Severity
High
Analysis Summary
CVE-2024-7518 CVSS:6.5
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the failure to obscure the fullscreen notification dialog. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.
CVE-2024-7519 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by insufficient checks when processing graphics shared memory leading to memory corruption. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7520 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in WebAssembly. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7521 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by incomplete WebAssembly exception handling leading to a use-after-free error. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7522 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in the editor component. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7523 CVSS:6.5
Mozilla Firefox for Android could allow a remote attacker to bypass security restrictions, caused by the obscuring of security prompts by a select option. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.
CVE-2024-7524 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error on a site protected by Content Security Policy in "strict-dynamic" mode. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability by injecting an HTML element and using a DOM Clobbering attack on some of the shims to achieve XSS, bypassing the CSP strict-dynamic protection.
CVE-2024-7525 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a missing permission check when creating a StreamFilter. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CVE-2024-7526 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the failure to initialize parameters, which leads to reading from uninitialized memory by ANGLE. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to leak sensitive data from memory.
CVE-2024-7527 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in JavaScript garbage collection. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7528 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in IndexedDB. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7529 CVSS:6.5
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the obscuring of security prompts by document content. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.
CVE-2024-7530 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in JavaScript code coverage collection. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2024-7531 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error related to calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to reveal plaintext on Intel Sandy Bridge machines.
Impact
- Denial of Service
- Gain Access
- Code Execution
- Security Bypass
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-7518
- CVE-2024-7519
- CVE-2024-7520
- CVE-2024-7521
- CVE-2024-7522
- CVE-2024-7523
- CVE-2024-7524
- CVE-2024-7525
- CVE-2024-7526
- CVE-2024-7527
- CVE-2024-7528
- CVE-2024-7529
- CVE-2024-7530
- CVE-2024-7531
Affected Vendors
Affected Products
- Mozilla Firefox 128.0
- Mozilla Firefox ESR 115.13
- Mozilla Firefox ESR 128.0
- Mozilla Thunderbird 128.0
- Mozilla Thunderbird 115.13
- Mozilla Firefox for Android 128.0
Remediation
Refer to the Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.