CVE-2024-9394

firefox: thunderbird: Cross-origin access to JSON contents through multipart responses

Severity Score

7.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

NVD
RedHat

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://devtools origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions.

*Credits: Masato Kinugawa

CVSS Scores

Red Hatv3.1 7.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-01 CVE Reserved
2024-10-01 CVE Published
2024-10-30 CVE Updated
2024-10-31 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (8)

URL	Tag	Source
https://bugzilla.mozilla.org/show_bug.cgi?id=1918874
https://www.mozilla.org/security/advisories/mfsa2024-46
https://www.mozilla.org/security/advisories/mfsa2024-47
https://www.mozilla.org/security/advisories/mfsa2024-48
https://www.mozilla.org/security/advisories/mfsa2024-49
https://www.mozilla.org/security/advisories/mfsa2024-50

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-9394	2024-10-16
https://bugzilla.redhat.com/show_bug.cgi?id=2315957	2024-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-