CVE-2024-9397
published 2024-10-01CVE-2024-9397: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This…
medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| debian | thunderbird | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| mozilla | firefox | < 131.0 | 131.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 131.0+build1.1-0ubuntu0.20.04.1 | 131.0+build1.1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 131 | 131 |
| mozilla | firefox_esr | < 128.3.0 | 128.3.0 |
| mozilla | firefox_esr | >= unspecified < 128.3 | 128.3 |
| mozilla | thunderbird | < 128.3 | 128.3 |
| mozilla | thunderbird | — | — |
| mozilla | thunderbird | >= 0 < 1:128.3.0esr-1 | 1:128.3.0esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.3.0esr-1 | 1:128.3.0esr-1 |
| mozilla | thunderbird | >= unspecified < 128.3 | 128.3 |
| mozilla | thunderbird | >= unspecified < 131 | 131 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv9.8CRITICAL
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2026-02-02
CVE-2025-8031 Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-10-07·CVSS 9.8
CVE-2024-9394 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-9392,
CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400,
CVE-2024-9401, CVE-2024-9402, CVE-2024-9403)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://pdf.js" origin. An attacker could
potentially exploit this issue to execute arbitrary javascript code and
access cross-origin PDF content. (CVE-2024-9393)
Masato Kinugawa discovered that Firefox did not properl
Red Hat
firefox: thunderbird: Potential directory upload bypass via clickjacking
vendor_redhat·2024-10-01·CVSS 6.1
CVE-2024-9397 [MEDIUM] CWE-1021 firefox: thunderbird: Potential directory upload bypass via clickjacking
firefox: thunderbird: Potential directory upload bypass via clickjacking
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: thunderbird (Red Hat Enterprise L
Debian
CVE-2024-9397: firefox - A missing delay in directory upload UI could have made it possible for an attack...
vendor_debian·2024·CVSS 6.1
CVE-2024-9397 [MEDIUM] CVE-2024-9397: firefox - A missing delay in directory upload UI could have made it possible for an attack...
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
Scope: local
sid: resolved (fixed in 131.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-46: CVE-2024-9397
vendor_mozilla·CVSS 6.1
CVE-2024-9397 [MEDIUM] Mozilla Foundation Security Advisory 2024-46: CVE-2024-9397
Mozilla Foundation Security Advisory 2024-46
CVE: CVE-2024-9397
Product: Firefox
Impact: high
Fixed in: Firefox 131
Mozilla
Mozilla Foundation Security Advisory 2024-50: CVE-2024-9397
vendor_mozilla·CVSS 6.1
CVE-2024-9397 [MEDIUM] Mozilla Foundation Security Advisory 2024-50: CVE-2024-9397
Mozilla Foundation Security Advisory 2024-50
CVE: CVE-2024-9397
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 131
Mozilla
Mozilla Foundation Security Advisory 2024-47: CVE-2024-9397
vendor_mozilla·CVSS 6.1
CVE-2024-9397 [MEDIUM] Mozilla Foundation Security Advisory 2024-47: CVE-2024-9397
Mozilla Foundation Security Advisory 2024-47
CVE: CVE-2024-9397
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 128.3
Mozilla
Mozilla Foundation Security Advisory 2024-49: CVE-2024-9397
vendor_mozilla·CVSS 6.1
CVE-2024-9397 [MEDIUM] Mozilla Foundation Security Advisory 2024-49: CVE-2024-9397
Mozilla Foundation Security Advisory 2024-49
CVE: CVE-2024-9397
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 128.3
OSV
firefox vulnerabilities
osv·2024-10-07·CVSS 9.8
CVE-2024-9392 [CRITICAL] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-9392,
CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400,
CVE-2024-9401, CVE-2024-9402, CVE-2024-9403)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://pdf.js" origin. An attacker could
potentially exploit this issue to execute arbitrary javascript code and
access cross-origin PDF content. (CVE-2024-9393)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://devtools" origin. An
GHSA
GHSA-vpgc-chc4-fq2j: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking
ghsa_unreviewed·2024-10-01
CVE-2024-9397 [MEDIUM] CWE-1021 GHSA-vpgc-chc4-fq2j: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
OSV
CVE-2024-9397: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking
osv·2024-10-01·CVSS 6.1
CVE-2024-9397 [MEDIUM] CVE-2024-9397: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-10-01
Published