CVE-2024-9394 — Cross-site Scripting in Mozilla Firefox
Severity
7.5HIGHNVD
EPSS
0.2%
top 60.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 1
Latest updateOct 7
Description
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages7 packages
🔴Vulnerability Details
3OSV▶
CVE-2024-9394: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin↗2024-10-01
GHSA▶
GHSA-qph8-rvxf-5936: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin↗2024-10-01
CVEList▶
CVE-2024-9394: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin↗2024-10-01
📋Vendor Advisories
8Red Hat
▶
Debian▶
CVE-2024-9394: firefox - An attacker could, via a specially crafted multipart response, execute arbitrary...↗2024