SB2024030772 - Multiple vulnerabilities in WebKitGTK+ and WPE WebKit
Published: March 7, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2024-23280)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in WebKit. A remote attacker can fingerprint the user.
2) Security features bypass (CVE-ID: CVE-2024-23284)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page and prevent Content Security Policy from being enforced.
3) Information disclosure (CVE-ID: CVE-2024-23254)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in WebKit. A remote attacker can exfiltrate audio data cross-origin.
4) Security features bypass (CVE-ID: CVE-2024-23263)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page and prevent Content Security Policy from being enforced.
5) Buffer overflow (CVE-ID: CVE-2024-23252)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted website and crash the browser.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.