Vulnerabilites related to Mozilla - Focus for iOS
cve-2024-0605
Vulnerability from cvelistv5
Published
2024-01-22 18:23
Modified
2024-08-01 18:11
Severity ?
EPSS score ?
Summary
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 122 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1855575"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2024-03/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "122",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user\u0027s loaded webpage. This vulnerability affects Focus for iOS \u003c 122."
}
],
"value": "Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user\u0027s loaded webpage. This vulnerability affects Focus for iOS \u003c 122."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "JavaScript URI running on top origin sites",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T18:23:24.614Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1855575"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-03/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-0605",
"datePublished": "2024-01-22T18:23:24.614Z",
"dateReserved": "2024-01-16T16:14:25.975Z",
"dateUpdated": "2024-08-01T18:11:35.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-8399
Vulnerability from cvelistv5
Published
2024-09-03 20:07
Modified
2024-09-03 20:50
Severity ?
EPSS score ?
Summary
Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS < 130.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 130 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T20:50:22.886276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T20:50:34.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "130",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS \u003c 130."
}
],
"value": "Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS \u003c 130."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "iOS Firefox Focus javascript URI address bar spoofing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T20:07:38.036Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1863838"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-42/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-8399",
"datePublished": "2024-09-03T20:07:38.036Z",
"dateReserved": "2024-09-03T17:48:07.569Z",
"dateUpdated": "2024-09-03T20:50:34.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1563
Vulnerability from cvelistv5
Published
2024-02-22 14:56
Modified
2024-08-01 18:40
Severity ?
EPSS score ?
Summary
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition. This vulnerability affects Focus for iOS < 122.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 122 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T18:07:37.490603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:57.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1863831"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2024-09/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "122",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition. This vulnerability affects Focus for iOS \u003c 122."
}
],
"value": "An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition. This vulnerability affects Focus for iOS \u003c 122."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UXSS exploit using a timeout after externally opening the application from a custom Focus scheme",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-22T14:56:42.888Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1863831"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-09/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-1563",
"datePublished": "2024-02-22T14:56:42.888Z",
"dateReserved": "2024-02-15T19:38:27.164Z",
"dateUpdated": "2024-08-01T18:40:21.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-0606
Vulnerability from cvelistv5
Published
2024-01-22 18:23
Modified
2024-08-01 18:11
Severity ?
EPSS score ?
Summary
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 122 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1855030"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2024-03/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "122",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user\u0027s loaded webpage. This vulnerability affects Focus for iOS \u003c 122."
}
],
"value": "An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user\u0027s loaded webpage. This vulnerability affects Focus for iOS \u003c 122."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UXSS attack with window.open()",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T18:23:25.606Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1855030"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-03/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-0606",
"datePublished": "2024-01-22T18:23:25.606Z",
"dateReserved": "2024-01-16T16:14:31.565Z",
"dateUpdated": "2024-08-01T18:11:35.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-26284
Vulnerability from cvelistv5
Published
2024-02-22 14:56
Modified
2024-08-02 00:07
Severity ?
EPSS score ?
Summary
Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker's website. This vulnerability affects Focus for iOS < 123.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 123 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:59:26.828962Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:06:36.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1860075"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2024-10/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "123",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker\u0027s website. This vulnerability affects Focus for iOS \u003c 123."
}
],
"value": "Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker\u0027s website. This vulnerability affects Focus for iOS \u003c 123."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UXSS exploit via 302 Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-22T14:56:42.004Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1860075"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-10/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-26284",
"datePublished": "2024-02-22T14:56:42.004Z",
"dateReserved": "2024-02-15T19:27:47.711Z",
"dateUpdated": "2024-08-02T00:07:19.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-10474
Vulnerability from cvelistv5
Published
2024-10-29 12:19
Modified
2024-10-29 14:02
Severity ?
EPSS score ?
Summary
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS < 132.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 132 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mozilla:focus_for_ios:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "focus_for_ios",
"vendor": "mozilla",
"versions": [
{
"lessThan": "132",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T13:58:46.853408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:02:10.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "132",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS \u003c 132."
}
],
"value": "Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS \u003c 132."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Don\u0027t allow web content to open firefox-focus URLs",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T12:19:20.120Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1863832"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-60/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-10474",
"datePublished": "2024-10-29T12:19:20.120Z",
"dateReserved": "2024-10-28T18:38:28.355Z",
"dateUpdated": "2024-10-29T14:02:10.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-5022
Vulnerability from cvelistv5
Published
2024-05-17 18:42
Modified
2024-10-28 20:14
Severity ?
EPSS score ?
Summary
The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This vulnerability affects Focus for iOS < 126.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mozilla | Focus for iOS |
Version: unspecified < 126 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-5022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T12:58:10.876388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T20:14:31.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1874560"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2024-24/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Focus for iOS",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "126",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Lee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The file scheme of URLs would be hidden, resulting in potential spoofing of a website\u0027s address in the location bar This vulnerability affects Focus for iOS \u003c 126."
}
],
"value": "The file scheme of URLs would be hidden, resulting in potential spoofing of a website\u0027s address in the location bar This vulnerability affects Focus for iOS \u003c 126."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "URLs with file scheme could have been used to spoof addresses in the location bar",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-17T18:42:24.791Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1874560"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2024-24/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-5022",
"datePublished": "2024-05-17T18:42:24.791Z",
"dateReserved": "2024-05-16T17:39:36.052Z",
"dateUpdated": "2024-10-28T20:14:31.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}