CVE-2024-1549UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021UI Misrepresentation / Clickjacking14 documents8 sources
Severity
6.1MEDIUMNVD
OSV7.5
EPSS
0.3%
top 43.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+1 more
Timeline
PublishedFeb 20
Latest updateMar 6

Description

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages7 packages

CVEListV5mozilla/firefoxunspecified123
NVDmozilla/firefox< 115.8.0+1
CVEListV5mozilla/firefox_esrunspecified115.8
Ubuntumozilla/firefox< 123.0+build3-0ubuntu0.20.04.1+1
CVEListV5mozilla/thunderbirdunspecified115.8

Also affects: Debian Linux 10.0

🔴Vulnerability Details

6
OSV
firefox regressions2024-03-06
OSV
thunderbird vulnerabilities2024-03-04
OSV
firefox vulnerabilities2024-02-22
CVEList
CVE-2024-1549: If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusi2024-02-20
OSV
CVE-2024-1549: If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusi2024-02-20

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2024-03-04
Ubuntu
Firefox vulnerabilities2024-02-22
Red Hat
Mozilla: Custom cursor could obscure the permission dialog2024-02-20
Debian
CVE-2024-1549: firefox - If a website set a large custom cursor, portions of the cursor could have overla...2024
Mozilla
Mozilla Foundation Security Advisory 2024-05: CVE-2024-1549
CVE-2024-1549 — UI Misrepresentation / Clickjacking | cvebase