CVE-2024-11703 — Insufficiently Protected Credentials in Mozilla Firefox

CWE-522 — Insufficiently Protected Credentials CWE-276 — Incorrect Default Permissions CWE-288 — Authentication Bypass Using an Alternate Path or Channel8 documents8 sources

Severity

5.7MEDIUMNVD

EPSS

0.1%

top 78.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox

Timeline

PublishedNov 26

Latest updateDec 19

Description

On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 0.5 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5mozilla/firefoxunspecified — 133

▶NVDmozilla/firefox< 133.0

🔴Vulnerability Details

GHSA

GHSA-wjq6-6xvc-xr82: On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication↗2024-11-26

▶

CVEList

CVE-2024-11703: On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication↗2024-11-26

▶

OSV

CVE-2024-11703: On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication↗2024-11-26

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Password access without authentication via PIN bypass on Android↗2024-11-26

▶

Debian

CVE-2024-11703: firefox - On Android, Firefox may have inadvertently allowed viewing saved passwords witho...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-63: CVE-2024-11703↗

▶

💬Community

Bugzilla

password fingerprint protections bypassed using the OS "back" action↗2024-12-19

▶