#VU94620 Insufficient UI Warning of Dangerous Operations in Firefox for Android and Mozilla Firefox - CVE-2024-6607


Vulnerability identifier: #VU94620

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6607

CWE-ID: CWE-357

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Firefox for Android
Mobile applications / Apps for mobile phones
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way the browsers handles escape button and pointerlock. It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a <select> element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 120.0 - 127.0

Mozilla Firefox: 120.0 - 127.0.2

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS SP3 update for firefox
openEuler 22.03 LTS SP4 update for firefox
Gentoo update for Mozilla Firefox
SUSE update for MozillaThunderbird
SUSE update for MozillaFirefox
SUSE update for MozillaFirefox
Ubuntu update for firefox
Multiple vulnerabilities in Mozilla Thunderbird
Multiple vulnerabilities in Mozilla Firefox