CVE-2024-5693Inclusion of Functionality from Untrusted Control Sphere in Mozilla Firefox

CWE-829Inclusion of Functionality from Untrusted Control Sphere12 documents8 sources
Severity
6.1MEDIUMNVD
OSV8.1
EPSS
1.5%
top 19.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedJun 11
Latest updateJul 3

Description

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages7 packages

CVEListV5mozilla/firefoxunspecified127
NVDmozilla/firefox< 115.12+1
CVEListV5mozilla/firefox_esrunspecified115.12
Ubuntumozilla/firefox< 127.0.2+build1-0ubuntu0.20.04.1
CVEListV5mozilla/thunderbirdunspecified115.12

🔴Vulnerability Details

4
OSV
firefox vulnerabilities2024-07-03
CVEList
CVE-2024-5693: Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin2024-06-11
GHSA
GHSA-pxf8-583j-3rmh: Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin2024-06-11
OSV
CVE-2024-5693: Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin2024-06-11

📋Vendor Advisories

7
Ubuntu
Firefox vulnerabilities2024-07-03
Ubuntu
Thunderbird vulnerabilities2024-06-19
Red Hat
Mozilla: Cross-Origin Image leak via Offscreen Canvas2024-06-11
Debian
CVE-2024-5693: firefox - Offscreen Canvas did not properly track cross-origin tainting, which could be us...2024
Mozilla
Mozilla Foundation Security Advisory 2024-25: CVE-2024-5693
CVE-2024-5693 — Mozilla Firefox vulnerability | cvebase