CVE-2024-7525Incorrect Default Permissions in Mozilla Firefox

CWE-276Incorrect Default PermissionsCWE-284Improper Access ControlCWE-269Improper Privilege Management13 documents8 sources
Severity
8.1HIGHNVD
EPSS
0.1%
top 66.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedAug 6
Latest updateSep 9

Description

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages7 packages

CVEListV5mozilla/firefoxunspecified129
NVDmozilla/firefox< 129.0
CVEListV5mozilla/firefox_esrunspecified115.14+1
NVDmozilla/firefox_esr< 115.14.0+1
CVEListV5mozilla/thunderbirdunspecified128.1+1

🔴Vulnerability Details

3
OSV
CVE-2024-7525: It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of re2024-08-06
GHSA
GHSA-7369-x5q2-rh2m: It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of re2024-08-06
CVEList
CVE-2024-7525: It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of re2024-08-06

📋Vendor Advisories

9
Ubuntu
Thunderbird vulnerabilities2024-09-09
Ubuntu
Firefox vulnerabilities2024-08-19
Red Hat
mozilla: Missing permission check when creating a StreamFilter2024-08-06
Debian
CVE-2024-7525: firefox - It was possible for a web extension with minimal permissions to create a `Stream...2024
Mozilla
Mozilla Foundation Security Advisory 2024-33: CVE-2024-7525
CVE-2024-7525 — Incorrect Default Permissions | cvebase