CVE-2024-10460
Published 2024-10-29
Medium, 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 132.0-1 (sid) | firefox 132.0-1 (sid) |
| debian | firefox-esr | < firefox 132.0-1 (sid) | firefox 132.0-1 (sid) |
| debian | thunderbird | < firefox 132.0-1 (sid) | firefox 132.0-1 (sid) |
| mozilla | firefox | < 128.4.0 | 128.4.0 |
| mozilla | firefox | < 132.0 | 132.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 132.0+build1-0ubuntu0.20.04.1 | 132.0+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 132 | 132 |
| mozilla | firefox_esr | >= unspecified < 128.4 | 128.4 |
| mozilla | thunderbird | < 128.4 | 128.4 |
| mozilla | thunderbird | >= 0 < 1:128.4.0esr-1~deb11u1 | 1:128.4.0esr-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:128.4.0esr-1~deb12u1 | 1:128.4.0esr-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:128.4.0esr-1 | 1:128.4.0esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.4.0esr-1 | 1:128.4.0esr-1 |
| mozilla | thunderbird | >= 129 < 132 | 132 |
| mozilla | thunderbird | >= unspecified < 128.4 | 128.4 |
| mozilla | thunderbird | >= unspecified < 132 | 132 |
CVSS provenance
nvd: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv: 7.5 HIGH
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2026-02-02
CVE-2025-8031 Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-10-31·CVSS 7.5
CVE-2024-10459 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-10458,
CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462,
CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466,
CVE-2024-10467, CVE-2024-10468)
Instructions: After a standard system update you need to restart Firefox to make all the
necessary changes.
Red Hat
firefox: thunderbird: Confusing display of origin for external protocol handler prompt
vendor_redhat·2024-10-29·CVSS 5.3
CVE-2024-10460 [MEDIUM] CWE-940 firefox: thunderbird: Confusing display of origin for external protocol handler prompt
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
The Mozilla Foundation's Security Advisory: The origin of an external protocol handler prompt could be obscured using a data: URL within an `iframe`.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Package: firefox (Red Hat Enterprise Linux 6) - Out of support scope
Package: thunderbird (Red Hat Enterprise Linux 6) - Out of support scope
Package: thunderbird (Red Hat Enterprise Linux 7) - Out of support s
Debian
CVE-2024-10460: firefox - The origin of an external protocol handler prompt could have been obscured using...
vendor_debian·2024·CVSS 5.3
CVE-2024-10460 [MEDIUM] CVE-2024-10460: firefox - The origin of an external protocol handler prompt could have been obscured using...
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local
sid: resolved (fixed in 132.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-58: CVE-2024-10460
vendor_mozilla·CVSS 5.3
CVE-2024-10460 [MEDIUM] Mozilla Foundation Security Advisory 2024-58: CVE-2024-10460
Mozilla Foundation Security Advisory 2024-58
CVE: CVE-2024-10460
Product: Thunderbird
Impact: moderate
Fixed in: Thunderbird 128.4
Mozilla
Mozilla Foundation Security Advisory 2024-56: CVE-2024-10460
vendor_mozilla·CVSS 5.3
CVE-2024-10460 [MEDIUM] Mozilla Foundation Security Advisory 2024-56: CVE-2024-10460
Mozilla Foundation Security Advisory 2024-56
CVE: CVE-2024-10460
Product: Firefox ESR
Impact: moderate
Fixed in: Firefox ESR 128.4
Mozilla
Mozilla Foundation Security Advisory 2024-55: CVE-2024-10460
vendor_mozilla·CVSS 5.3
CVE-2024-10460 [MEDIUM] Mozilla Foundation Security Advisory 2024-55: CVE-2024-10460
Mozilla Foundation Security Advisory 2024-55
CVE: CVE-2024-10460
Product: Firefox
Impact: moderate
Fixed in: Firefox 132
Mozilla
Mozilla Foundation Security Advisory 2024-59: CVE-2024-10460
vendor_mozilla·CVSS 5.3
CVE-2024-10460 [MEDIUM] Mozilla Foundation Security Advisory 2024-59: CVE-2024-10460
Mozilla Foundation Security Advisory 2024-59
CVE: CVE-2024-10460
Product: Thunderbird
Impact: moderate
Fixed in: Thunderbird 132
OSV
firefox vulnerabilities
osv·2024-10-31·CVSS 7.5
CVE-2024-10458 [HIGH] firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-10458,
CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462,
CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466,
CVE-2024-10467, CVE-2024-10468)
GHSA
GHSA-jv24-5j5x-m8w6: The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`
ghsa_unreviewed·2024-10-29
CVE-2024-10460 [MEDIUM] CWE-346 GHSA-jv24-5j5x-m8w6: The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
OSV
CVE-2024-10460: The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`
osv·2024-10-29·CVSS 5.3
CVE-2024-10460 [MEDIUM] CVE-2024-10460: The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1912537
https://www.mozilla.org/security/advisories/mfsa2024-55/
https://www.mozilla.org/security/advisories/mfsa2024-56/
https://www.mozilla.org/security/advisories/mfsa2024-58/
https://www.mozilla.org/security/advisories/mfsa2024-59/
https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html
https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html