CVE-2024-7524
published 2024-08-06CVE-2024-7524: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy…
medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 129.0-1 (sid) | firefox 129.0-1 (sid) |
| debian | firefox-esr | < firefox 129.0-1 (sid) | firefox 129.0-1 (sid) |
| mozilla | firefox | < 129.0 | 129.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 129.0.2+build1-0ubuntu0.20.04.1 | 129.0.2+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= 0 < 129.0.1+build1-0ubuntu0.20.04.1 | 129.0.1+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 129 | 129 |
| mozilla | firefox_esr | < 115.14 | 115.14 |
| mozilla | firefox_esr | >= 116.0 < 128.1 | 128.1 |
| mozilla | firefox_esr | >= unspecified < 115.14 | 115.14 |
| mozilla | firefox_esr | >= unspecified < 128.1 | 128.1 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv6.5MEDIUM
Ubuntu
Firefox regressions
vendor_ubuntu·2024-08-21·CVSS 6.5
[MEDIUM] Firefox regressions
Title: Firefox regressions
Summary: USN-6966-1 caused some minor regressions in Firefox.
USN-6966-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-7518,
CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528,
CVE-2024-7529, CVE-2024-7530, CVE-2024-7531)
It was discovered that Firefox did not properly manage certain memory
operations when processing graphics shared memo
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-08-19·CVSS 6.5
CVE-2024-7518 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-7518,
CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528,
CVE-2024-7529, CVE-2024-7530, CVE-2024-7531)
It was discovered that Firefox did not properly manage certain memory
operations when processing graphics shared memory. An attacker could
potentially exploit this issue to escape the sandbox. (CVE-2024-7519)
Nan Wang discovered that Firefox did not properly handle type check in
WebAssembly. An attacker coul
Red Hat
mozilla: CSP strict-dynamic bypass using web-compatibility shims
vendor_redhat·2024-08-06·CVSS 6.1
CVE-2024-7524 [MEDIUM] CWE-79 mozilla: CSP strict-dynamic bypass using web-compatibility shims
mozilla: CSP strict-dynamic bypass using web-compatibility shims
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
The Mozilla Foundation Security Advisory describes this flaw as:
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element
Debian
CVE-2024-7524: firefox - Firefox adds web-compatibility shims in place of some tracking scripts blocked b...
vendor_debian·2024·CVSS 6.1
CVE-2024-7524 [MEDIUM] CVE-2024-7524: firefox - Firefox adds web-compatibility shims in place of some tracking scripts blocked b...
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
Scope: local
sid: resolved (fixed in 129.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-33: CVE-2024-7524
vendor_mozilla·CVSS 6.1
CVE-2024-7524 [MEDIUM] Mozilla Foundation Security Advisory 2024-33: CVE-2024-7524
Mozilla Foundation Security Advisory 2024-33
CVE: CVE-2024-7524
Product: Firefox
Impact: low
Fixed in: Firefox 129
Mozilla
Mozilla Foundation Security Advisory 2024-34: CVE-2024-7524
vendor_mozilla·CVSS 6.1
CVE-2024-7524 [MEDIUM] Mozilla Foundation Security Advisory 2024-34: CVE-2024-7524
Mozilla Foundation Security Advisory 2024-34
CVE: CVE-2024-7524
Product: Firefox ESR
Impact: low
Fixed in: Firefox ESR 115.14
Mozilla
Mozilla Foundation Security Advisory 2024-35: CVE-2024-7524
vendor_mozilla·CVSS 6.1
CVE-2024-7524 [MEDIUM] Mozilla Foundation Security Advisory 2024-35: CVE-2024-7524
Mozilla Foundation Security Advisory 2024-35
CVE: CVE-2024-7524
Product: Firefox ESR
Impact: low
Fixed in: Firefox ESR 128.1
OSV
firefox regressions
osv·2024-08-21·CVSS 6.5
CVE-2024-7518 [MEDIUM] firefox regressions
firefox regressions
USN-6966-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-7518,
CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528,
CVE-2024-7529, CVE-2024-7530, CVE-2024-7531)
It was discovered that Firefox did not properly manage certain memory
operations when processing graphics shared memory. An attacker could
potentially exploit this issue to escape the san
OSV
firefox vulnerabilities
osv·2024-08-19·CVSS 6.5
CVE-2024-7518 [MEDIUM] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-7518,
CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528,
CVE-2024-7529, CVE-2024-7530, CVE-2024-7531)
It was discovered that Firefox did not properly manage certain memory
operations when processing graphics shared memory. An attacker could
potentially exploit this issue to escape the sandbox. (CVE-2024-7519)
Nan Wang discovered that Firefox did not properly handle type check in
WebAssembly. An attacker could potentially exploit this issue to execute
arbitrary code. (CVE
GHSA
GHSA-7m9h-4qg6-4hmh: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection
ghsa_unreviewed·2024-08-06
CVE-2024-7524 [MEDIUM] CWE-79 GHSA-7m9h-4qg6-4hmh: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
OSV
CVE-2024-7524: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection
osv·2024-08-06·CVSS 6.1
CVE-2024-7524 [MEDIUM] CVE-2024-7524: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-08-06
Published