Mozilla Fixes Vulnerability in Firefox Allowing Unscrupulous Websites to Launch Applications Without User Permission
CVE-2024-8383
7.5HIGH
Key Information
- Vendor
- Mozilla
- Status
- Firefox
- Firefox Esr
- Thunderbird
- Vendor
- CVE Published:
- 3 September 2024
Summary
Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.
Affected Version(s)
Firefox < 130
Firefox ESR < 128.2
Firefox ESR < 115.15
Refferences
https://bugzilla.mozilla.org/show_bug.cgi?id=1908496
https://www.mozilla.org/security/advisories/mfsa2024-39/
https://www.mozilla.org/security/advisories/mfsa2024-40/
https://www.mozilla.org/security/advisories/mfsa2024-41/
https://www.mozilla.org/security/advisories/mfsa2024-43/
https://www.mozilla.org/security/advisories/mfsa2024-44/
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability Reserved
Vulnerability published
Collectors
NVD DatabaseMitre Database
Credit
D7