-2024-9394

CVE.ORG link : CVE-2024-9394


JSON object : View

Products Affected

mozilla

  • firefox
  • thunderbird
  • firefox_esr
CWE
NVD-CWE-Other CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')