CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence: Low
[email protected] reports:
CVE-2024-7531: Calling `PK11_Encrypt()` in NSS using
CKM_CHACHA20 and the same buffer for input and output can
result in plaintext on an Intel Sandy Bridge processor. In
Firefox this only affects the QUIC header protection
feature when the connection is using the ChaCha20-Poly1305
cipher suite. The most likely outcome is connection
failure, but if the connection persists despite the high
packet loss it could be possible for a network observer to
identify packets as coming from the same source despite a
network path change. This vulnerability affects Firefox
< 129, Firefox ESR < 115.14, and Firefox ESR <
128.1.
CVE-2024-7529: The date picker could partially obscure
security prompts. This could be used by a malicious site
to trick a user into granting permissions. This
vulnerability affects Firefox < 129, Firefox ESR <
115.14, Firefox ESR < 128.1, Thunderbird < 128.1,
and Thunderbird < 115.14.
CVE-2024-7525: It was possible for a web extension with
minimal permissions to create a `StreamFilter` which could
be used to read and modify the response body of requests
on any site. This vulnerability affects Firefox < 129,
Firefox ESR < 115.14, Firefox ESR < 128.1,
Thunderbird < 128.1, and Thunderbird < 115.14.
CVE-2024-7522: Editor code failed to check an attribute
value. This could have led to an out-of-bounds read. This
vulnerability affects Firefox < 129, Firefox ESR <
115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and
Thunderbird < 115.14.
CVE-2024-7520: A type confusion bug in WebAssembly could
be leveraged by an attacker to potentially achieve code
execution. This vulnerability affects Firefox < 129,
Firefox ESR < 128.1, and Thunderbird < 128.1.
CVE-2024-7521: Incomplete WebAssembly exception handling
could have led to a use-after-free. This vulnerability
affects Firefox < 129, Firefox ESR < 115.14,
Firefox ESR < 128.1, Thunderbird < 128.1, and
Thunderbird < 115.14.
CVE-2024-7530: Incorrect garbage collection interaction
could have led to a use-after-free. This vulnerability
affects Firefox < 129.
CVE-2024-7528: Incorrect garbage collection interaction in
IndexedDB could have led to a use-after-free. This
vulnerability affects Firefox < 129,
Firefox ESR < 128.1, and Thunderbird < 128.1.
CVE-2024-7527: Unexpected marking work at the start of
sweeping could have led to a use-after-free. This
vulnerability affects Firefox < 129,
Firefox ESR < 115.14, Firefox ESR < 128.1,
Thunderbird < 128.1, and Thunderbird < 115.14.
nvd.nist.gov/vuln/detail/CVE-2024-7520
nvd.nist.gov/vuln/detail/CVE-2024-7521
nvd.nist.gov/vuln/detail/CVE-2024-7522
nvd.nist.gov/vuln/detail/CVE-2024-7525
nvd.nist.gov/vuln/detail/CVE-2024-7527
nvd.nist.gov/vuln/detail/CVE-2024-7528
nvd.nist.gov/vuln/detail/CVE-2024-7529
nvd.nist.gov/vuln/detail/CVE-2024-7530
nvd.nist.gov/vuln/detail/CVE-2024-7531