
Multiple Mozilla Firefox Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-7518 CVSS:6.5

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the failure to obscure the fullscreen notification dialog. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.

CVE-2024-7519 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by insufficient checks when processing graphics shared memory leading to memory corruption. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7520 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in WebAssembly. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7521 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by incomplete WebAssembly exception handling leading to a use-after-free error. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7522 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in the editor component. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7523 CVSS:6.5

Mozilla Firefox for Android could allow a remote attacker to bypass security restrictions, caused by the obscuring of security prompts by a select option. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.

CVE-2024-7524 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error on a site protected by Content Security Policy in "strict-dynamic" mode. By persuading a victim to visit a specially crafted Web site, a remote attacker able to inject an HTML element could use a DOM Clobbering attack on some of the shims to achieve XSS, bypassing the CSP strict-dynamic protection.

CVE-2024-7525 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a missing permission check when creating a StreamFilter. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-7526 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the failure to initialize parameters, which leads to reading from uninitialized memory by ANGLE. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to leak sensitive data from memory.

CVE-2024-7527 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in JavaScript garbage collection. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7528 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in IndexedDB. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7529 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the obscuring of security prompts by document content. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.

CVE-2024-7530 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in JavaScript code coverage collection. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2024-7531 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error related to calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to reveal plaintext on Intel Sandy Bridge machines.

Impact

  • Denial of Service
  • Gain Access
  • Code Execution
  • Security Bypass
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-7518
  • CVE-2024-7519
  • CVE-2024-7520
  • CVE-2024-7521
  • CVE-2024-7522
  • CVE-2024-7523
  • CVE-2024-7524
  • CVE-2024-7525
  • CVE-2024-7526
  • CVE-2024-7527
  • CVE-2024-7528
  • CVE-2024-7529
  • CVE-2024-7530
  • CVE-2024-7531

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox 128.0
  • Mozilla Firefox ESR 115.13
  • Mozilla Firefox ESR 128.0
  • Mozilla Thunderbird 128.0
  • Mozilla Thunderbird 115.13
  • Mozilla Firefox for Android 128.0

Remediation

Refer to the Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

Mozilla Foundation Security Advisory