CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-0747 – Mozilla: Bypass of Content Security Policy when directive unsafe-inline was set
https://notcve.org/view.php?id=CVE-2024-0747
When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. Cuando una página principal cargaba una secundaria en un iframe con "unsafe-inline", la política de seguridad de contenido principal podría haber anulado la política de seguridad de contenido secundaria. Esta vulnerabilidad afecta a Firefox < 122, Firefox ESR < 115.7 y Thunderbird < 115.7. The Mozilla Foundation Security Advisory describes this flaw as: When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1764343 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0747 https://bugzilla.redhat.com/show_bug.cgi?id=2259929 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-0746 – Mozilla: Crash when listing printers on Linux
https://notcve.org/view.php?id=CVE-2024-0746
A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. Un usuario de Linux que hubiera abierto el cuadro de diálogo de vista previa de impresión podría haber provocado que el navegador fallara. Esta vulnerabilidad afecta a Firefox < 122, Firefox ESR < 115.7 y Thunderbird < 115.7. The Mozilla Foundation Security Advisory describes this flaw as: A Linux user opening the print preview dialog could have caused the browser to crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1660223 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0746 https://bugzilla.redhat.com/show_bug.cgi?id=2259928 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-0742 – Mozilla: Failure to update user input timestamp
https://notcve.org/view.php?id=CVE-2024-0742
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. Era posible que el usuario activara o descartara ciertas indicaciones y cuadros de diálogo del navegador sin querer debido a una marca de tiempo incorrecta utilizada para evitar la entrada después de cargar la página. Esta vulnerabilidad afecta a Firefox < 122, Firefox ESR < 115.7 y Thunderbird < 115.7. The Mozilla Foundation Security Advisory describes this flaw as: It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. • https://bugzilla.mozilla.org/show_bug.cgi?id=1867152 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0742 https://bugzilla.redhat.com/show_bug.cgi?id=2259927 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2024-0741 – Mozilla: Out of bounds write in ANGLE
https://notcve.org/view.php?id=CVE-2024-0741
An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. Una escritura fuera de los límites en ANGLE podría haber permitido que un atacante corrompiera la memoria y provocara un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox < 122, Firefox ESR < 115.7 y Thunderbird < 115.7. The Mozilla Foundation Security Advisory describes this flaw as: An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. • https://github.com/HyHy100/Firefox-ANGLE-CVE-2024-0741 https://bugzilla.mozilla.org/show_bug.cgi?id=1864587 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0741 https://bugzilla.redhat& • CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6867 – Mozilla: Clickjacking permission prompts using the popup transition
https://notcve.org/view.php?id=CVE-2023-6867
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. El timing en el que se hace clic en un botón que provoca la desaparición de una ventana emergente era aproximadamente de la misma duración que el retraso anti-clickjacking en las solicitudes de permiso. Era posible utilizar este hecho para sorprender a los usuarios atrayéndolos a hacer clic en el lugar donde el botón de concesión de permiso estaría a punto de aparecer. • https://bugzilla.mozilla.org/show_bug.cgi?id=1863863 https://lists.debian.org/debian-lts-announce/2023/12/msg00020.html https://security.gentoo.org/glsa/202401-10 https://www.debian.org/security/2023/dsa-5581 https://www.mozilla.org/security/advisories/mfsa2023-54 https://www.mozilla.org/security/advisories/mfsa2023-56 https://access.redhat.com/security/cve/CVE-2023-6867 https://bugzilla.redhat.com/show_bug.cgi?id=2255366 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •