Analysis Summary

CVE-2024-6601 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a race condition in permission assignment. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability leading to a cross-origin container obtaining permissions of the top-level origin.

CVE-2024-6607 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error related to preventing a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to confuse a user into giving a site unintended permissions.

CVE-2024-6614 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the incorrect listing of stack frames. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to lead to incorrect stack traces.

CVE-2024-6612 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a CSP violation leakage when using devtools. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to leak that a CSP violation happened.

CVE-2024-6610 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error related to form validation popups capturing escape key presses. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to prevent users from exiting full-screen mode.

CVE-2024-6600 CVSS:6.5

Mozilla Firefox could allow a remote attacker to gain unauthorized access to the system, caused by a memory corruption in WebGL API. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to trigger an out-of-bounds access.

CVE-2024-6613 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the incorrect listing of stack frames. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to lead to incorrect stack traces.

CVE-2024-6611 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of SameSite cookies. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trigger a cross-site navigation and send SameSite=Strict or Lax cookies.

Impact

• Information Disclosure
• Security Bypass
• Gain Access

Indicators of Compromise

CVE

• CVE-2024-6601
• CVE-2024-6607
• CVE-2024-6614
• CVE-2024-6612
• CVE-2024-6610
• CVE-2024-6600
• CVE-2024-6613
• CVE-2024-6611

Affected Vendors

Affected Products

• Mozilla Firefox 127.0
• Mozilla Firefox ESR 115.12

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Foundation Security Advisory