CVE-2024-2609
Published: 2024-03-19
Medium 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | firefox | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| debian | firefox-esr | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| debian | thunderbird | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| mozilla | firefox | < 115.10.0 | 115.10.0 |
| mozilla | firefox | < 124.0 | 124.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 124.0+build1-0ubuntu0.20.04.1 | 124.0+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 124 | 124 |
| mozilla | firefox_esr | >= unspecified < 115.10 | 115.10 |
| mozilla | thunderbird | < 115.10.0 | 115.10.0 |
| mozilla | thunderbird | >= 0 < 1:115.10.1-1~deb11u1 | 1:115.10.1-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.10.1-1~deb12u1 | 1:115.10.1-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:115.10.1-1 | 1:115.10.1-1 |
| mozilla | thunderbird | >= 0 < 1:115.10.1-1 | 1:115.10.1-1 |
| mozilla | thunderbird | >= 0 < 1:115.10.1+build1-0ubuntu0.20.04.1 | 1:115.10.1+build1-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:115.10.1+build1-0ubuntu0.22.04.1 | 1:115.10.1+build1-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 115.10 | 115.10 |
CVSS provenance
nvd: CVSS v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv: 6.5 MEDIUM
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2024-04-25·CVSS 6.1
CVE-2024-3861 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-2609, CVE-2024-3852,
CVE-2024-3864)
Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)
Lukas Bernhard discovered that Thunderbird did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulne
Red Hat
Mozilla: Permission prompt input delay could expire when not in focus
vendor_redhat·2024-04-16·CVSS 6.1
CVE-2024-2609 [MEDIUM] CWE-356 Mozilla: Permission prompt input delay could expire when not in focus
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.
The Mozilla Foundation Security Advisory describes this flaw as:
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Package: firefox (Red Hat Enterprise Linux 6) - Out of support scope
Package: thunderbird (Red Hat Enterprise Linux 6) - Out of support scope
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-03-20·CVSS 6.5
CVE-2024-2610 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-2609,
CVE-2024-2611, CVE-2024-2614, CVE-2024-2615)
Hubert Kario discovered that Firefox had a timing side-channel when
performing RSA decryption. A remote attacker could possibly use this
issue to recover sensitive information. (CVE-2023-5388)
It was discovered that Firefox did not properly handle WASM register
values in some circumstances. An attacker could potentially exploit this
issue to cause a denial of service. (CVE-2024-260
Debian
CVE-2024-2609: firefox - The permission prompt input delay could expire while the window is not in focus....
vendor_debian·2024·CVSS 6.1
CVE-2024-2609 [MEDIUM] CVE-2024-2609: firefox - The permission prompt input delay could expire while the window is not in focus....
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.
Scope: local
sid: resolved (fixed in 124.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-12: CVE-2024-2609
vendor_mozilla·CVSS 6.1
CVE-2024-2609 [MEDIUM] Mozilla Foundation Security Advisory 2024-12: CVE-2024-2609
Mozilla Foundation Security Advisory 2024-12
CVE: CVE-2024-2609
Product: Firefox
Impact: critical
Fixed in: Firefox 124
Mozilla
Mozilla Foundation Security Advisory 2024-20: CVE-2024-2609
vendor_mozilla·CVSS 6.1
CVE-2024-2609 [MEDIUM] Mozilla Foundation Security Advisory 2024-20: CVE-2024-2609
Mozilla Foundation Security Advisory 2024-20
CVE: CVE-2024-2609
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 115.10
Mozilla
Mozilla Foundation Security Advisory 2024-19: CVE-2024-2609
vendor_mozilla·CVSS 6.1
CVE-2024-2609 [MEDIUM] Mozilla Foundation Security Advisory 2024-19: CVE-2024-2609
Mozilla Foundation Security Advisory 2024-19
CVE: CVE-2024-2609
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 115.10
OSV
thunderbird vulnerabilities
osv·2024-04-25·CVSS 6.1
CVE-2024-2609 [MEDIUM] thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-2609, CVE-2024-3852,
CVE-2024-3864)
Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)
Lukas Bernhard discovered that Thunderbird did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulnerability.
An attacker could possibly use this issue to cause a denia
OSV
firefox vulnerabilities
osv·2024-03-20·CVSS 6.5
CVE-2024-2609 [MEDIUM] firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-2609,
CVE-2024-2611, CVE-2024-2614, CVE-2024-2615)
Hubert Kario discovered that Firefox had a timing side-channel when
performing RSA decryption. A remote attacker could possibly use this
issue to recover sensitive information. (CVE-2023-5388)
It was discovered that Firefox did not properly handle WASM register
values in some circumstances. An attacker could potentially exploit this
issue to cause a denial of service. (CVE-2024-2606)
Gary Kwong discovered that Firefox incorrectly updated retur
OSV
CVE-2024-2609: The permission prompt input delay could expire while the window is not in focus
osv·2024-03-19·CVSS 6.1
CVE-2024-2609 [MEDIUM] CVE-2024-2609: The permission prompt input delay could expire while the window is not in focus
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.
GHSA
GHSA-xr62-xhf5-qw2c: The permission prompt input delay could have expired while the window is not in focus, which made the prompt vulnerable to clickjacking by malicious w
ghsa_unreviewed·2024-03-19
CVE-2024-2609 [MEDIUM] CWE-356 GHSA-xr62-xhf5-qw2c: The permission prompt input delay could have expired while the window is not in focus, which made the prompt vulnerable to clickjacking by malicious w
The permission prompt input delay could have expired while the window is not in focus, which made the prompt vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1866100
https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html
https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html
https://www.mozilla.org/security/advisories/mfsa2024-12/
https://www.mozilla.org/security/advisories/mfsa2024-19/
https://www.mozilla.org/security/advisories/mfsa2024-20/