#VU91734 Security features bypass in Mozilla products - CVE-2024-5693

Cybersecurity Help s.r.o.

Published: 2024-06-11

Vulnerability identifier: #VU91734

Vulnerability risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-5693

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Firefox ESR
Client/Desktop applications / Web browsers
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox for Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to Offscreen Canvas does not properly track cross-origin tainting. A remote attacker can access image data from another site in violation of same-origin policy.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Firefox ESR: 102.0 - 102.15.1, 115.0 - 115.11.0

Mozilla Firefox: 100.0 - 126.0.1

Firefox for Android: 100.1.0 - 126.0

External links
http://bugzilla.mozilla.org/show_bug.cgi?id=1891319
http://www.mozilla.org/security/advisories/mfsa2024-25/
http://www.mozilla.org/security/advisories/mfsa2024-26/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Spidermonkey

Gentoo update for Mozilla Thunderbird

Gentoo update for Mozilla Firefox

Oracle Solaris update for thrid-party components

SUSE update for MozillaFirefox

Debian update for thunderbird

Debian update for firefox-esr

SUSE update for MozillaFirefox

openEuler 24.03 LTS update for firefox

Ubuntu update for firefox