Risk | High |
Patch available | YES |
Number of vulnerabilities | 14 |
CVE-ID | CVE-2024-7518 CVE-2024-7519 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7530 CVE-2024-7525 CVE-2024-7523 CVE-2024-7531 CVE-2024-7529 CVE-2024-7528 CVE-2024-7526 CVE-2024-7527 CVE-2024-7524 |
CWE-ID | CWE-450 CWE-125 CWE-843 CWE-416 CWE-264 CWE-310 CWE-908 CWE-254 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
EUVDB-ID: #VU95420
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7518
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exist due to improper input interpretation in UI when handling select options. A remote attacler can obscure the fullscreen notification dialog by document content and perform spoofing attack.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 126.0 - 128.0.3
Firefox ESR: 128.0
Firefox for Android: 128.0 - 128.0.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95422
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7519
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error when processing
graphics shared memory. A remote attacker can create a specially crafted
website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95423
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7520
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 128.0.3
Firefox ESR: 128.0
Firefox for Android: 120.0 - 128.0.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95424
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7521
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95431
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7522
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in editor component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95499
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7530
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser
The vulnerability exists due to a use-after-free error in JavaScript code coverage collection. A remote attacker can trick the victim into visiting a specially crafted
website, trigger a use-after-free error and crash the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 128.0 - 128.0.3
External linkshttp://bugzilla.mozilla.org/show_bug.cgi?id=1904011
http://www.mozilla.org/security/advisories/mfsa2024-33/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95495
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7525
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due missing permission check when creating a StreamFilter. A web extension with minimal permissions can create a StreamFilter, which can be used to read and modify the response body of requests on any site.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://www.mozilla.org/security/advisories/mfsa2024-33/
http://www.mozilla.org/security/advisories/mfsa2024-34/
http://www.mozilla.org/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95493
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7523
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when handling select options, which can obscure security prompts. A remote attacker can trick a victim into granting permissions.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.1.0 - 128.0.3
External linkshttp://bugzilla.mozilla.org/show_bug.cgi?id=1908344
http://www.mozilla.org/security/advisories/mfsa2024-33/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95501
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7531
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://bugzilla.mozilla.org/show_bug.cgi?id=1905691
http://www.mozilla.org/security/advisories/mfsa2024-33/
http://www.mozilla.org/security/advisories/mfsa2024-34/
http://www.mozilla.org/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95500
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7529
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exist due to improper handling of the date picker, which can obscure security prompts. A remote attacker use a malicious site to trick a victim into granting permissions.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://bugzilla.mozilla.org/show_bug.cgi?id=1903187
http://www.mozilla.org/security/advisories/mfsa2024-33/
http://www.mozilla.org/security/advisories/mfsa2024-34/
http://www.mozilla.org/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95498
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7528
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in IndexedDB. A remote attacker can trick the victim into visiting a specially
crafted website, trigger a use-after-free error and execute arbitrary
code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 126.0 - 128.0.3
Firefox ESR: 128.0
Firefox for Android: 128.0 - 128.0.3
External linkshttp://bugzilla.mozilla.org/show_bug.cgi?id=1895951
http://www.mozilla.org/security/advisories/mfsa2024-33/
http://www.mozilla.org/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95496
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7526
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in WebGL ANGLE. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://www.mozilla.org/security/advisories/mfsa2024-33/
http://www.mozilla.org/security/advisories/mfsa2024-34/
http://www.mozilla.org/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95497
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7527
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in JavaScript garbage collection. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://bugzilla.mozilla.org/show_bug.cgi?id=1871303
http://www.mozilla.org/security/advisories/mfsa2024-33/
http://www.mozilla.org/security/advisories/mfsa2024-34/
http://www.mozilla.org/security/advisories/mfsa2024-35/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95494
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7524
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass CSP policy.
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 128.0.3
Firefox ESR: 102.0 - 128.0
Firefox for Android: 100.1.0 - 128.0.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.