#VU97922 Insufficient UI Warning of Dangerous Operations in Mozilla products - CVE-2024-9397


| Updated: 2024-10-02

Vulnerability identifier: #VU97922

Vulnerability risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-9397

CWE-ID: CWE-357

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox ESR
Client/Desktop applications / Web browsers
Firefox for Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to perform clickjacking attacks.

The vulnerability exists due to a missing delay in directory upload UI. A remote attacker can trick a user into granting permission via clickjacking.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 130.0.1

Firefox for Android: 120.0 - 130.0.1

Firefox ESR: 128.0 - 128.2.0

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
http://bugzilla.mozilla.org/show_bug.cgi?id=1916659

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Gentoo update for Mozilla Firefox
Gentoo update for Mozilla Thunderbird
Fedora 41 update for thunderbird
Fedora 40 update for thunderbird
Fedora 39 update for firefox
Fedora 41 update for firefox
Fedora 40 update for firefox
openEuler 24.03 LTS update for firefox
Red Hat Enterprise Linux 8 update for thunderbird