#VU99486 Spoofing attack in Mozilla products - CVE-2024-10462

Cybersecurity Help s.r.o.

Published: 2024-10-29

Vulnerability identifier: #VU99486

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-10462

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox ESR
Client/Desktop applications / Web browsers
Firefox for Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the browser truncates long URLs when displaying origin of permission prompt. A remote attacker can perform a spoofing attack by providing an overly long URL that looks like a trusted domain name.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 131.0.3

Firefox ESR: 128.0 - 128.3.1

Firefox for Android: 120.0 - 131.0.2

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2024-55/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-56/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Spidermonkey

Anolis OS update for thunderbird

Anolis OS update for firefox

openEuler 22.03 LTS SP3 update for firefox

openEuler 22.03 LTS SP4 update for firefox

Gentoo update for Mozilla Firefox

Oracle Solaris update for third-party components

Gentoo update for Mozilla Thunderbird

SUSE update for MozillaThunderbird

Red Hat Enterprise Linux 9 update for firefox