CVE-2024-2609

Published: Mar 19, 2024Modified: Apr 1, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.

Affected (4)

Products: Mozilla: Firefox, Thunderbird · Debian: Debian Linux

2 products

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 124.0
Mozilla Firefox	Before 115.10.0
Mozilla Thunderbird	Before 115.10.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-356

Product UI does not Warn User of Unsafe Actions

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

References (12)

https://bugzilla.mozilla.org/show_bug.cgi?id=1866100

Source: security@mozilla.org

ExploitIssue TrackingVendor Advisory

https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html

Source: security@mozilla.org

Mailing List

https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html

Source: security@mozilla.org

Mailing List

https://www.mozilla.org/security/advisories/mfsa2024-12/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-19/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-20/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1866100