CVE-2024-9394
10/1/2024 4:15:00 PM
3 ماه قبل
2 ماه قبل
7
Reporter :security@mozilla.org
Modified :10/1/2024 4:15:00 PM
Problem Data :NVD-CWE-Other
Description
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Cvss Version 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
Reference
| لینک | منبع | تگ ها |
|---|---|---|
| https://www.mozilla.org/security/advisories/mfsa2024-47/ | Vendor Advisory | |
| https://www.mozilla.org/security/advisories/mfsa2024-50/ | Vendor Advisory | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 | Permissions Required | |
| https://www.mozilla.org/security/advisories/mfsa2024-46/ | Vendor Advisory | |
| https://www.mozilla.org/security/advisories/mfsa2024-48/ | Vendor Advisory | |
| https://www.mozilla.org/security/advisories/mfsa2024-49/ | Vendor Advisory |