Multiple WordPress Plugins Vulnerabilities

May 15, 2024

PoC Exploit for RCE Zero-Day in D-Link EXO AX4800 Routers Released Publicly

May 15, 2024

Multiple Mozilla Firefox Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-4367 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a missing type check when handling fonts in PDF.js. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4768 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a bug in popup notifications' interaction with WebAuthn. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.

CVE-2024-4778 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4774 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by undefined behavior in ShmemCharMapHashEntry(). By bypassing the move semantics for one of its data members, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4767 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to properly delete IndexedDB files when the window was closed when the browser.privatebrowsing.autostart preference is enabled. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4764 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when audio input connected with multiple consumers. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4771 CVSS: 6.5

Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free if the allocation failed. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2024-4775 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by invalid memory access in the built-in profilers. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4777 CVSS: 8.8

CVE-2024-4770 CVSS: 6.5

Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when printing to PDF. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.

CVE-2024-4765 CVSS: 8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by the storing of web application manifests using an insecure MD5 hash. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to allow a hash collision to overwrite another application's manifest to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-4766 CVSS: 6.5

Mozilla Firefox for Android could allow a remote attacker to conduct spoofing attacks, caused by the obscuring of fullscreen notification. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.

CVE-2024-4773 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when a network error occurs during page load. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.

CVE-2024-4772 CVSS: 6.5

Mozilla Firefox could provide weaker than expected security, caused by the use of insecure rand() function to generate nonce. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to lead to predictable values.

CVE-2024-4776 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a window remaining disabled after file dialog is shown in full-screen. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-4769 CVSS: 6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the distinguishing of cross-origin responses between script and non-script content-types. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to learn information cross-origin.

Impact

Denial of Service
Code Execution
Security Bypass
Gain Access
Information Disclosure

Indicators of Compromise

CVE

CVE-2024-4367
CVE-2024-4768
CVE-2024-4778
CVE-2024-4774
CVE-2024-4767
CVE-2024-4764
CVE-2024-4771
CVE-2024-4775
CVE-2024-4777
CVE-2024-4770
CVE-2024-4765
CVE-2024-4766
CVE-2024-4773
CVE-2024-4772
CVE-2024-4776
CVE-2024-4769

Affected Vendors

Mozilla

Affected Products

Mozilla Firefox 125.0
Mozilla Firefox ESR 115.10
Mozilla Thunderbird 115.10
Mozilla Firefox for Android 125.0

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Foundation Security Advisory