
Rewterz Threat Advisory – Multiple Mozilla Firefox Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-2616 CVSS:6.5

Mozilla Firefox ESR and Thunderbird are vulnerable to a denial of service, caused by an error related to out-of-memory conditions in ICU. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2024-2615 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-2613 CVSS:6.5

Mozilla Firefox is vulnerable to a denial of service, caused by the improper handling of QUIC ACK frame data. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to consume restricted memory and cause the browser to crash.

CVE-2024-2612 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free triggered by a particular code path in SafeRefPtr. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-2611 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct a clickjacking attack, caused by a missing delay when pointer lock was used. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to hijack the clicking actions of another user.

CVE-2024-2610 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the improper handling of html and body tags, which enabled CSP nonce leakage. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass strict content security policies.

CVE-2024-2609 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct a clickjacking attack, caused by an error where the permission prompt input delay could expire while the window is not in focus. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to hijack the clicking actions of another user.

CVE-2024-2608 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by integer overflows in AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters(). By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trigger an out-of-bounds write to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-2607 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the failure of JIT code to save return registers on Armv7-A systems. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-2606 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the mishandling of WASM register values. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to create invalid wasm values.

CVE-2024-2605 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the use of the Windows Error Reporter as a Sandbox escape vector. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-2614 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

  • Denial of Service
  • Gain Access
  • Security Bypass

Indicators Of Compromise

CVE

  • CVE-2024-2616
  • CVE-2024-2615
  • CVE-2024-2613
  • CVE-2024-2612
  • CVE-2024-2611
  • CVE-2024-2610
  • CVE-2024-2609
  • CVE-2024-2608
  • CVE-2024-2607
  • CVE-2024-2606
  • CVE-2024-2605
  • CVE-2024-2614

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox ESR 115.8
  • Mozilla Thunderbird 115.8
  • Mozilla Firefox 123

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

  • CVE-2024-2616
  • CVE-2024-2615
  • CVE-2024-2613
  • CVE-2024-2612
  • CVE-2024-2611
  • CVE-2024-2610
  • CVE-2024-2609
  • CVE-2024-2608
  • CVE-2024-2607
  • CVE-2024-2606
  • CVE-2024-2605
  • CVE-2024-2614
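The remediation step above amounts to comparing installed builds against the "Affected Products" list. The following script is an added example written for this page (it is not Rewterz's or Mozilla's code): it parses the `--version` banner that Firefox and Thunderbird print, works out which channel the build belongs to (release, ESR, or Thunderbird), and reports whether the build is at or below the affected release for that channel. The names `AFFECTED`, `parse_banner`, `assess` and `installed_banner` are this example's own. The affected versions come from the page; the fixed versions are not stated on the page and are deliberately not hard-coded here, so confirm the patched release against the Mozilla Foundation Security Advisory before relying on the result.

```python
"""Check Firefox / Thunderbird version banners against the affected
releases listed in this advisory (example code, not part of the advisory)."""
import re
import subprocess
from dataclasses import dataclass

# Last affected versions as listed under "Affected Products" on this page.
# Each tuple is compared as a prefix: (123,) covers every 123.x build,
# (115, 8) covers every 115.8.x build. Fixed versions are NOT assumed here.
AFFECTED = {
    "firefox": (123,),          # Mozilla Firefox 123
    "firefox-esr": (115, 8),    # Mozilla Firefox ESR 115.8
    "thunderbird": (115, 8),    # Mozilla Thunderbird 115.8
}

# Matches the "--version" banner of both products, for example
# "Mozilla Firefox 123.0.1", "Mozilla Firefox 115.8.0esr", "Thunderbird 115.8.1".
_BANNER = re.compile(
    r"^(?:Mozilla\s+)?(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<ver>\d+(?:\.\d+)*)\s*(?P<esr>esr)?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Assessment:
    product: str        # "firefox" or "thunderbird"
    channel: str        # key into AFFECTED
    version: tuple      # parsed numeric version, e.g. (115, 8, 0)
    affected: bool
    reason: str


def parse_banner(banner: str) -> tuple:
    """Return (product, channel, version_tuple) for a version banner."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    product = m.group("product").lower()
    version = tuple(int(part) for part in m.group("ver").split("."))
    # Only the "esr" suffix moves a Firefox build onto the ESR channel; a
    # Firefox build without the suffix is judged against the release channel.
    channel = "firefox-esr" if (product == "firefox" and m.group("esr")) else product
    return product, channel, version


def assess(banner: str) -> Assessment:
    """Decide whether the build in `banner` is at or below the affected release
    for its channel."""
    product, channel, version = parse_banner(banner)
    last_bad = AFFECTED[channel]
    # Prefix comparison: use only as many components as the advisory lists.
    affected = version[: len(last_bad)] <= last_bad
    shown = ".".join(map(str, version))
    bad_shown = ".".join(map(str, last_bad))
    if affected:
        reason = f"{channel} {shown} is at or below affected release {bad_shown}"
    else:
        reason = f"{channel} {shown} is newer than affected release {bad_shown}"
    return Assessment(product, channel, version, affected, reason)


def installed_banner(binary: str = "firefox") -> str:
    """Ask a locally installed binary for its version banner.
    Hypothetical helper: requires the binary on PATH; not used by the demo below."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real machines.
    samples = (
        "Mozilla Firefox 123.0.1",
        "Mozilla Firefox 124.0",
        "Mozilla Firefox 115.8.0esr",
        "Mozilla Firefox 115.9.0esr",
        "Thunderbird 115.8.1",
        "Thunderbird 115.9.0",
    )
    for sample in samples:
        a = assess(sample)
        flag = "AFFECTED" if a.affected else "ok      "
        print(f"{flag}  {sample:28s} {a.reason}")
```

One edge case worth knowing: a Firefox banner such as "Mozilla Firefox 115.9.0" without the "esr" suffix is compared against the release channel (last affected 123) and therefore reported as affected. That is the conservative outcome, since the page only gives a 115.8 threshold for the ESR channel, and it avoids clearing an old release-channel build on the strength of a version number that happens to look like a patched ESR.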