CVE-2024-2611: The UI Performs the Wrong Action in Mozilla Firefox

Severity: 5.5 MEDIUM (NVD) | OSV 6.5
EPSS: 0.3% (top 44.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 19 | Latest update Dec 27

Description

A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Exploitability: 2.1 | Impact: 3.4

Affected Packages (8 packages)

CVEListV5 | mozilla/firefox | unspecified | 124
NVD | mozilla/firefox | < 115.9.0+1
CVEListV5 | mozilla/firefox_esr | unspecified | 115.9
Ubuntu | mozilla/firefox | < 124.0+build1-0ubuntu0.20.04.1
CVEListV5 | mozilla/thunderbird | unspecified | 115.9

Also affects: Debian Linux 10.0

🔴 Vulnerability Details (5)

OSV | thunderbird vulnerabilities | 2024-03-26
OSV | firefox vulnerabilities | 2024-03-20
GHSA | GHSA-63p7-87m3-8c9v: A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions | 2024-03-19
CVEList | CVE-2024-2611: A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions | 2024-03-19
OSV | CVE-2024-2611: A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions | 2024-03-19

📋 Vendor Advisories (8)

Red Hat | kernel: io_uring: check for overflows in io_pin_pages | 2024-12-27
Ubuntu | Thunderbird vulnerabilities | 2024-03-26
Ubuntu | Firefox vulnerabilities | 2024-03-20
Red Hat | Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions | 2024-03-19
Debian | CVE-2024-2611: firefox - A missing delay on when pointer lock was used could have allowed a malicious pag... | 2024