Arbitrary JavaScript Execution Vulnerability Affects Firefox < 124.0.1 and Firefox ESR < 115.9.1
CVE-2024-29944

8.4 HIGH

Key Information:

Vendor: Mozilla
CVE Published: 22 March 2024

Badges

👾 Exploit Exists
📰 News Worthy

Summary

A vulnerability in the desktop version of Firefox allows an attacker to inject an event handler into a privileged object. Exploitation could result in the execution of arbitrary JavaScript within the parent process. This issue does not impact mobile versions of Firefox. Firefox versions prior to 124.0.1 and Firefox ESR versions before 115.9.1 are affected, and users of those versions should update immediately.

Affected Version(s)

Firefox < 124.0.1

Firefox ESR < 115.9.1

News Articles

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that were demonstrated during Pwn2Own Vancouver 2024.

2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now

Mozilla addresses two zero-day vulnerabilities that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by securityonline.info

  • Vulnerability published

  • Vulnerability Reserved

Credit

Manfred Paul via Trend Micro's Zero Day Initiative.