Analysis Summary

CVE-2024-4367 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a missing type check when handling fonts in PDF.js. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4768 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a bug in popup notifications' interaction with WebAuthn. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.

CVE-2024-4778 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4774 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by undefined behavior in ShmemCharMapHashEntry(). By bypassing the move semantics for one of its data members, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4767 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to properly delete IndexedDB files when the window was closed when the browser.privatebrowsing.autostart preference is enabled. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4764 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when audio input connected with multiple consumers. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4771 CVSS: 6.5

Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free if the allocation failed. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2024-4775 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by invalid memory access in the built-in profilers. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4777 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4770 CVSS: 6.5

Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when printing to PDF. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2024-4765 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the storing of web application manifests using an insecure MD5 hash. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to allow a hash collision to overwrite another application's manifest to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4766 CVSS: 6.5

Mozilla Firefox for Android could allow a remote attacker to conduct spoofing attacks, caused by the obscuring of fullscreen notification. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.

CVE-2024-4773 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when a network error occurs during page load. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.

CVE-2024-4772 CVSS: 6.5

Mozilla Firefox could provide weaker than expected security, caused by the use of insecure rand() function to generate nonce. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to lead to predictable values.

CVE-2024-4776 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a window remaining disabled after file dialog is shown in full-screen. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4769 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the distinguishing of cross-origin responses between script and non-script content-types. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to learn information cross-origin.

Impact

• Denial of Service
• Code Execution
• Security Bypass
• Gain Access
• Information Disclosure

Indicators of Compromise

CVE

• CVE-2024-4367
• CVE-2024-4768
• CVE-2024-4778
• CVE-2024-4774
• CVE-2024-4767
• CVE-2024-4764
• CVE-2024-4771
• CVE-2024-4775
• CVE-2024-4777
• CVE-2024-4770
• CVE-2024-4765
• CVE-2024-4766
• CVE-2024-4773
• CVE-2024-4772
• CVE-2024-4776
• CVE-2024-4769

Affected Vendors

Affected Products

• Mozilla Firefox 125.0
• Mozilla Firefox ESR 115.10
• Mozilla Thunderbird 115.10
• Mozilla Firefox for Android 125.0

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Foundation Security Advisory