Risk | High |
Patch available | YES |
Number of vulnerabilities | 14 |
CVE-ID | CVE-2024-9403 CVE-2024-9395 CVE-2024-9391 CVE-2024-9402 CVE-2024-9400 CVE-2024-9399 CVE-2024-9398 CVE-2024-9397 CVE-2024-9396 CVE-2024-8900 CVE-2024-9401 CVE-2024-9394 CVE-2024-9393 CVE-2024-9392 |
CWE-ID | CWE-119 CWE-451 CWE-1021 CWE-400 CWE-20 CWE-200 CWE-357 CWE-264 CWE-254 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones Firefox Focus for Android Mobile applications / Apps for mobile phones |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
EUVDB-ID: #VU97929
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9403
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 130.0.1
Firefox for Android: 130.0 - 130.0.1
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1917807
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97928
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9395
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of filenames. A specially crafted filename containing a large number of spaces could obscure the file's extension when displayed in the download dialog.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 130.0 - 130.0.1
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1906024
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97927
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9391
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when exiting fullscreen mode. A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox Focus for Android: before 131.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1892407
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97926
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9402
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 130.0.1
Firefox for Android: 120.0 - 130.0.1
Firefox ESR: 128.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1913445%2C1914106%2C1914475%2C1914963%2C1915008%2C1916476
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97925
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9400
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources during JIT compilation. A remote attacker can crash the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 130.0.1
Firefox for Android: 120.0 - 130.0.1
Firefox ESR: 128.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1915249
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97924
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9399
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling WebTransport. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 130.0.1
Firefox for Android: 120.0 - 130.0.1
Firefox ESR: 128.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1907726
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97923
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9398
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a possibility to enumerate protocol handlers via the window.open() call. A remote attacker can enumerate installed applications on the system.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 130.0.1
Firefox for Android: 120.0 - 130.0.1
Firefox ESR: 128.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1881037
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97922
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9397
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform clickjacking attacks.
The vulnerability exists due to a missing delay in directory upload UI. A remote attacker can trick a user into granting permission via clickjacking.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 130.0.1
Firefox for Android: 120.0 - 130.0.1
Firefox ESR: 128.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1916659
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97921
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9396
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when cloning certain objects. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 130.0.1
Firefox for Android: 120.0 - 130.0.1
Firefox ESR: 128.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://bugzilla.mozilla.org/show_bug.cgi?id=1912471
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97920
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-8900
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox ESR: 128.0 - 128.2.0
CPE2.3 External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://bugzilla.mozilla.org/show_bug.cgi?id=1872841
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97919
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9401
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 130.0.1
Firefox for Android: 100.1.0 - 130.0.1
Firefox ESR: 102.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
http://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1916476
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97918
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9394
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can send a specially crafted multipart response and execute arbitrary JavaScript under the resource://devtools origin. This could allow them to access cross-origin JSON content.
Note, this access is limited to "same site" documents by the Site Isolation feature on desktop clients, however full cross-origin access is possible on Android.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 130.0.1
Firefox for Android: 100.1.0 - 130.0.1
Firefox ESR: 102.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1918874
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97917
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9393
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can use a specially crafted multipart response to execute arbitrary JavaScript under the resource://pdf.js origin and access cross-origin PDF content.
Note, this access is limited to "same site" documents by the Site Isolation feature on desktop clients, however the full cross-origin access is possible on Android installations.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 130.0.1
Firefox for Android: 100.1.0 - 130.0.1
Firefox ESR: 102.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
http://bugzilla.mozilla.org/show_bug.cgi?id=1918301
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97916
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9392
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error. A compromised content process perform arbitrary loading of cross-origin pages.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 130.0.1
Firefox for Android: 100.1.0 - 130.0.1
Firefox ESR: 102.0 - 128.2.0
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1905843
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.