CVE-2024-9397UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021UI Misrepresentation / Clickjacking13 documents8 sources
Severity
6.1MEDIUMNVD
OSV9.8
EPSS
0.2%
top 55.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedOct 1
Latest updateFeb 2

Description

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages8 packages

CVEListV5mozilla/firefoxunspecified131
NVDmozilla/firefox< 131.0
CVEListV5mozilla/firefox_esrunspecified128.3
CVEListV5mozilla/thunderbirdunspecified128.3+1
NVDmozilla/firefox_esr< 128.3.0

🔴Vulnerability Details

4
OSV
firefox vulnerabilities2024-10-07
GHSA
GHSA-vpgc-chc4-fq2j: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking2024-10-01
OSV
CVE-2024-9397: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking2024-10-01
CVEList
CVE-2024-9397: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking2024-10-01

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2026-02-02
Ubuntu
Firefox vulnerabilities2024-10-07
Red Hat
firefox: thunderbird: Potential directory upload bypass via clickjacking2024-10-01
Debian
CVE-2024-9397: firefox - A missing delay in directory upload UI could have made it possible for an attack...2024
Mozilla
Mozilla Foundation Security Advisory 2024-46: CVE-2024-9397
CVE-2024-9397 — UI Misrepresentation / Clickjacking | cvebase