Vulnerability-Lookup

CVE-2024-9392 (GCVE-0-2024-9392)

Vulnerability from cvelistv5 – Published: 2024-10-01 15:13 – Updated: 2025-11-03 22:33

Summary

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Compromised content process can bypass site isolation

Assigner

mozilla

References

7 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1899154
https://bugzilla.mozilla.org/show_bug.cgi?id=1905843
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

5 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 131 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 128.3 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 115.16 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.3 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 131 (custom)

Credits

Jan Drescher and David Klein from IAS, TU Braunschweig

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "firefox",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "131",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "firefox_esr",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "128.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "115.16",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "thunderbird",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "128.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "131",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-9392",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-01T18:20:31.590631Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-346",
                "description": "CWE-346 Origin Validation Error",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-01T18:23:43.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:33:24.026Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "131",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.16",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "131",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jan Drescher and David Klein from IAS, TU Braunschweig"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131."
            }
          ],
          "value": "A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Compromised content process can bypass site isolation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-01T16:55:36.855Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1899154"
        },
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1905843"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-48/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2024-9392",
    "datePublished": "2024-10-01T15:13:18.862Z",
    "dateReserved": "2024-10-01T06:10:04.271Z",
    "dateUpdated": "2025-11-03T22:33:24.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-9392",
      "date": "2026-05-25",
      "epss": "0.00135",
      "percentile": "0.32913"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\"}, {\"lang\": \"es\", \"value\": \"Un proceso de contenido comprometido podr\\u00eda haber permitido la carga arbitraria de p\\u00e1ginas de origen cruzado. Esta vulnerabilidad afecta a Firefox \u0026lt; 131, Firefox ESR \u0026lt; 128.3, Firefox ESR \u0026lt; 115.16, Thunderbird \u0026lt; 128.3 y Thunderbird \u0026lt; 131.\"}]",
      "id": "CVE-2024-9392",
      "lastModified": "2024-10-04T13:51:25.567",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-10-01T16:15:10.570",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1899154\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1905843\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-46/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-47/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-48/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-49/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-50/\", \"source\": \"security@mozilla.org\"}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-346\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-9392\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2024-10-01T16:15:10.570\",\"lastModified\":\"2025-11-03T23:17:33.740\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\"},{\"lang\":\"es\",\"value\":\"Un proceso de contenido comprometido podr\u00eda haber permitido la carga arbitraria de p\u00e1ginas de origen cruzado. Esta vulnerabilidad afecta a Firefox \u0026lt; 131, Firefox ESR \u0026lt; 128.3, Firefox ESR \u0026lt; 115.16, Thunderbird \u0026lt; 128.3 y Thunderbird \u0026lt; 131.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*\",\"versionEndExcluding\":\"115.6.0\",\"matchCriteriaId\":\"277BD1BE-3F67-42D7-8B95-735FF00D95FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"131.0\",\"matchCriteriaId\":\"DA47FFCA-3451-462C-8FFB-47143C65E65A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"128.3.0\",\"matchCriteriaId\":\"162E998D-FC05-4428-A848-3073BC879D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"129.0\",\"versionEndExcluding\":\"131.0\",\"matchCriteriaId\":\"9556B29A-F934-4F99-9C7F-6506CA829DB3\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1899154\",\"source\":\"security@mozilla.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1905843\",\"source\":\"security@mozilla.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-46/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-47/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-48/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-49/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-50/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9392\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-01T18:20:31.590631Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\"], \"vendor\": \"mozilla\", \"product\": \"firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"131\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\"], \"vendor\": \"mozilla\", \"product\": \"firefox_esr\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"128.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"115.16\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\"], \"vendor\": \"mozilla\", \"product\": \"thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"128.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"131\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346 Origin Validation Error\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-01T18:21:21.764Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Jan Drescher and David Klein from IAS, TU Braunschweig\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"131\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"128.3\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"115.16\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"128.3\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"131\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1899154\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1905843\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-46/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-47/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-48/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-49/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-50/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Compromised content process can bypass site isolation\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2024-10-01T16:55:36.855Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-9392\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-01T18:23:43.572Z\", \"dateReserved\": \"2024-10-01T06:10:04.271Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2024-10-01T15:13:18.862Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0829

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 128.3
Mozilla	Thunderbird	Thunderbird versions antérieures à 128.3
Mozilla	Firefox Focus	Firefox Focus versions antérieures à 131 pour Android
Mozilla	Firefox	Firefox versions antérieures à 131 pour Android
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.16
Mozilla	Firefox	Firefox versions antérieures à 131
Mozilla	Thunderbird	Thunderbird versions antérieures à 131

References

Title

Publication Time

CERTFR-2024-AVI-0829

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 128.3
Mozilla	Thunderbird	Thunderbird versions antérieures à 128.3
Mozilla	Firefox Focus	Firefox Focus versions antérieures à 131 pour Android
Mozilla	Firefox	Firefox versions antérieures à 131 pour Android
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.16
Mozilla	Firefox	Firefox versions antérieures à 131
Mozilla	Thunderbird	Thunderbird versions antérieures à 131

References

Title

Publication Time

alsa-2024:7505

Vulnerability from osv_almalinux

Published

2024-10-02 00:00

Modified

2024-10-04 05:27

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: 115.16/128.3 ESR ()
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7505	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/9/ALSA-2024-7505.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox-x11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nSecurity Fix(es):\n\n* firefox: 115.16/128.3 ESR ()\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7505",
  "modified": "2024-10-04T05:27:10Z",
  "published": "2024-10-02T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7505"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-7505.html"
    }
  ],
  "related": [
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: firefox security update"
}

alsa-2024:7552

Vulnerability from osv_almalinux

Published

2024-10-02 00:00

Modified

2024-10-04 05:25

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: 115.16/128.3 ()
firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7552	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9396	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9397	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9398	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9399	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9400	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9403	REPORT
	https://bugzilla.redhat.com/2315945	REPORT
	https://bugzilla.redhat.com/2315947	REPORT
	https://bugzilla.redhat.com/2315949	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315952	REPORT
	https://bugzilla.redhat.com/2315953	REPORT
	https://bugzilla.redhat.com/2315954	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/9/ALSA-2024-7552.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* thunderbird: 115.16/128.3 ()\n* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)\n* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)\n* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)\n* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7552",
  "modified": "2024-10-04T05:25:09Z",
  "published": "2024-10-02T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9396"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9397"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9398"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9399"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9400"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9403"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315945"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315947"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315949"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315952"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315953"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315954"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-7552.html"
    }
  ],
  "related": [
    "CVE-2024-9399",
    "CVE-2024-9403",
    "CVE-2024-9397",
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9398",
    "CVE-2024-9400",
    "CVE-2024-9396",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2024:7699

Vulnerability from osv_almalinux

Published

2024-10-07 00:00

Modified

2024-10-09 08:55

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: 115.16/128.3 ()
firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7699	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9396	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9397	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9398	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9399	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9400	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9403	REPORT
	https://bugzilla.redhat.com/2315945	REPORT
	https://bugzilla.redhat.com/2315947	REPORT
	https://bugzilla.redhat.com/2315949	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315952	REPORT
	https://bugzilla.redhat.com/2315953	REPORT
	https://bugzilla.redhat.com/2315954	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/8/ALSA-2024-7699.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* thunderbird: 115.16/128.3 ()\n* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)\n* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)\n* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)\n* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7699",
  "modified": "2024-10-09T08:55:36Z",
  "published": "2024-10-07T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7699"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9396"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9397"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9398"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9399"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9400"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9403"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315945"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315947"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315949"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315952"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315953"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315954"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-7699.html"
    }
  ],
  "related": [
    "CVE-2024-9399",
    "CVE-2024-9403",
    "CVE-2024-9397",
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9398",
    "CVE-2024-9400",
    "CVE-2024-9396",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2024:7700

Vulnerability from osv_almalinux

Published

2024-10-07 00:00

Modified

2024-10-09 08:57

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: 115.16/128.3 ESR ()
firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7700	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-8900	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9396	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9397	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9398	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9399	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9400	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://bugzilla.redhat.com/2312914	REPORT
	https://bugzilla.redhat.com/2315945	REPORT
	https://bugzilla.redhat.com/2315949	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315952	REPORT
	https://bugzilla.redhat.com/2315953	REPORT
	https://bugzilla.redhat.com/2315954	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/8/ALSA-2024-7700.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nSecurity Fix(es):\n\n* firefox: 115.16/128.3 ESR ()\n* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)\n* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)\n* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)\n* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7700",
  "modified": "2024-10-09T08:57:20Z",
  "published": "2024-10-07T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7700"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-8900"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9396"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9397"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9398"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9399"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9400"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2312914"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315945"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315949"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315952"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315953"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315954"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-7700.html"
    }
  ],
  "related": [
    "CVE-2024-9399",
    "CVE-2024-9403",
    "CVE-2024-9397",
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9398",
    "CVE-2024-9400",
    "CVE-2024-9396",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: firefox security update"
}

CNVD-2024-41049

Vulnerability from cnvd - Published: 2024-10-17

Title

Mozilla Firefox存在未明漏洞（CNVD-2024-41049）

Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox存在安全漏洞，该漏洞源于受损的内容进程可能允许任意加载跨源页面。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Mozilla Firefox存在未明漏洞（CNVD-2024-41049）的补丁

Patch Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox存在安全漏洞，该漏洞源于受损的内容进程可能允许任意加载跨源页面。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.mozilla.org/security/advisories/mfsa2024-46/

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1905843

Impacted products

Name
['Mozilla Firefox <131', 'Mozilla Firefox ESR <128.3', 'Mozilla Firefox ESR <115.16', 'Mozilla Thunderbird <128.3', 'Mozilla Thunderbird <131']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-9392",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-9392"
    }
  },
  "description": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002\n\nMozilla Firefox\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53d7\u635f\u7684\u5185\u5bb9\u8fdb\u7a0b\u53ef\u80fd\u5141\u8bb8\u4efb\u610f\u52a0\u8f7d\u8de8\u6e90\u9875\u9762\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.mozilla.org/security/advisories/mfsa2024-46/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-41049",
  "openTime": "2024-10-17",
  "patchDescription": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002\r\n\r\nMozilla Firefox\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53d7\u635f\u7684\u5185\u5bb9\u8fdb\u7a0b\u53ef\u80fd\u5141\u8bb8\u4efb\u610f\u52a0\u8f7d\u8de8\u6e90\u9875\u9762\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Firefox\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-41049\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mozilla Firefox \u003c131",
      "Mozilla Firefox ESR \u003c128.3",
      "Mozilla Firefox ESR \u003c115.16",
      "Mozilla Thunderbird \u003c128.3",
      "Mozilla Thunderbird \u003c131"
    ]
  },
  "referenceLink": "https://bugzilla.mozilla.org/show_bug.cgi?id=1905843",
  "serverity": "\u9ad8",
  "submitTime": "2024-10-13",
  "title": "Mozilla Firefox\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-41049\uff09"
}

FKIE_CVE-2024-9392

Vulnerability from fkie_nvd - Published: 2024-10-01 16:15 - Updated: 2025-11-03 23:17

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1899154	Issue Tracking
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1905843	Issue Tracking
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-46/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-47/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-48/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-49/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-50/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox	*
mozilla	thunderbird	*
mozilla	thunderbird	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
              "matchCriteriaId": "277BD1BE-3F67-42D7-8B95-735FF00D95FB",
              "versionEndExcluding": "115.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA47FFCA-3451-462C-8FFB-47143C65E65A",
              "versionEndExcluding": "131.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "162E998D-FC05-4428-A848-3073BC879D13",
              "versionEndExcluding": "128.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9556B29A-F934-4F99-9C7F-6506CA829DB3",
              "versionEndExcluding": "131.0",
              "versionStartIncluding": "129.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131."
    },
    {
      "lang": "es",
      "value": "Un proceso de contenido comprometido podr\u00eda haber permitido la carga arbitraria de p\u00e1ginas de origen cruzado. Esta vulnerabilidad afecta a Firefox \u0026lt; 131, Firefox ESR \u0026lt; 128.3, Firefox ESR \u0026lt; 115.16, Thunderbird \u0026lt; 128.3 y Thunderbird \u0026lt; 131."
    }
  ],
  "id": "CVE-2024-9392",
  "lastModified": "2025-11-03T23:17:33.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-01T16:15:10.570",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1899154"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1905843"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-48/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-HC6R-WPFC-Q7M8

Vulnerability from github – Published: 2024-10-01 18:31 – Updated: 2025-11-04 00:31

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-9392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-01T16:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.",
  "id": "GHSA-hc6r-wpfc-q7m8",
  "modified": "2025-11-04T00:31:32Z",
  "published": "2024-10-01T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9392"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1899154"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1905843"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-46"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-47"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-48"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-49"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

NCSC-2024-0387

Vulnerability from csaf_ncscnl - Published: 2024-10-02 09:07 - Updated: 2024-10-02 09:07

Summary

Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird.

Interpretaties: Een kwaadwillende kan de kwetsbaarheden misbruiken om in de context van het slachtoffer beveiligingsmaatregelen te omzeilen en mogelijk willekeurige code uit te voeren of toegang te krijgen tot gevoelige gegevens in de context van de browser.

Oplossingen: Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Firefox 130, Firefox ESR 128.2 en Thunderbird 128.2. Voor meer informatie, zie bijgevoegde referenties.

Kans: medium

Schade: high

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-319: Cleartext Transmission of Sensitive Information

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CWE-451: User Interface (UI) Misrepresentation of Critical Information

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-346: Origin Validation Error

CVE-2024-8900

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Known affected 3 products

Product	Identifier	Version
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9391

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CWE-451 - User Interface (UI) Misrepresentation of Critical Information

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9392

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-346 - Origin Validation Error

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9393

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Affected products

Known affected 3 products

Product	Identifier	Version
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9394

Affected products

Known affected 3 products

Product	Identifier	Version
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9395

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9396

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9397

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9398

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9399

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9400

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9401

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9402

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9403

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

References

19 references

URL	Category
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird. ",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om in de context van het slachtoffer beveiligingsmaatregelen te omzeilen en mogelijk willekeurige code uit te voeren of toegang te krijgen tot gevoelige gegevens in de context van de browser. ",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Firefox 130, Firefox ESR 128.2 en Thunderbird 128.2. Voor meer informatie, zie bijgevoegde referenties.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Cleartext Transmission of Sensitive Information",
        "title": "CWE-319"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Rendered UI Layers or Frames",
        "title": "CWE-1021"
      },
      {
        "category": "general",
        "text": "User Interface (UI) Misrepresentation of Critical Information",
        "title": "CWE-451"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "title": "CWE-119"
      },
      {
        "category": "general",
        "text": "Origin Validation Error",
        "title": "CWE-346"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-48"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-46/"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-47/"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-49/"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-50/"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird",
    "tracking": {
      "current_release_date": "2024-10-02T09:07:21.241299Z",
      "id": "NCSC-2024-0387",
      "initial_release_date": "2024-10-02T09:07:21.241299Z",
      "revision_history": [
        {
          "date": "2024-10-02T09:07:21.241299Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "firefox_esr",
            "product": {
              "name": "firefox_esr",
              "product_id": "CSAFPID-2332",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "firefox",
            "product": {
              "name": "firefox",
              "product_id": "CSAFPID-2331",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "thunderbird",
            "product": {
              "name": "thunderbird",
              "product_id": "CSAFPID-2333",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "mozilla"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-8900",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331",
          "CSAFPID-2333",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-8900",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-8900.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2331",
            "CSAFPID-2333",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-8900"
    },
    {
      "cve": "CVE-2024-9391",
      "cwe": {
        "id": "CWE-451",
        "name": "User Interface (UI) Misrepresentation of Critical Information"
      },
      "notes": [
        {
          "category": "other",
          "text": "User Interface (UI) Misrepresentation of Critical Information",
          "title": "CWE-451"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9391",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9391.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9391"
    },
    {
      "cve": "CVE-2024-9392",
      "cwe": {
        "id": "CWE-346",
        "name": "Origin Validation Error"
      },
      "notes": [
        {
          "category": "other",
          "text": "Origin Validation Error",
          "title": "CWE-346"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2331",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9392",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9392.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2331",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-9392"
    },
    {
      "cve": "CVE-2024-9393",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2331",
          "CSAFPID-2333",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9393",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9393.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2331",
            "CSAFPID-2333",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-9393"
    },
    {
      "cve": "CVE-2024-9394",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331",
          "CSAFPID-2333",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9394",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9394.json"
        }
      ],
      "title": "CVE-2024-9394"
    },
    {
      "cve": "CVE-2024-9395",
      "cwe": {
        "id": "CWE-1021",
        "name": "Improper Restriction of Rendered UI Layers or Frames"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of Rendered UI Layers or Frames",
          "title": "CWE-1021"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9395",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9395.json"
        }
      ],
      "title": "CVE-2024-9395"
    },
    {
      "cve": "CVE-2024-9396",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9396",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9396.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2332",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9396"
    },
    {
      "cve": "CVE-2024-9397",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9397",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9397.json"
        }
      ],
      "title": "CVE-2024-9397"
    },
    {
      "cve": "CVE-2024-9398",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9398",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9398.json"
        }
      ],
      "title": "CVE-2024-9398"
    },
    {
      "cve": "CVE-2024-9399",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9399",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9399.json"
        }
      ],
      "title": "CVE-2024-9399"
    },
    {
      "cve": "CVE-2024-9400",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
          "title": "CWE-119"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9400",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9400.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2332",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9400"
    },
    {
      "cve": "CVE-2024-9401",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2331",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9401",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9401.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2331",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-9401"
    },
    {
      "cve": "CVE-2024-9402",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9402",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9402.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2332",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9402"
    },
    {
      "cve": "CVE-2024-9403",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9403",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9403.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9403"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-9392 (GCVE-0-2024-9392)

Solutions

Solutions

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature