SUSE update for MozillaFirefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 28 |
| CVE-ID | CVE-2024-6600 CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-6605 CVE-2024-6606 CVE-2024-6607 CVE-2024-6608 CVE-2024-6609 CVE-2024-6610 CVE-2024-6611 CVE-2024-6612 CVE-2024-6613 CVE-2024-6614 CVE-2024-6615 CVE-2024-7518 CVE-2024-7519 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7524 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7528 CVE-2024-7529 CVE-2024-7531 |
| CWE-ID | CWE-119 CWE-362 CWE-357 CWE-125 CWE-415 CWE-447 CWE-200 CWE-254 CWE-835 CWE-450 CWE-843 CWE-416 CWE-264 CWE-908 CWE-310 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Desktop Applications Module Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP4 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing LTSS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing ESPOS 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 SP4 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP3 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP2 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system MozillaFirefox-devel Operating systems & Components / Operating system package or component MozillaFirefox Operating systems & Components / Operating system package or component MozillaFirefox-debuginfo Operating systems & Components / Operating system package or component MozillaFirefox-debugsource Operating systems & Components / Operating system package or component MozillaFirefox-branding-upstream Operating systems & Components / Operating system package or component MozillaFirefox-branding-SLE Operating systems & Components / Operating system package or component MozillaFirefox-translations-other Operating systems & Components / Operating system package or component MozillaFirefox-translations-common Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 28 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU93894
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6600
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebGL API. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability affects Firefox installations on macOS only.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Race condition
EUVDB-ID: #VU93895
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6601
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a race condition in permission assignment. A remote attacker can trick the victim to visit a specially crafted website, bypass cross-origin container obtaining permissions of the top-level origin and gain access to sensitive information.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU93896
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6602
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in NSS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU93897
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6603
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in thread creation. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and crash the browser.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU93898
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6604
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU94618
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6605
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform tapjacking attacks.
The vulnerability exists due to missing activation delay when interacting with permission prompts. A remote attacker can perform tapjacking attacks.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU94619
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6606
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in clipboard component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU94620
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6607
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the way the browsers handles escape button and pointerlock. It was possible to prevent a user from exiting pointerlock when pressing
escape
and to overlay customValidity notifications from a <select> element over certain
permission prompts. This could be used to confuse a user into giving a site unintended permissions.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU94621
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6608
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when handling cursor and pointerlock. It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Double free
EUVDB-ID: #VU94622
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6609
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in NSS. A remote attacker can force the browser to free an elliptic curve key which was never allocated and crash the browser.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Unimplemented or Unsupported Feature in UI
EUVDB-ID: #VU94623
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6610
CWE-ID:
CWE-447 - Unimplemented or Unsupported Feature in UI
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error in form validation popups. A remote attacker can spam form validation messages to prevent users from exiting full-screen mode.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Information disclosure
EUVDB-ID: #VU94624
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6611
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to SameSite=Strict or Lax cookies could be sent to a nested iframe. A remote attacker can gain access to potentially sensitive information.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Security features bypass
EUVDB-ID: #VU94625
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6612
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass CSP protection mechanism.
The vulnerability exists due to CSP violation leakage when using devtools. CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Infinite loop
EUVDB-ID: #VU94626
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6613
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to alter trace data,
The vulnerability exists due to infinite loop. The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Infinite loop
EUVDB-ID: #VU94627
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6614
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to alter trace data.
The vulnerability exists due to infinite loop. The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Buffer overflow
EUVDB-ID: #VU94628
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6615
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Multiple Interpretations of UI Input
EUVDB-ID: #VU95420
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7518
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exist due to improper input interpretation in UI when handling select options. A remote attacler can obscure the fullscreen notification dialog by document content and perform spoofing attack.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Out-of-bounds read
EUVDB-ID: #VU95422
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7519
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error when processing
graphics shared memory. A remote attacker can create a specially crafted
website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Type Confusion
EUVDB-ID: #VU95423
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7520
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Use-after-free
EUVDB-ID: #VU95424
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7521
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Out-of-bounds read
EUVDB-ID: #VU95431
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7522
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in editor component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Security features bypass
EUVDB-ID: #VU95494
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7524
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass CSP policy.
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU95495
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7525
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due missing permission check when creating a StreamFilter. A web extension with minimal permissions can create a StreamFilter, which can be used to read and modify the response body of requests on any site.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Use of uninitialized resource
EUVDB-ID: #VU95496
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7526
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in WebGL ANGLE. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Use-after-free
EUVDB-ID: #VU95497
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7527
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in JavaScript garbage collection. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Use-after-free
EUVDB-ID: #VU95498
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7528
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in IndexedDB. A remote attacker can trick the victim into visiting a specially
crafted website, trigger a use-after-free error and execute arbitrary
code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Multiple Interpretations of UI Input
EUVDB-ID: #VU95500
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7529
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exist due to improper handling of the date picker, which can obscure security prompts. A remote attacker use a malicious site to trick a victim into granting permissions.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Cryptographic issues
EUVDB-ID: #VU95501
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7531
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsDesktop Applications Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP6
SUSE Linux Enterprise Server 15: SP2 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Server 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4
SUSE Linux Enterprise Desktop 15 SP4 LTSS: 15-SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP5
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Enterprise Storage: 7.1
MozillaFirefox-devel: before 128.1.0-150200.152.146.1
MozillaFirefox: before 128.1.0-150200.152.146.1
MozillaFirefox-debuginfo: before 128.1.0-150200.152.146.1
MozillaFirefox-debugsource: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-upstream: before 128.1.0-150200.152.146.1
MozillaFirefox-branding-SLE: before 128-150200.9.16.1
MozillaFirefox-translations-other: before 128.1.0-150200.152.146.1
MozillaFirefox-translations-common: before 128.1.0-150200.152.146.1
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20243003-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
