Mozilla Fixes Vulnerability in Firefox Allowing Unscrupulous Websites to Launch Applications Without User Permission
CVE-2024-8383

7.5 HIGH

Key Information:

Vendor: Mozilla
CVE Published: 3 September 2024

Summary

A vulnerability exists in Firefox due to improper input handling for Usenet-related schemes (news: and snews:). The browser fails to prompt users for confirmation before delegating the handling of unsupported schemes to the operating system. This can lead to potential exploitation where an untrusted application is activated without user consent, especially since many operating systems lack a pre-installed trusted newsreader. This issue poses significant risks as malicious websites could leverage this flaw to execute unauthorized programs, potentially compromising user security. Affected versions include Firefox versions before 130, Firefox ESR versions before 128.2, and Firefox ESR versions before 115.15.

Affected Version(s)

Firefox < 130

Firefox ESR < 128.2

Firefox ESR < 115.15

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D7