| Field | Value |
|---|---|
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755 |
| CWE-ID | CWE-787, CWE-254, CWE-617, CWE-264, CWE-357, CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | Debian Linux (Operating systems & Components / Operating system); firefox-esr (Debian package) (Operating systems & Components / Operating system package or component) |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
EUVDB-ID: #VU85707
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0741
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error in ANGLE when processing untrusted input. A remote attacker can trick the victim into opening a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85708
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0742
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a failure to update the user input timestamp for certain browser prompts and dialogs. A remote attacker can perform a clickjacking attack and trick the victim into granting unintended permissions to a malicious website.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85712
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0746
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when listing printers on Linux. A remote attacker can trick the victim into opening the print preview dialog and crash the browser.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85713
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0747
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in the way the Content Security Policy handles the unsafe-inline directive. When a parent page loaded a child in an iframe with unsafe-inline, the parent Content Security Policy could have overridden the child Content Security Policy.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85715
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0749
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because the application does not properly impose security restrictions. A phishing site could have repurposed an about: dialog to show phishing content with an incorrect origin in the address bar.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85716
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0750
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a clickjacking attack.
The vulnerability exists due to an error in the popup notification delay calculation. A remote attacker can perform a clickjacking attack and trick a user into granting permissions to a malicious web application.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85717
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0751
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions. A malicious devtools extension could have been used to escalate privileges.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85719
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0753
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling HSTS on a subdomain. In specific HSTS configurations an attacker could have bypassed HSTS.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85721
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0755
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update the firefox-esr package to one of the following versions: 115.7.0esr-1~deb11u1, 115.7.0esr-1~deb12u1.
Vulnerable software versions:
Debian Linux: All versions
firefox-esr (Debian package): before 115.7.0esr-1~deb11u1
CPE2.3
External link: http://lists.debian.org/debian-security-announce/2024/msg00013.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
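The mitigation for all nine entries in this bulletin is the same package update, so the practical question for a fleet is which hosts still run a firefox-esr build older than 115.7.0esr-1~deb11u1 (bullseye) or 115.7.0esr-1~deb12u1 (bookworm). The following Python script is an added example, not part of this bulletin and not Debian's own tooling: it re-implements the Debian Policy version ordering (section 5.6.12, the same rules `dpkg --compare-versions` applies) in pure Python so the check can run on an analysis host without dpkg, then classifies collected package versions. The `SAMPLE_INVENTORY` lines, the hostnames in them, and the `assess`/`triage` helper names are constructed for the example; the fallback for versions without a deb11/deb12 suite tag (compare the upstream part only) is an assumption of this example, not something the bulletin states.

```python
"""Triage helper: which collected firefox-esr versions are still below the
fixed versions named in the bulletin?  Added example, not the bulletin's or
Debian's code.  Implements Debian Policy 5.6.12 version comparison."""
import itertools
import re

# Fixed versions from the bulletin, keyed by the suite tag found in the
# Debian revision (deb11 = bullseye, deb12 = bookworm).
FIXED_VERSIONS = {
    "deb11": "115.7.0esr-1~deb11u1",
    "deb12": "115.7.0esr-1~deb12u1",
}


def _char_order(c: str) -> int:
    """Debian ordering of one non-digit character: '~' sorts before anything,
    even the end of the string; letters sort before other characters."""
    if c == "~":
        return -1
    if c == "":           # end of fragment
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256   # '.', '+', ':' etc. sort after letters


def _split_lead(s: str, pattern: str):
    """Return (leading run matching pattern, remainder)."""
    m = re.match(pattern, s)
    return m.group(0), s[m.end():]


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment: alternate non-digit
    runs (modified lexical order) and digit runs (numeric, empty == 0)."""
    while a or b:
        pa, a = _split_lead(a, r"[^0-9]*")
        pb, b = _split_lead(b, r"[^0-9]*")
        for ca, cb in itertools.zip_longest(pa, pb, fillvalue=""):
            oa, ob = _char_order(ca), _char_order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        da, a = _split_lead(a, r"[0-9]*")
        db, b = _split_lead(b, r"[0-9]*")
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision follows the LAST hyphen; a missing revision behaves like '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:            # no hyphen at all: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def assess(installed: str) -> str:
    """Classify one installed firefox-esr version against the bulletin.
    Returns 'vulnerable' or 'fixed'.  For a version without a deb11/deb12 tag
    (e.g. a backport) only the upstream part is compared (example assumption)
    and the result is prefixed with 'unknown-suite/'."""
    m = re.search(r"~(deb1[12])u", installed)
    if m:
        fixed = FIXED_VERSIONS[m.group(1)]
        return "vulnerable" if compare_versions(installed, fixed) < 0 else "fixed"
    _, upstream, _ = parse_version(installed)
    _, fixed_upstream, _ = parse_version(FIXED_VERSIONS["deb12"])
    verdict = "vulnerable" if _cmp_fragment(upstream, fixed_upstream) < 0 else "fixed"
    return "unknown-suite/" + verdict


# Constructed sample: output of
#   dpkg-query -W -f='${Package} ${Version}\n' firefox-esr
# with the hostname prepended by a collection script.  Not real inventory.
SAMPLE_INVENTORY = """\
bullseye-host firefox-esr 115.6.0esr-1~deb11u1
bookworm-host firefox-esr 115.7.0esr-1~deb12u1
bookworm-old  firefox-esr 115.5.0esr-1~deb12u1
"""


def triage(inventory: str) -> dict:
    """Map hostname -> verdict for every 'host package version' line."""
    verdicts = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = line.split()
        if pkg == "firefox-esr":
            verdicts[host] = assess(ver)
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

On a Debian host the same verdicts can be cross-checked with `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' firefox-esr)" lt 115.7.0esr-1~deb12u1`; the pure-Python comparison exists so the check can also run over versions collected from many hosts on a machine that has no dpkg.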