Vulnerability-Lookup

CVE-2024-9393 (GCVE-0-2024-9393)

Vulnerability from cvelistv5 – Published: 2024-10-01 15:13 – Updated: 2025-11-03 22:33

Summary

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Cross-origin access to PDF contents through multipart responses

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1918301
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

5 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 131 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 128.3 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 115.16 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.3 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 131 (custom)

Credits

Masato Kinugawa

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-9393",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-14T15:14:36.763792Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-346",
                "description": "CWE-346 Origin Validation Error",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T15:15:13.293Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:33:27.062Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "131",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.16",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "131",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masato Kinugawa"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \"same site\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131."
            }
          ],
          "value": "An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \"same site\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-origin access to PDF contents through multipart responses",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-01T15:13:19.123Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1918301"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-48/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2024-9393",
    "datePublished": "2024-10-01T15:13:19.123Z",
    "dateReserved": "2024-10-01T06:10:06.764Z",
    "dateUpdated": "2025-11-03T22:33:27.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-9393",
      "date": "2026-05-24",
      "epss": "0.00168",
      "percentile": "0.37521"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"131.0\", \"matchCriteriaId\": \"DA47FFCA-3451-462C-8FFB-47143C65E65A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"115.16.0\", \"matchCriteriaId\": \"BE98FB6E-21A3-4917-8806-09D3AF4FB876\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"116.0\", \"versionEndExcluding\": \"128.3.0\", \"matchCriteriaId\": \"CAB84369-2EC9-42EC-A9BF-95A3EB9925C1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"128.3\", \"matchCriteriaId\": \"2B27464A-8C97-4D45-B7BE-CD1E3EA1DFD6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*\", \"matchCriteriaId\": \"1CF643F7-C722-44F1-827C-3974B45A3D0D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"963ACFD6-B12A-4A66-A539-FD156C6F5220\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"B9E39014-2E8F-4E19-9575-978AB56E451A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*\", \"matchCriteriaId\": \"28752A54-6016-4F6E-983B-CB54FEA19E5F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*\", \"matchCriteriaId\": \"DA46E15E-0C2B-4F6E-8BA3-B7CB32C58D43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*\", \"matchCriteriaId\": \"90AD96F8-A88B-4B70-A4D2-CD7637DF239A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \\\"same site\\\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\"}, {\"lang\": \"es\", \"value\": \"Un atacante podr\\u00eda, mediante una respuesta de varias partes especialmente manipulada, ejecutar c\\u00f3digo JavaScript arbitrario bajo el origen `resource://pdf.js`. Esto podr\\u00eda permitirle acceder a contenido PDF de origen cruzado. Este acceso est\\u00e1 limitado a documentos del \\\"mismo sitio\\\" por la funci\\u00f3n de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox \u0026lt; 131, Firefox ESR \u0026lt; 128.3, Firefox ESR \u0026lt; 115.16, Thunderbird \u0026lt; 128.3 y Thunderbird \u0026lt; 131.\"}]",
      "id": "CVE-2024-9393",
      "lastModified": "2024-10-30T17:35:18.107",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-10-01T16:15:10.623",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1918301\", \"source\": \"security@mozilla.org\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-46/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-47/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-48/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-49/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-50/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-346\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-9393\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2024-10-01T16:15:10.623\",\"lastModified\":\"2025-11-03T23:17:33.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \\\"same site\\\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\"},{\"lang\":\"es\",\"value\":\"Un atacante podr\u00eda, mediante una respuesta de varias partes especialmente manipulada, ejecutar c\u00f3digo JavaScript arbitrario bajo el origen `resource://pdf.js`. Esto podr\u00eda permitirle acceder a contenido PDF de origen cruzado. Este acceso est\u00e1 limitado a documentos del \\\"mismo sitio\\\" por la funci\u00f3n de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox \u0026lt; 131, Firefox ESR \u0026lt; 128.3, Firefox ESR \u0026lt; 115.16, Thunderbird \u0026lt; 128.3 y Thunderbird \u0026lt; 131.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"131.0\",\"matchCriteriaId\":\"DA47FFCA-3451-462C-8FFB-47143C65E65A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"115.16.0\",\"matchCriteriaId\":\"BE98FB6E-21A3-4917-8806-09D3AF4FB876\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"116.0\",\"versionEndExcluding\":\"128.3.0\",\"matchCriteriaId\":\"CAB84369-2EC9-42EC-A9BF-95A3EB9925C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"128.3\",\"matchCriteriaId\":\"2B27464A-8C97-4D45-B7BE-CD1E3EA1DFD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CF643F7-C722-44F1-827C-3974B45A3D0D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"963ACFD6-B12A-4A66-A539-FD156C6F5220\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9E39014-2E8F-4E19-9575-978AB56E451A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"28752A54-6016-4F6E-983B-CB54FEA19E5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA46E15E-0C2B-4F6E-8BA3-B7CB32C58D43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"90AD96F8-A88B-4B70-A4D2-CD7637DF239A\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1918301\",\"source\":\"security@mozilla.org\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-46/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-47/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-48/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-49/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-50/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T22:33:27.062Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9393\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-14T15:14:36.763792Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346 Origin Validation Error\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-01T18:04:28.832Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Masato Kinugawa\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"131\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"128.3\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"115.16\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"128.3\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"131\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1918301\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-46/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-47/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-48/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-49/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-50/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \\\"same site\\\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \\\"same site\\\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Cross-origin access to PDF contents through multipart responses\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2024-10-01T15:13:19.123Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-9393\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T22:33:27.062Z\", \"dateReserved\": \"2024-10-01T06:10:06.764Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2024-10-01T15:13:19.123Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2024-AVI-0829

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 128.3
Mozilla	Thunderbird	Thunderbird versions antérieures à 128.3
Mozilla	Firefox Focus	Firefox Focus versions antérieures à 131 pour Android
Mozilla	Firefox	Firefox versions antérieures à 131 pour Android
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.16
Mozilla	Firefox	Firefox versions antérieures à 131
Mozilla	Thunderbird	Thunderbird versions antérieures à 131

References

Title

Publication Time

CERTFR-2024-AVI-0829

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 128.3
Mozilla	Thunderbird	Thunderbird versions antérieures à 128.3
Mozilla	Firefox Focus	Firefox Focus versions antérieures à 131 pour Android
Mozilla	Firefox	Firefox versions antérieures à 131 pour Android
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.16
Mozilla	Firefox	Firefox versions antérieures à 131
Mozilla	Thunderbird	Thunderbird versions antérieures à 131

References

Title

Publication Time

alsa-2024:7505

Vulnerability from osv_almalinux

Published

2024-10-02 00:00

Modified

2024-10-04 05:27

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: 115.16/128.3 ESR ()
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7505	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/9/ALSA-2024-7505.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox-x11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nSecurity Fix(es):\n\n* firefox: 115.16/128.3 ESR ()\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7505",
  "modified": "2024-10-04T05:27:10Z",
  "published": "2024-10-02T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7505"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-7505.html"
    }
  ],
  "related": [
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: firefox security update"
}

alsa-2024:7552

Vulnerability from osv_almalinux

Published

2024-10-02 00:00

Modified

2024-10-04 05:25

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: 115.16/128.3 ()
firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7552	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9396	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9397	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9398	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9399	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9400	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9403	REPORT
	https://bugzilla.redhat.com/2315945	REPORT
	https://bugzilla.redhat.com/2315947	REPORT
	https://bugzilla.redhat.com/2315949	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315952	REPORT
	https://bugzilla.redhat.com/2315953	REPORT
	https://bugzilla.redhat.com/2315954	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/9/ALSA-2024-7552.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* thunderbird: 115.16/128.3 ()\n* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)\n* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)\n* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)\n* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7552",
  "modified": "2024-10-04T05:25:09Z",
  "published": "2024-10-02T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9396"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9397"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9398"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9399"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9400"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9403"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315945"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315947"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315949"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315952"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315953"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315954"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-7552.html"
    }
  ],
  "related": [
    "CVE-2024-9399",
    "CVE-2024-9403",
    "CVE-2024-9397",
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9398",
    "CVE-2024-9400",
    "CVE-2024-9396",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2024:7699

Vulnerability from osv_almalinux

Published

2024-10-07 00:00

Modified

2024-10-09 08:55

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: 115.16/128.3 ()
firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7699	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9396	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9397	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9398	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9399	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9400	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9403	REPORT
	https://bugzilla.redhat.com/2315945	REPORT
	https://bugzilla.redhat.com/2315947	REPORT
	https://bugzilla.redhat.com/2315949	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315952	REPORT
	https://bugzilla.redhat.com/2315953	REPORT
	https://bugzilla.redhat.com/2315954	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/8/ALSA-2024-7699.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* thunderbird: 115.16/128.3 ()\n* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)\n* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)\n* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)\n* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7699",
  "modified": "2024-10-09T08:55:36Z",
  "published": "2024-10-07T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7699"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9396"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9397"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9398"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9399"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9400"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9403"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315945"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315947"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315949"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315952"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315953"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315954"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-7699.html"
    }
  ],
  "related": [
    "CVE-2024-9399",
    "CVE-2024-9403",
    "CVE-2024-9397",
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9398",
    "CVE-2024-9400",
    "CVE-2024-9396",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2024:7700

Vulnerability from osv_almalinux

Published

2024-10-07 00:00

Modified

2024-10-09 08:57

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: 115.16/128.3 ESR ()
firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:7700	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-8900	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9392	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9393	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9394	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9396	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9397	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9398	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9399	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9400	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9401	REPORT
	https://access.redhat.com/security/cve/CVE-2024-9402	REPORT
	https://bugzilla.redhat.com/2312914	REPORT
	https://bugzilla.redhat.com/2315945	REPORT
	https://bugzilla.redhat.com/2315949	REPORT
	https://bugzilla.redhat.com/2315950	REPORT
	https://bugzilla.redhat.com/2315951	REPORT
	https://bugzilla.redhat.com/2315952	REPORT
	https://bugzilla.redhat.com/2315953	REPORT
	https://bugzilla.redhat.com/2315954	REPORT
	https://bugzilla.redhat.com/2315956	REPORT
	https://bugzilla.redhat.com/2315957	REPORT
	https://bugzilla.redhat.com/2315959	REPORT
	https://errata.almalinux.org/8/ALSA-2024-7700.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.3.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nSecurity Fix(es):\n\n* firefox: 115.16/128.3 ESR ()\n* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)\n* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)\n* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)\n* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)\n* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)\n* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)\n* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)\n* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)\n* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:7700",
  "modified": "2024-10-09T08:57:20Z",
  "published": "2024-10-07T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:7700"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-8900"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9393"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9394"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9396"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9397"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9398"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9399"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9400"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9402"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2312914"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315945"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315949"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315951"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315952"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315953"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315954"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315956"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315957"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2315959"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-7700.html"
    }
  ],
  "related": [
    "CVE-2024-9399",
    "CVE-2024-9403",
    "CVE-2024-9397",
    "CVE-2024-9401",
    "CVE-2024-9402",
    "CVE-2024-9398",
    "CVE-2024-9400",
    "CVE-2024-9396",
    "CVE-2024-9393",
    "CVE-2024-9394",
    "CVE-2024-9392"
  ],
  "summary": "Important: firefox security update"
}

CNVD-2024-44475

Vulnerability from cnvd - Published: 2024-11-12

Title

Mozilla Firefox原点验证错误漏洞

Description

Mozilla Firefox是一款开源Web浏览器。Mozilla Firefox ESR是Firefox（Web浏览器）的一个延长支持版本。Mozilla Thunderbird是一套从Mozilla Application Suite独立出来的电子邮件客户端软件。 Mozilla Firefox存在原点验证错误，该漏洞源于通过多部分响应跨域访问PDF内容，攻击者可利用该漏洞通过特制的多部分响应，在‘ resource://pdf.js ’源下执行任意JavaScript。

Severity

高

Patch Name

Mozilla Firefox原点验证错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.mozilla.org/security/advisories/mfsa2024-46/

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1918301

Impacted products

Name
['Mozilla Firefox <131', 'Mozilla Firefox ESR <128.3', 'Mozilla Thunderbird <128.3', 'Mozilla Thunderbird <131']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-9393",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-9393"
    }
  },
  "description": "Mozilla Firefox\u662f\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox ESR\u662fFirefox\uff08Web\u6d4f\u89c8\u5668\uff09\u7684\u4e00\u4e2a\u5ef6\u957f\u652f\u6301\u7248\u672c\u3002Mozilla Thunderbird\u662f\u4e00\u5957\u4eceMozilla Application Suite\u72ec\u7acb\u51fa\u6765\u7684\u7535\u5b50\u90ae\u4ef6\u5ba2\u6237\u7aef\u8f6f\u4ef6\u3002\n\nMozilla Firefox\u5b58\u5728\u539f\u70b9\u9a8c\u8bc1\u9519\u8bef\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u901a\u8fc7\u591a\u90e8\u5206\u54cd\u5e94\u8de8\u57df\u8bbf\u95eePDF\u5185\u5bb9\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u7684\u591a\u90e8\u5206\u54cd\u5e94\uff0c\u5728\u2018 resource://pdf.js \u2019\u6e90\u4e0b\u6267\u884c\u4efb\u610fJavaScript\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.mozilla.org/security/advisories/mfsa2024-46/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-44475",
  "openTime": "2024-11-12",
  "patchDescription": "Mozilla Firefox\u662f\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox ESR\u662fFirefox\uff08Web\u6d4f\u89c8\u5668\uff09\u7684\u4e00\u4e2a\u5ef6\u957f\u652f\u6301\u7248\u672c\u3002Mozilla Thunderbird\u662f\u4e00\u5957\u4eceMozilla Application Suite\u72ec\u7acb\u51fa\u6765\u7684\u7535\u5b50\u90ae\u4ef6\u5ba2\u6237\u7aef\u8f6f\u4ef6\u3002\r\n\r\nMozilla Firefox\u5b58\u5728\u539f\u70b9\u9a8c\u8bc1\u9519\u8bef\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u901a\u8fc7\u591a\u90e8\u5206\u54cd\u5e94\u8de8\u57df\u8bbf\u95eePDF\u5185\u5bb9\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u7684\u591a\u90e8\u5206\u54cd\u5e94\uff0c\u5728\u2018 resource://pdf.js \u2019\u6e90\u4e0b\u6267\u884c\u4efb\u610fJavaScript\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Firefox\u539f\u70b9\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mozilla Firefox \u003c131",
      "Mozilla Firefox ESR \u003c128.3",
      "Mozilla Thunderbird \u003c128.3",
      "Mozilla Thunderbird \u003c131"
    ]
  },
  "referenceLink": "https://bugzilla.mozilla.org/show_bug.cgi?id=1918301",
  "serverity": "\u9ad8",
  "submitTime": "2024-10-13",
  "title": "Mozilla Firefox\u539f\u70b9\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

FKIE_CVE-2024-9393

Vulnerability from fkie_nvd - Published: 2024-10-01 16:15 - Updated: 2025-11-03 23:17

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1918301	Permissions Required
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-46/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-47/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-48/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-49/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-50/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox_esr	*
mozilla	firefox_esr	*
mozilla	thunderbird	*
mozilla	thunderbird	129.0
mozilla	thunderbird	129.0
mozilla	thunderbird	129.0
mozilla	thunderbird	129.0
mozilla	thunderbird	129.0
mozilla	thunderbird	129.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA47FFCA-3451-462C-8FFB-47143C65E65A",
              "versionEndExcluding": "131.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE98FB6E-21A3-4917-8806-09D3AF4FB876",
              "versionEndExcluding": "115.16.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CAB84369-2EC9-42EC-A9BF-95A3EB9925C1",
              "versionEndExcluding": "128.3.0",
              "versionStartIncluding": "116.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B27464A-8C97-4D45-B7BE-CD1E3EA1DFD6",
              "versionEndExcluding": "128.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "1CF643F7-C722-44F1-827C-3974B45A3D0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "963ACFD6-B12A-4A66-A539-FD156C6F5220",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "B9E39014-2E8F-4E19-9575-978AB56E451A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "28752A54-6016-4F6E-983B-CB54FEA19E5F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "DA46E15E-0C2B-4F6E-8BA3-B7CB32C58D43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "90AD96F8-A88B-4B70-A4D2-CD7637DF239A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \"same site\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131."
    },
    {
      "lang": "es",
      "value": "Un atacante podr\u00eda, mediante una respuesta de varias partes especialmente manipulada, ejecutar c\u00f3digo JavaScript arbitrario bajo el origen `resource://pdf.js`. Esto podr\u00eda permitirle acceder a contenido PDF de origen cruzado. Este acceso est\u00e1 limitado a documentos del \"mismo sitio\" por la funci\u00f3n de aislamiento de sitios en los clientes de escritorio, pero el acceso completo de origen cruzado es posible en las versiones de Android. Esta vulnerabilidad afecta a Firefox \u0026lt; 131, Firefox ESR \u0026lt; 128.3, Firefox ESR \u0026lt; 115.16, Thunderbird \u0026lt; 128.3 y Thunderbird \u0026lt; 131."
    }
  ],
  "id": "CVE-2024-9393",
  "lastModified": "2025-11-03T23:17:33.923",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-01T16:15:10.623",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1918301"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-48/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-RGGH-RM3V-8XQJ

Vulnerability from github – Published: 2024-10-01 18:31 – Updated: 2025-11-04 00:31

Details

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-9393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-01T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to \"same site\" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox \u003c 131, Firefox ESR \u003c 128.3, Firefox ESR \u003c 115.16, Thunderbird \u003c 128.3, and Thunderbird \u003c 131.",
  "id": "GHSA-rggh-rm3v-8xqj",
  "modified": "2025-11-04T00:31:32Z",
  "published": "2024-10-01T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9393"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1918301"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-46"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-47"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-48"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-49"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

NCSC-2024-0387

Vulnerability from csaf_ncscnl - Published: 2024-10-02 09:07 - Updated: 2024-10-02 09:07

Summary

Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird.

Interpretaties: Een kwaadwillende kan de kwetsbaarheden misbruiken om in de context van het slachtoffer beveiligingsmaatregelen te omzeilen en mogelijk willekeurige code uit te voeren of toegang te krijgen tot gevoelige gegevens in de context van de browser.

Oplossingen: Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Firefox 130, Firefox ESR 128.2 en Thunderbird 128.2. Voor meer informatie, zie bijgevoegde referenties.

Kans: medium

Schade: high

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-319: Cleartext Transmission of Sensitive Information

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CWE-451: User Interface (UI) Misrepresentation of Critical Information

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-346: Origin Validation Error

CVE-2024-8900

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Known affected 3 products

Product	Identifier	Version
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9391

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CWE-451 - User Interface (UI) Misrepresentation of Critical Information

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9392

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-346 - Origin Validation Error

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9393

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Affected products

Known affected 3 products

Product	Identifier	Version
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9394

Affected products

Known affected 3 products

Product	Identifier	Version
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9395

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9396

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9397

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9398

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9399

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9400

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9401

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—

CVE-2024-9402

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 3 products

Product	Identifier	Version
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox_esr mozilla	`cpe:2.3:a:mozilla:firefox_esr::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

CVE-2024-9403

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
thunderbird mozilla	`cpe:2.3:a:mozilla:thunderbird::::::::`	—
firefox mozilla	`cpe:2.3:a:mozilla:firefox::::::::`	—

References

19 references

URL	Category
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Mozilla heeft kwetsbaarheden verholpen in Firefox en Thunderbird. ",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om in de context van het slachtoffer beveiligingsmaatregelen te omzeilen en mogelijk willekeurige code uit te voeren of toegang te krijgen tot gevoelige gegevens in de context van de browser. ",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Mozilla heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Firefox 130, Firefox ESR 128.2 en Thunderbird 128.2. Voor meer informatie, zie bijgevoegde referenties.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Cleartext Transmission of Sensitive Information",
        "title": "CWE-319"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Rendered UI Layers or Frames",
        "title": "CWE-1021"
      },
      {
        "category": "general",
        "text": "User Interface (UI) Misrepresentation of Critical Information",
        "title": "CWE-451"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "title": "CWE-119"
      },
      {
        "category": "general",
        "text": "Origin Validation Error",
        "title": "CWE-346"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-48"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-46/"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-47/"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-49/"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-50/"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird",
    "tracking": {
      "current_release_date": "2024-10-02T09:07:21.241299Z",
      "id": "NCSC-2024-0387",
      "initial_release_date": "2024-10-02T09:07:21.241299Z",
      "revision_history": [
        {
          "date": "2024-10-02T09:07:21.241299Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "firefox_esr",
            "product": {
              "name": "firefox_esr",
              "product_id": "CSAFPID-2332",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "firefox",
            "product": {
              "name": "firefox",
              "product_id": "CSAFPID-2331",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "thunderbird",
            "product": {
              "name": "thunderbird",
              "product_id": "CSAFPID-2333",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "mozilla"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-8900",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331",
          "CSAFPID-2333",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-8900",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-8900.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2331",
            "CSAFPID-2333",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-8900"
    },
    {
      "cve": "CVE-2024-9391",
      "cwe": {
        "id": "CWE-451",
        "name": "User Interface (UI) Misrepresentation of Critical Information"
      },
      "notes": [
        {
          "category": "other",
          "text": "User Interface (UI) Misrepresentation of Critical Information",
          "title": "CWE-451"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9391",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9391.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9391"
    },
    {
      "cve": "CVE-2024-9392",
      "cwe": {
        "id": "CWE-346",
        "name": "Origin Validation Error"
      },
      "notes": [
        {
          "category": "other",
          "text": "Origin Validation Error",
          "title": "CWE-346"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2331",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9392",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9392.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2331",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-9392"
    },
    {
      "cve": "CVE-2024-9393",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2331",
          "CSAFPID-2333",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9393",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9393.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2331",
            "CSAFPID-2333",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-9393"
    },
    {
      "cve": "CVE-2024-9394",
      "product_status": {
        "known_affected": [
          "CSAFPID-2331",
          "CSAFPID-2333",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9394",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9394.json"
        }
      ],
      "title": "CVE-2024-9394"
    },
    {
      "cve": "CVE-2024-9395",
      "cwe": {
        "id": "CWE-1021",
        "name": "Improper Restriction of Rendered UI Layers or Frames"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of Rendered UI Layers or Frames",
          "title": "CWE-1021"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9395",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9395.json"
        }
      ],
      "title": "CVE-2024-9395"
    },
    {
      "cve": "CVE-2024-9396",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9396",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9396.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2332",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9396"
    },
    {
      "cve": "CVE-2024-9397",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9397",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9397.json"
        }
      ],
      "title": "CVE-2024-9397"
    },
    {
      "cve": "CVE-2024-9398",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9398",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9398.json"
        }
      ],
      "title": "CVE-2024-9398"
    },
    {
      "cve": "CVE-2024-9399",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9399",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9399.json"
        }
      ],
      "title": "CVE-2024-9399"
    },
    {
      "cve": "CVE-2024-9400",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
          "title": "CWE-119"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9400",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9400.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2332",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9400"
    },
    {
      "cve": "CVE-2024-9401",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2331",
          "CSAFPID-2332"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9401",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9401.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2331",
            "CSAFPID-2332"
          ]
        }
      ],
      "title": "CVE-2024-9401"
    },
    {
      "cve": "CVE-2024-9402",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2332",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9402",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9402.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2332",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9402"
    },
    {
      "cve": "CVE-2024-9403",
      "product_status": {
        "known_affected": [
          "CSAFPID-2333",
          "CSAFPID-2331"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-9403",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-9403.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2333",
            "CSAFPID-2331"
          ]
        }
      ],
      "title": "CVE-2024-9403"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-9393 (GCVE-0-2024-9393)

Solutions

Solutions

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature