CVE-2024-0605

Published: 22 Jan 2024
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.

Vulnerable configurations

Configuration 1
cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*
Versions before 122.0 (excluding)

EPSS

Percentile: 10%
0.00036
Low

7.5 High

CVSS3

Weaknesses

CWE-362

Related vulnerabilities

CVSS3: 7.5
github
about 2 years ago

Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
