Vulnerability-Lookup

CVE-2024-4768 (GCVE-0-2024-4768)

Vulnerability from cvelistv5 – Published: 2024-05-14 17:21 – Updated: 2025-02-13 17:53

Summary

A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Potential permissions request bypass via clickjacking

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1886082
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://lists.debian.org/debian-lts-announce/2024…
https://lists.debian.org/debian-lts-announce/2024…

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 126 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 115.11 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 115.11 (custom)

Credits

Hafiizh

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-4768",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T15:37:43.312324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-281",
                "description": "CWE-281 Improper Preservation of Permissions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T16:03:03.223Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:47:41.692Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886082"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2024-21/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2024-22/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2024-23/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "126",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.11",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.11",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Hafiizh"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11."
            }
          ],
          "value": "A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Potential permissions request bypass via clickjacking",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-10T16:07:38.653Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886082"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-23/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2024-4768",
    "datePublished": "2024-05-14T17:21:24.047Z",
    "dateReserved": "2024-05-10T17:37:04.311Z",
    "dateUpdated": "2025-02-13T17:53:39.586Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-4768",
      "date": "2026-05-21",
      "epss": "0.00706",
      "percentile": "0.72363"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.\"}, {\"lang\": \"es\", \"value\": \"Un error en la interacci\\u00f3n de las notificaciones emergentes con WebAuthn facilit\\u00f3 que un atacante enga\\u00f1ara a un usuario para que concediera permisos. Esta vulnerabilidad afecta a Firefox \u0026lt; 126, Firefox ESR \u0026lt; 115.11 y Thunderbird \u0026lt; 115.11.\"}]",
      "id": "CVE-2024-4768",
      "lastModified": "2024-11-21T16:15:26.283",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2024-05-14T18:15:14.013",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1886082\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-21/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-22/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-23/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1886082\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-21/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-22/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-23/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-281\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-4768\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2024-05-14T18:15:14.013\",\"lastModified\":\"2025-04-01T18:00:09.610\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.\"},{\"lang\":\"es\",\"value\":\"Un error en la interacci\u00f3n de las notificaciones emergentes con WebAuthn facilit\u00f3 que un atacante enga\u00f1ara a un usuario para que concediera permisos. Esta vulnerabilidad afecta a Firefox \u0026lt; 126, Firefox ESR \u0026lt; 115.11 y Thunderbird \u0026lt; 115.11.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-281\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*\",\"versionEndExcluding\":\"115.11.0\",\"matchCriteriaId\":\"DCAE3CC2-8B68-45CA-BADF-3DF1AF50ECD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"126.0\",\"matchCriteriaId\":\"2695925F-3984-4304-A630-5FF27054F360\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"115.11.0\",\"matchCriteriaId\":\"0C7339B9-8741-4320-BF1C-3BC9F1D051FF\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1886082\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-21/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-22/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-23/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1886082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-21/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-22/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-23/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1886082\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-21/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-22/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-23/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:47:41.692Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4768\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-12T15:37:43.312324Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-281\", \"description\": \"CWE-281 Improper Preservation of Permissions\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-12T15:38:44.873Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Hafiizh\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"126\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"115.11\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"115.11\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1886082\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-21/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-22/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-23/\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Potential permissions request bypass via clickjacking\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2024-06-10T16:07:38.653Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-4768\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:53:39.586Z\", \"dateReserved\": \"2024-05-10T17:37:04.311Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2024-05-14T17:21:24.047Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0396

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.11
Mozilla	Firefox	Firefox versions antérieures à 126
Mozilla	Thunderbird	Thunderbird versions antérieures à 115.11

References

Title

Publication Time

CERTFR-2024-AVI-0396

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.11
Mozilla	Firefox	Firefox versions antérieures à 126
Mozilla	Thunderbird	Thunderbird versions antérieures à 115.11

References

Title

Publication Time

alsa-2024:2883

Vulnerability from osv_almalinux

Published

2024-05-16 00:00

Modified

2024-05-21 07:56

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.11.0 ESR.

Security Fix(es):

firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)
firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)
firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)
firefox: Cross-origin responses could be distinguished between script and non-script content-types (CVE-2024-4769)
firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)
firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 (CVE-2024-4777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:2883	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-4367	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4767	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4768	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4769	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4770	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4777	REPORT
	https://bugzilla.redhat.com/2280382	REPORT
	https://bugzilla.redhat.com/2280383	REPORT
	https://bugzilla.redhat.com/2280384	REPORT
	https://bugzilla.redhat.com/2280385	REPORT
	https://bugzilla.redhat.com/2280386	REPORT
	https://bugzilla.redhat.com/2280387	REPORT
	https://errata.almalinux.org/9/ALSA-2024-2883.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.11.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox-x11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.11.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 115.11.0 ESR.\n\nSecurity Fix(es):\n  \n\n* firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)\n* firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)\n* firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)\n* firefox: Cross-origin responses could be distinguished between script and non-script content-types (CVE-2024-4769)\n* firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)\n* firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 (CVE-2024-4777)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:2883",
  "modified": "2024-05-21T07:56:50Z",
  "published": "2024-05-16T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:2883"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4367"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4767"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4768"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4769"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4770"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4777"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280382"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280384"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280385"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280387"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-2883.html"
    }
  ],
  "related": [
    "CVE-2024-4367",
    "CVE-2024-4767",
    "CVE-2024-4768",
    "CVE-2024-4769",
    "CVE-2024-4770",
    "CVE-2024-4777"
  ],
  "summary": "Important: firefox security update"
}

alsa-2024:2888

Vulnerability from osv_almalinux

Published

2024-05-16 00:00

Modified

2024-05-21 07:54

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.11.0.

Security Fix(es):

firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)
firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)
firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)
firefox: Cross-origin responses could be distinguished between script and non-script content-types (CVE-2024-4769)
firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)
firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 (CVE-2024-4777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:2888	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-4367	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4767	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4768	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4769	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4770	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4777	REPORT
	https://bugzilla.redhat.com/2280382	REPORT
	https://bugzilla.redhat.com/2280383	REPORT
	https://bugzilla.redhat.com/2280384	REPORT
	https://bugzilla.redhat.com/2280385	REPORT
	https://bugzilla.redhat.com/2280386	REPORT
	https://bugzilla.redhat.com/2280387	REPORT
	https://errata.almalinux.org/9/ALSA-2024-2888.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.11.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.11.0.\n\nSecurity Fix(es):\n\n* firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)\n* firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)\n* firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)\n* firefox: Cross-origin responses could be distinguished between script and\nnon-script content-types (CVE-2024-4769)\n* firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)\n* firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and\nThunderbird 115.11 (CVE-2024-4777)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:2888",
  "modified": "2024-05-21T07:54:53Z",
  "published": "2024-05-16T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:2888"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4367"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4767"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4768"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4769"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4770"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4777"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280382"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280384"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280385"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280387"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-2888.html"
    }
  ],
  "related": [
    "CVE-2024-4367",
    "CVE-2024-4767",
    "CVE-2024-4768",
    "CVE-2024-4769",
    "CVE-2024-4770",
    "CVE-2024-4777"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2024:3783

Vulnerability from osv_almalinux

Published

2024-06-10 00:00

Modified

2024-06-20 21:37

Summary

Moderate: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.11.0 ESR.

Security Fix(es):

firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)
firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)
firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)
firefox: Cross-origin responses could be distinguished between script and non-script content-types (CVE-2024-4769)
firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)
firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 (CVE-2024-4777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:3783	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-4367	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4767	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4768	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4769	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4770	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4777	REPORT
	https://bugzilla.redhat.com/2280382	REPORT
	https://bugzilla.redhat.com/2280383	REPORT
	https://bugzilla.redhat.com/2280384	REPORT
	https://bugzilla.redhat.com/2280385	REPORT
	https://bugzilla.redhat.com/2280386	REPORT
	https://bugzilla.redhat.com/2280387	REPORT
	https://errata.almalinux.org/8/ALSA-2024-3783.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.11.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards\ncompliance, performance, and portability.\n\nThis update upgrades Firefox to version 115.11.0 ESR.\n\nSecurity Fix(es):\n\n* firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)\n* firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)\n* firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)\n* firefox: Cross-origin responses could be distinguished between script and\nnon-script content-types (CVE-2024-4769)\n* firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)\n* firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and\nThunderbird 115.11 (CVE-2024-4777)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:3783",
  "modified": "2024-06-20T21:37:10Z",
  "published": "2024-06-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:3783"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4367"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4767"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4768"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4769"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4770"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4777"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280382"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280384"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280385"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280387"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-3783.html"
    }
  ],
  "related": [
    "CVE-2024-4367",
    "CVE-2024-4767",
    "CVE-2024-4768",
    "CVE-2024-4769",
    "CVE-2024-4770",
    "CVE-2024-4777"
  ],
  "summary": "Moderate: firefox security update"
}

alsa-2024:3784

Vulnerability from osv_almalinux

Published

2024-06-10 00:00

Modified

2024-06-20 21:36

Summary

Moderate: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.11.0.

Security Fix(es):

firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)
firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)
firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)
firefox: Cross-origin responses could be distinguished between script and non-script content-types (CVE-2024-4769)
firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)
firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 (CVE-2024-4777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:3784	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-4367	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4767	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4768	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4769	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4770	REPORT
	https://access.redhat.com/security/cve/CVE-2024-4777	REPORT
	https://bugzilla.redhat.com/2280382	REPORT
	https://bugzilla.redhat.com/2280383	REPORT
	https://bugzilla.redhat.com/2280384	REPORT
	https://bugzilla.redhat.com/2280385	REPORT
	https://bugzilla.redhat.com/2280386	REPORT
	https://bugzilla.redhat.com/2280387	REPORT
	https://errata.almalinux.org/8/ALSA-2024-3784.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.11.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.11.0.\n\nSecurity Fix(es):\n\n* firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)\n* firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)\n* firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)\n* firefox: Cross-origin responses could be distinguished between script and\nnon-script content-types (CVE-2024-4769)\n* firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)\n* firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and\nThunderbird 115.11 (CVE-2024-4777)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:3784",
  "modified": "2024-06-20T21:36:14Z",
  "published": "2024-06-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:3784"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4367"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4767"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4768"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4769"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4770"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4777"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280382"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280384"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280385"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2280387"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-3784.html"
    }
  ],
  "related": [
    "CVE-2024-4367",
    "CVE-2024-4767",
    "CVE-2024-4768",
    "CVE-2024-4769",
    "CVE-2024-4770",
    "CVE-2024-4777"
  ],
  "summary": "Moderate: thunderbird security update"
}

CNVD-2024-23345

Vulnerability from cnvd - Published: 2024-05-20

Title

Mozilla Firefox安全绕过漏洞（CNVD-2024-23345）

Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。Mozilla Firefox ESR是Firefox（Web浏览器）的一个延长支持版本。Mozilla Thunderbird是一套从Mozilla Application Suite独立出来的电子邮件客户端软件。 Mozilla Firefox存在安全绕过漏洞，攻击者可利用该漏洞欺骗用户授予权限。

Severity

高

Patch Name

Mozilla Firefox安全绕过漏洞（CNVD-2024-23345）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/ https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/ https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/

Reference

https://exchange.xforce.ibmcloud.com/vulnerabilities/290491

Impacted products

Name
['Mozilla Firefox <126', 'Mozilla Firefox ESR <115.11', 'Mozilla Thunderbird <115.11']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-4768"
    }
  },
  "description": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox ESR\u662fFirefox\uff08Web\u6d4f\u89c8\u5668\uff09\u7684\u4e00\u4e2a\u5ef6\u957f\u652f\u6301\u7248\u672c\u3002Mozilla Thunderbird\u662f\u4e00\u5957\u4eceMozilla Application Suite\u72ec\u7acb\u51fa\u6765\u7684\u7535\u5b50\u90ae\u4ef6\u5ba2\u6237\u7aef\u8f6f\u4ef6\u3002\n\nMozilla Firefox\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6b3a\u9a97\u7528\u6237\u6388\u4e88\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2024-23/\r\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2024-21/\r\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2024-22/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-23345",
  "openTime": "2024-05-20",
  "patchDescription": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox ESR\u662fFirefox\uff08Web\u6d4f\u89c8\u5668\uff09\u7684\u4e00\u4e2a\u5ef6\u957f\u652f\u6301\u7248\u672c\u3002Mozilla Thunderbird\u662f\u4e00\u5957\u4eceMozilla Application Suite\u72ec\u7acb\u51fa\u6765\u7684\u7535\u5b50\u90ae\u4ef6\u5ba2\u6237\u7aef\u8f6f\u4ef6\u3002\r\n\r\nMozilla Firefox\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6b3a\u9a97\u7528\u6237\u6388\u4e88\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Firefox\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2024-23345\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mozilla Firefox \u003c126",
      "Mozilla Firefox ESR \u003c115.11",
      "Mozilla Thunderbird \u003c115.11"
    ]
  },
  "referenceLink": "https://exchange.xforce.ibmcloud.com/vulnerabilities/290491",
  "serverity": "\u9ad8",
  "submitTime": "2024-05-15",
  "title": "Mozilla Firefox\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2024-23345\uff09"
}

FKIE_CVE-2024-4768

Vulnerability from fkie_nvd - Published: 2024-05-14 18:15 - Updated: 2025-04-01 18:00

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1886082	Exploit, Issue Tracking, Vendor Advisory
security@mozilla.org	https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html	Mailing List
security@mozilla.org	https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html	Mailing List
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-21/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-22/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-23/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.mozilla.org/show_bug.cgi?id=1886082	Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2024-21/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2024-22/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2024-23/	Vendor Advisory

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox	*
mozilla	thunderbird	*
debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
              "matchCriteriaId": "DCAE3CC2-8B68-45CA-BADF-3DF1AF50ECD6",
              "versionEndExcluding": "115.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "2695925F-3984-4304-A630-5FF27054F360",
              "versionEndExcluding": "126.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C7339B9-8741-4320-BF1C-3BC9F1D051FF",
              "versionEndExcluding": "115.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11."
    },
    {
      "lang": "es",
      "value": "Un error en la interacci\u00f3n de las notificaciones emergentes con WebAuthn facilit\u00f3 que un atacante enga\u00f1ara a un usuario para que concediera permisos. Esta vulnerabilidad afecta a Firefox \u0026lt; 126, Firefox ESR \u0026lt; 115.11 y Thunderbird \u0026lt; 115.11."
    }
  ],
  "id": "CVE-2024-4768",
  "lastModified": "2025-04-01T18:00:09.610",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-14T18:15:14.013",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886082"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-21/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-22/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-23/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886082"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-21/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-22/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-23/"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-281"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-2FG8-6GGF-J2JG

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2025-04-01 18:30

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-4768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A bug in popup notifications\u0027 interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.",
  "id": "GHSA-2fg8-6ggf-j2jg",
  "modified": "2025-04-01T18:30:39Z",
  "published": "2024-05-14T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4768"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886082"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-21"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-22"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

NCSC-2024-0218

Vulnerability from csaf_ncscnl - Published: 2024-05-15 12:29 - Updated: 2024-05-15 12:29

Summary

Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird

Interpretaties: Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade: - Denial-of-Service (DoS) - Omzeilen van beveiligingsmaatregel - (Remote) code execution (Gebruikersrechten)

Oplossingen: Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Firefox 126, Firefox ESR 115.11 en Thunderbird 115.11. Voor meer informatie, zie bijgevoegde referenties.

Kans: medium

Schade: medium

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CWE-416: Use After Free

CWE-451: User Interface (UI) Misrepresentation of Critical Information

CWE-754: Improper Check for Unusual or Exceptional Conditions

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVE-2024-4778

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4777

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Affected products

Known affected 3 products

Product	Identifier	Version
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4776

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4775

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4774

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4773

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4772

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4771

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4770

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-416 - Use After Free

Affected products

Known affected 3 products

Product	Identifier	Version
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4769

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

Affected products

Known affected 3 products

Product	Identifier	Version
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4768

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-451 - User Interface (UI) Misrepresentation of Critical Information

Affected products

Known affected 3 products

Product	Identifier	Version
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4767

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

Affected products

Known affected 3 products

Product	Identifier	Version
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4766

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4765

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4764

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-4367

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Affected products

Known affected 3 products

Product	Identifier	Version
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

References

19 references

URL	Category
https://www.mozilla.org/security/advisories/mfsa2…	external
https://www.mozilla.org/security/advisories/mfsa2…	external
https://www.mozilla.org/security/advisories/mfsa2…	external
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorie\u00ebn schade:\n\n- Denial-of-Service (DoS)\n- Omzeilen van beveiligingsmaatregel\n- (Remote) code execution (Gebruikersrechten)",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Firefox 126, Firefox ESR 115.11 en Thunderbird 115.11. Voor meer informatie, zie bijgevoegde referenties.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
        "title": "CWE-120"
      },
      {
        "category": "general",
        "text": "Improper Removal of Sensitive Information Before Storage or Transfer",
        "title": "CWE-212"
      },
      {
        "category": "general",
        "text": "Use After Free",
        "title": "CWE-416"
      },
      {
        "category": "general",
        "text": "User Interface (UI) Misrepresentation of Critical Information",
        "title": "CWE-451"
      },
      {
        "category": "general",
        "text": "Improper Check for Unusual or Exceptional Conditions",
        "title": "CWE-754"
      },
      {
        "category": "general",
        "text": "Inclusion of Functionality from Untrusted Control Sphere",
        "title": "CWE-829"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Source - mozilla",
        "url": "https://www.mozilla.org/security/advisories/mfsa2024-21/"
      },
      {
        "category": "external",
        "summary": "Source - mozilla",
        "url": "https://www.mozilla.org/security/advisories/mfsa2024-22/"
      },
      {
        "category": "external",
        "summary": "Source - mozilla",
        "url": "https://www.mozilla.org/security/advisories/mfsa2024-23/"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird",
    "tracking": {
      "current_release_date": "2024-05-15T12:29:43.620890Z",
      "id": "NCSC-2024-0218",
      "initial_release_date": "2024-05-15T12:29:43.620890Z",
      "revision_history": [
        {
          "date": "2024-05-15T12:29:43.620890Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "firefox_esr",
            "product": {
              "name": "firefox_esr",
              "product_id": "CSAFPID-2332",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "firefox",
            "product": {
              "name": "firefox",
              "product_id": "CSAFPID-2331",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "thunderbird",
            "product": {
              "name": "thunderbird",
              "product_id": "CSAFPID-2333",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "mozilla"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-4778",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4778",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4778.json"
        }
      ],
      "title": "CVE-2024-4778"
    },
    {
      "cve": "CVE-2024-4777",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
          "title": "CWE-120"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2332",
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4777",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4777.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2332",
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-4777"
    },
    {
      "cve": "CVE-2024-4776",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4776",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4776.json"
        }
      ],
      "title": "CVE-2024-4776"
    },
    {
      "cve": "CVE-2024-4775",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4775",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4775.json"
        }
      ],
      "title": "CVE-2024-4775"
    },
    {
      "cve": "CVE-2024-4774",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4774",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4774.json"
        }
      ],
      "title": "CVE-2024-4774"
    },
    {
      "cve": "CVE-2024-4773",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4773",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4773.json"
        }
      ],
      "title": "CVE-2024-4773"
    },
    {
      "cve": "CVE-2024-4772",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4772",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4772.json"
        }
      ],
      "title": "CVE-2024-4772"
    },
    {
      "cve": "CVE-2024-4771",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4771",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4771.json"
        }
      ],
      "title": "CVE-2024-4771"
    },
    {
      "cve": "CVE-2024-4770",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use After Free",
          "title": "CWE-416"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2332",
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4770",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4770.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2332",
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-4770"
    },
    {
      "cve": "CVE-2024-4769",
      "cwe": {
        "id": "CWE-829",
        "name": "Inclusion of Functionality from Untrusted Control Sphere"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inclusion of Functionality from Untrusted Control Sphere",
          "title": "CWE-829"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2332",
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4769",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4769.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2332",
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-4769"
    },
    {
      "cve": "CVE-2024-4768",
      "cwe": {
        "id": "CWE-451",
        "name": "User Interface (UI) Misrepresentation of Critical Information"
      },
      "notes": [
        {
          "category": "other",
          "text": "User Interface (UI) Misrepresentation of Critical Information",
          "title": "CWE-451"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2332",
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4768",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4768.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2332",
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-4768"
    },
    {
      "cve": "CVE-2024-4767",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Removal of Sensitive Information Before Storage or Transfer",
          "title": "CWE-212"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2332",
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4767",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4767.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2332",
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-4767"
    },
    {
      "cve": "CVE-2024-4766",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4766",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4766.json"
        }
      ],
      "title": "CVE-2024-4766"
    },
    {
      "cve": "CVE-2024-4765",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4765",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4765.json"
        }
      ],
      "title": "CVE-2024-4765"
    },
    {
      "cve": "CVE-2024-4764",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4764",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4764.json"
        }
      ],
      "title": "CVE-2024-4764"
    },
    {
      "cve": "CVE-2024-4367",
      "cwe": {
        "id": "CWE-754",
        "name": "Improper Check for Unusual or Exceptional Conditions"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Check for Unusual or Exceptional Conditions",
          "title": "CWE-754"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2332",
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-4367",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-4367.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2332",
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-4367"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-4768 (GCVE-0-2024-4768)

Solution

Solution

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature