CVE-2024-0605

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-0605
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2024-03/ Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*
History

30 Jan 2024, 15:19

Type Values Removed Values Added
First Time Mozilla
Mozilla firefox Focus
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 - () https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 - Issue Tracking, Permissions Required
References () https://www.mozilla.org/security/advisories/mfsa2024-03/ - () https://www.mozilla.org/security/advisories/mfsa2024-03/ - Vendor Advisory
CWE CWE-362
Summary
  • (es) Usando un javascript: URI con una condición de ejecución setTimeout, un atacante puede ejecutar scripts no autorizados en los principales sitios de origen en urlbar. Esto elude las medidas de seguridad, lo que podría provocar la ejecución de código arbitrario o acciones no autorizadas dentro de la página web cargada por el usuario. Esta vulnerabilidad afecta a Focus para iOS &lt; 122.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*

22 Jan 2024, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-22 19:15

Updated : 2024-01-30 15:19

NVD link : CVE-2024-0605

Mitre link : CVE-2024-0605

CVE.ORG link : CVE-2024-0605

JSON object : View

Products Affected

mozilla

  • firefox_focus
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')