CRITICAL🇵🇱 Wersja polska

CVE-2024-5699

CVSS 9.8v3.1pub. 2024-06-11upd. 2025-04-04

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. This could have resulted in the browser not correctly honoring the behaviors specified by the prefix. This vulnerability affects Firefox < 127.

🤖 AI Analysis
How it works

According to the specification, cookie prefixes such as `__Secure` should be recognized using case-insensitive comparison. Firefox incorrectly ignored these prefixes if they were not written with the exact required capitalization, which constitutes a specification violation (CWE-178). As a result, protective mechanisms enforced by the prefixes — such as requiring the Secure flag — were not enforced by the browser. An attacker could potentially set or modify cookies in a way that should be blocked by these prefixes.

Impact

An attacker could bypass security measures related to cookie prefixes, which could result in unauthorized access to protected resources, disclosure of sensitive data, or violation of user session integrity.

Mitigation & patch

Mozilla Firefox browser should be updated to version 127 or newer. Details available in the security advisory from the vendor: https://www.mozilla.org/security/advisories/mfsa2024-25/

Who is affected

Mozilla Firefox in versions earlier than 127

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 127.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...