CRITICAL🇵🇱 Wersja polska

CVE-2024-9392

CVSS 9.8v3.1pub. 2024-10-01upd. 2025-11-03

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

🤖 AI Analysis
How it works

The vulnerability stems from a violation of the origin isolation principle (CWE-346 — Origin Validation Error). Under normal circumstances, the same-origin policy mechanism prevents content processes from accessing resources from other domains. In the case of this vulnerability, a compromised content process can bypass this control and load arbitrary cross-origin pages, which opens the way for further abuse of the browser or email client environment.

Impact

An attacker who gains control over the content process can obtain unauthorized access to data from other pages and potentially affect their integrity and availability, which corresponds to a complete breach of confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).

Mitigation & patch

Software should be updated to the following versions: Firefox 131 or newer, Firefox ESR 128.3 or newer, Firefox ESR 115.16 or newer, Thunderbird 128.3 or newer, Thunderbird 131 or newer. Detailed information available in Mozilla security bulletins: mfsa2024-46, mfsa2024-47, mfsa2024-48.

Who is affected

Mozilla Firefox versions below 131, Mozilla Firefox ESR versions below 128.3 and below 115.16, Mozilla Thunderbird versions below 128.3 and below 131.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.6.0< 131.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 128.3.0129.0 – 131.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...