CVE-2024-5691
published 2024-06-11CVE-2024-5691: By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions…
medium4.7CVSS 3.1
AVNACLPRNUIRSCCNILAN
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 127.0-1 (sid) | firefox 127.0-1 (sid) |
| debian | firefox-esr | < firefox 127.0-1 (sid) | firefox 127.0-1 (sid) |
| debian | thunderbird | < firefox 127.0-1 (sid) | firefox 127.0-1 (sid) |
| mozilla | firefox | < 127.0 | 127.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 127.0.2+build1-0ubuntu0.20.04.1 | 127.0.2+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 127 | 127 |
| mozilla | firefox_esr | < 115.12 | 115.12 |
| mozilla | firefox_esr | >= unspecified < 115.12 | 115.12 |
| mozilla | thunderbird | < 115.12 | 115.12 |
| mozilla | thunderbird | >= 0 < 1:115.12.0-1~deb11u1 | 1:115.12.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.12.0-1~deb12u1 | 1:115.12.0-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:115.12.0-1 | 1:115.12.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.12.0-1 | 1:115.12.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.12.0+build3-0ubuntu0.20.04.1 | 1:115.12.0+build3-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:115.12.0+build3-0ubuntu0.22.04.1 | 1:115.12.0+build3-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 115.12 | 115.12 |
CVSS provenance
nvdv3.14.7MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
osv8.1HIGH
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-07-03·CVSS 8.1
CVE-2024-5693 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-5689,
CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5697, CVE-2024-5698,
CVE-2024-5699, CVE-2024-5700, CVE-2024-5701)
Lukas Bernhard discovered that Firefox did not properly manage memory
during garbage collection. An attacker could potentially exploit this
issue to cause a denial of service, or execute arbitrary code.
(CVE-2024-5688)
Lukas Bernhard discovered that Firefox did not properly manage memory in
the JavaScript en
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2024-06-19·CVSS 8.1
CVE-2024-5688 [HIGH] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.(CVE-2024-5688, CVE-2024-5690,
CVE-2024-5696, CVE-2024-5700, CVE-2024-5702)
Luan Herrera discovered that Thunderbird did not properly validate the
X-Frame-Options header inside sandboxed iframe. An attacker could
potentially exploit this issue to bypass sandbox restrictions to open a new
window. (CVE-2024-5691)
Kirtikumar Anandrao Ramchandani discovered that Thunderbird did
Red Hat
Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
vendor_redhat·2024-06-11·CVSS 4.7
CVE-2024-5691 [MEDIUM] CWE-284 Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
The Mozilla Foundation Security Advisory describes this flaw as:
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Package: firefox (Red Hat Enterprise Linux 6) - Out of suppor
Debian
CVE-2024-5691: firefox - By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe coul...
vendor_debian·2024·CVSS 4.7
CVE-2024-5691 [MEDIUM] CVE-2024-5691: firefox - By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe coul...
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Scope: local
sid: resolved (fixed in 127.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-28: CVE-2024-5691
vendor_mozilla·CVSS 4.7
CVE-2024-5691 [MEDIUM] Mozilla Foundation Security Advisory 2024-28: CVE-2024-5691
Mozilla Foundation Security Advisory 2024-28
CVE: CVE-2024-5691
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 115.12
Mozilla
Mozilla Foundation Security Advisory 2024-25: CVE-2024-5691
vendor_mozilla·CVSS 4.7
CVE-2024-5691 [MEDIUM] Mozilla Foundation Security Advisory 2024-25: CVE-2024-5691
Mozilla Foundation Security Advisory 2024-25
CVE: CVE-2024-5691
Product: Firefox
Impact: high
Fixed in: Firefox 127
Mozilla
Mozilla Foundation Security Advisory 2024-26: CVE-2024-5691
vendor_mozilla·CVSS 4.7
CVE-2024-5691 [MEDIUM] Mozilla Foundation Security Advisory 2024-26: CVE-2024-5691
Mozilla Foundation Security Advisory 2024-26
CVE: CVE-2024-5691
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 115.12
OSV
firefox vulnerabilities
osv·2024-07-03·CVSS 8.1
CVE-2024-5689 [HIGH] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-5689,
CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5697, CVE-2024-5698,
CVE-2024-5699, CVE-2024-5700, CVE-2024-5701)
Lukas Bernhard discovered that Firefox did not properly manage memory
during garbage collection. An attacker could potentially exploit this
issue to cause a denial of service, or execute arbitrary code.
(CVE-2024-5688)
Lukas Bernhard discovered that Firefox did not properly manage memory in
the JavaScript engine. An attacker could potentially exploit this issue to
obtain
OSV
thunderbird vulnerabilities
osv·2024-06-19·CVSS 8.1
CVE-2024-5688 [HIGH] thunderbird vulnerabilities
thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.(CVE-2024-5688, CVE-2024-5690,
CVE-2024-5696, CVE-2024-5700, CVE-2024-5702)
Luan Herrera discovered that Thunderbird did not properly validate the
X-Frame-Options header inside sandboxed iframe. An attacker could
potentially exploit this issue to bypass sandbox restrictions to open a new
window. (CVE-2024-5691)
Kirtikumar Anandrao Ramchandani discovered that Thunderbird did not properly
track cross-origin tainting in Offscreen Canvas. An att
GHSA
GHSA-xhxm-p3qv-qprc: By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass res
ghsa_unreviewed·2024-06-11
CVE-2024-5691 [MEDIUM] CWE-693 GHSA-xhxm-p3qv-qprc: By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass res
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127 and Firefox ESR < 115.12.
OSV
CVE-2024-5691: By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass res
osv·2024-06-11·CVSS 4.7
CVE-2024-5691 [MEDIUM] CVE-2024-5691: By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass res
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1888695https://lists.debian.org/debian-lts-announce/2024/06/msg00000.htmlhttps://lists.debian.org/debian-lts-announce/2024/06/msg00010.htmlhttps://www.mozilla.org/security/advisories/mfsa2024-25/https://www.mozilla.org/security/advisories/mfsa2024-26/https://www.mozilla.org/security/advisories/mfsa2024-28/https://bugzilla.mozilla.org/show_bug.cgi?id=1888695https://lists.debian.org/debian-lts-announce/2024/06/msg00000.htmlhttps://lists.debian.org/debian-lts-announce/2024/06/msg00010.htmlhttps://www.mozilla.org/security/advisories/mfsa2024-25/https://www.mozilla.org/security/advisories/mfsa2024-26/https://www.mozilla.org/security/advisories/mfsa2024-28/
2024-06-11
Published