CVE-2024-2609 — Product UI does not Warn User of Unsafe Actions in Mozilla Firefox

CWE-356 — Product UI does not Warn User of Unsafe Actions13 documents8 sources

Severity

6.1MEDIUMNVD

OSV6.5

EPSS

1.1%

top 21.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +1 more

Timeline

PublishedMar 19

Latest updateApr 25

Description

The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 124

▶NVDmozilla/firefox< 115.10.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 115.10

▶Ubuntumozilla/firefox< 124.0+build1-0ubuntu0.20.04.1

▶CVEListV5mozilla/thunderbirdunspecified — 115.10

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

thunderbird vulnerabilities↗2024-04-25

▶

OSV

firefox vulnerabilities↗2024-03-20

▶

CVEList

CVE-2024-2609: The permission prompt input delay could expire while the window is not in focus↗2024-03-19

▶

OSV

CVE-2024-2609: The permission prompt input delay could expire while the window is not in focus↗2024-03-19

▶

GHSA

GHSA-xr62-xhf5-qw2c: The permission prompt input delay could have expired while the window is not in focus, which made the prompt vulnerable to clickjacking by malicious w↗2024-03-19

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2024-04-25

▶

Red Hat

Mozilla: Permission prompt input delay could expire when not in focus↗2024-04-16

▶

Ubuntu

Firefox vulnerabilities↗2024-03-20

▶

Debian

CVE-2024-2609: firefox - The permission prompt input delay could expire while the window is not in focus....↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-12: CVE-2024-2609↗

▶