CVE-2024-2610

Published: Mar 19, 2024Modified: Apr 1, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Affected (3)

Products: Mozilla: Firefox, Thunderbird

Mozilla

2 products

Firefox

Thunderbird

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 124.0
Mozilla Firefox	Before 115.9.0
Mozilla Thunderbird	Before 115.9.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (12)

https://bugzilla.mozilla.org/show_bug.cgi?id=1871112

Source: security@mozilla.org

ExploitIssue TrackingVendor Advisory

https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html

Source: security@mozilla.org

Mailing List

https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html

Source: security@mozilla.org

Mailing List

https://www.mozilla.org/security/advisories/mfsa2024-12/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-13/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-14/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1871112