SB2024012529 - SUSE update for MozillaFirefox 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024012529

SB2024012529 - SUSE update for MozillaFirefox

Published: January 25, 2024

Security Bulletin ID SB2024012529
Severity
High
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 22% Medium 22% Low 56%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2024-0741)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in ANGLE when processing untrusted input. A remote attacker can trick the victim to open a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.


2) Security features bypass (CVE-ID: CVE-2024-0742)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to failure to update user input timestamp for certain browser prompts and dialogs. A remote attacker can perform clickjacking attack and trick the victim into providing unintended permissions to a malicious website.


3) Reachable Assertion (CVE-ID: CVE-2024-0746)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when listing pointers on Linux. A remote attacker can trick the victim to open the print preview dialog and crash the browser.


4) Security features bypass (CVE-ID: CVE-2024-0747)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in the way the Content Security Policy handles unsafe-inline directive. When a parent page loaded a child in an iframe with unsafe-inline, the parent Content Security Policy could have overridden the child Content Security Policy.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-0749)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to application does not properly impose security restrictions. A phishing site could have repurposed an about: dialog to show phishing content with an incorrect origin in the address bar.


6) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-0750)

The vulnerability allows a remote attacker to perform a clickjacking attack.

The vulnerability exists due to an error in popup notifications delay calculation. A remote attacker can perform a clickjacking attack and trick a user into granting permissions to a malicious web application.


7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-0751)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. A malicious devtools extension could have been used to escalate privileges.


8) Security features bypass (CVE-ID: CVE-2024-0753)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling HSTS on a subdomain. In specific HSTS configurations an attacker could have bypassed HSTS.


9) Buffer overflow (CVE-ID: CVE-2024-0755)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References