CVE-2024-7525

Published: Aug 6, 2024Modified: Aug 12, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

Affected (5)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird

3 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 129.0
Mozilla Firefox Esr	Before 115.14.0
Mozilla Firefox Esr	Version 128.0
Mozilla Thunderbird	Before 115.14.0
Mozilla Thunderbird	Version 128.0.1

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://bugzilla.mozilla.org/show_bug.cgi?id=1909298

Source: security@mozilla.org

Issue TrackingPermissions Required

https://www.mozilla.org/security/advisories/mfsa2024-33/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-34/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-35/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-37/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-38/

Source: security@mozilla.org

Vendor Advisory

Timeline

No history available yet.