CVE-2024-9393 — Origin Validation Error in Mozilla Firefox
Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 59.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 1
Latest update: Oct 7
Description
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 7 packages
Vulnerability Details (4)
GHSA
GHSA-rggh-rm3v-8xqj: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf... (2024-10-01)
CVEList
CVE-2024-9393: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf... (2024-10-01)
OSV
CVE-2024-9393: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf... (2024-10-01)
Vendor Advisories (8)
Red Hat
Debian
CVE-2024-9393: firefox - An attacker could, via a specially crafted multipart response, execute arbitrary... (2024)