CVE-2024-11700 — UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021 — UI Misrepresentation / Clickjacking CWE-356 — Product UI does not Warn User of Unsafe Actions8 documents7 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 49.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedNov 26

Description

Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 133

▶NVDmozilla/firefox< 133.0

▶CVEListV5mozilla/thunderbirdunspecified — 133

▶NVDmozilla/thunderbird< 133.0

🔴Vulnerability Details

OSV

CVE-2024-11700: Malicious websites may have been able to perform user intent confirmation through tapjacking↗2024-11-26

▶

GHSA

GHSA-845f-27fw-gjw9: Malicious websites may have been able to user intent confirmation through tapjacking↗2024-11-26

▶

CVEList

CVE-2024-11700: Malicious websites may have been able to perform user intent confirmation through tapjacking↗2024-11-26

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Potential Tapjacking Exploit for Intent Confirmation on Android↗2024-11-26

▶

Debian

CVE-2024-11700: firefox - Malicious websites may have been able to perform user intent confirmation throug...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-67: CVE-2024-11700↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-63: CVE-2024-11700↗

▶