Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-9393

Опубликовано: 01 окт. 2024
Источник: nvd
CVSS3: 7.5
EPSS Низкий

Описание

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Версия до 131.0 (исключая)
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Версия до 115.16.0 (исключая)
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Версия от 116.0 (включая) до 128.3.0 (исключая)
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Версия до 128.3 (исключая)
cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*

EPSS

Процентиль: 31%
0.00111
Низкий

7.5 High

CVSS3

Дефекты

NVD-CWE-Other
CWE-346

Связанные уязвимости

ubuntu логотип

CVE-2024-9393

CVSS3: 7.5
ubuntu
9 месяцев назад

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

redhat логотип

CVE-2024-9393

CVSS3: 7.6
redhat
9 месяцев назад

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

debian логотип

CVE-2024-9393

CVSS3: 7.5
debian
9 месяцев назад

An attacker could, via a specially crafted multipart response, execute ...

github логотип

GHSA-rggh-rm3v-8xqj

CVSS3: 7.5
github
9 месяцев назад

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

fstec логотип

BDU:2024-09268

CVSS3: 7.5
fstec
9 месяцев назад

Уязвимость механизма CORS браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти ограничения безопасности и поучить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 31%
0.00111
Низкий

7.5 High

CVSS3

Дефекты

NVD-CWE-Other
CWE-346