Multiple vulnerabilities in Mozilla Firefox and Firefox ESR



Published: 2024-10-01 | Updated: 2024-10-02
Risk High
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2024-9403
CVE-2024-9395
CVE-2024-9391
CVE-2024-9402
CVE-2024-9400
CVE-2024-9399
CVE-2024-9398
CVE-2024-9397
CVE-2024-9396
CVE-2024-8900
CVE-2024-9401
CVE-2024-9394
CVE-2024-9393
CVE-2024-9392
CWE-ID CWE-119
CWE-451
CWE-1021
CWE-400
CWE-20
CWE-200
CWE-357
CWE-264
CWE-254
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Mozilla Firefox
Client/Desktop applications / Web browsers

Firefox ESR
Client/Desktop applications / Web browsers

Firefox for Android
Mobile applications / Apps for mobile phones

Firefox Focus for Android
Mobile applications / Apps for mobile phones

Vendor Mozilla

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU97929

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9403

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 130.0 - 130.0.1

Firefox for Android: 130.0 - 130.0.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1917807


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

EUVDB-ID: #VU97928

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9395

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of filenames. A specially crafted filename containing a large number of spaces could obscure the file's extension when displayed in the download dialog.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 130.0 - 130.0.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1906024


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to perform certain actions on the device.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Restriction of Rendered UI Layers or Frames

EUVDB-ID: #VU97927

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9391

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when exiting fullscreen mode. A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox Focus for Android: before 131.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1892407


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU97926

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9402

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1913445%2C1914106%2C1914475%2C1914963%2C1915008%2C1916476


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Resource exhaustion

EUVDB-ID: #VU97925

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9400

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources during JIT compilation. A remote attacker can crash the browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1915249


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU97924

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9399

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling WebTransport. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1907726


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

EUVDB-ID: #VU97923

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9398

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a possibility to enumerate protocol handlers via the window.open() call. A remote attacker can enumerate installed applications on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1881037


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU97922

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9397

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform clickjacking attacks.

The vulnerability exists due to a missing delay in directory upload UI. A remote attacker can trick a user into granting permission via clickjacking.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1916659


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU97921

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9396

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when cloning certain objects. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://bugzilla.mozilla.org/show_bug.cgi?id=1912471
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU97920

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8900

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox ESR: 128.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://bugzilla.mozilla.org/show_bug.cgi?id=1872841


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Buffer overflow

EUVDB-ID: #VU97919

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9401

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 130.0.1

Firefox for Android: 100.1.0 - 130.0.1

Firefox ESR: 102.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
http://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1916476


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU97918

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9394

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can send a specially crafted multipart response and execute arbitrary JavaScript under the resource://devtools origin. This could allow them to access cross-origin JSON content.

Note, this access is limited to "same site" documents by the Site Isolation feature on desktop clients, however full cross-origin access is possible on Android.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 130.0.1

Firefox for Android: 100.1.0 - 130.0.1

Firefox ESR: 102.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1918874
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU97917

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9393

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can use a specially crafted multipart response to execute arbitrary JavaScript under the resource://pdf.js origin and access cross-origin PDF content.

Note, this access is limited to "same site" documents by the Site Isolation feature on desktop clients, however the full cross-origin access is possible on Android installations.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 130.0.1

Firefox for Android: 100.1.0 - 130.0.1

Firefox ESR: 102.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
http://bugzilla.mozilla.org/show_bug.cgi?id=1918301


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Security features bypass

EUVDB-ID: #VU97916

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9392

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an unspecified error. A compromised content process perform arbitrary loading of cross-origin pages.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 130.0.1

Firefox for Android: 100.1.0 - 130.0.1

Firefox ESR: 102.0 - 128.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1905843
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-48/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###