National Cyber Warfare Foundation (NCWF) Forums


Firefox 127 Released With patch for 15 Vulnerabilities


0 user ratings
2024-06-12 13:10:09
milo
Red Team (CNA)

Mozilla has released Firefox 127, addressing 15 security vulnerabilities, some of which have been rated as high impact. This update is crucial for users to ensure their browsing experience remains secure. Below is a detailed breakdown of the vulnerabilities fixed in this release. CVE-2024-5687: An Incorrect Principal Could Have Been Used When Opening New Tabs […]


The post Firefox 127 Released With patch for 15 Vulnerabilities appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Mozilla has released Firefox 127, addressing 15 security vulnerabilities, some of which have been rated as high impact.





This update is crucial for users to ensure their browsing experience remains secure.





Below is a detailed breakdown of the vulnerabilities fixed in this release.





CVE-2024-5687: An Incorrect Principal Could Have Been Used When Opening New Tabs





Reporter: jackyzy823
Impact: High
Description: When opening a new tab, a specific sequence of actions could result in an incorrect triggering principle.





This principle is crucial for calculating values like the Referer and Sec- headers, potentially leading to incorrect security checks and misleading information sent to remote websites.





This bug affects only Firefox for Android.





References: Bug 1889066





CVE-2024-5688: Use-After-Free in JavaScript Object Transplant





Reporter: Lukas Bernhard
Impact: High
Description: A use-after-free vulnerability could occur during object transplant if garbage collection is triggered correctly.





References: Bug 1895086





Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis





CVE-2024-5689: User Confusion and Possible Phishing Vector via Firefox Screenshots





Reporter: Fabian Fäßler
Impact: Moderate
Description: A website could overlay the ‘My Shots’ button that appears when a user takes a screenshot, directing them to a replica Firefox Screenshots page, potentially used for phishing.





References: Bug 1389707





CVE-2024-5690: External Protocol Handlers Leaked by Timing Attack





Reporter: Satoki Tsuji
Impact: Moderate
Description: An attacker could guess which external protocol handlers were functional on a user’s system by monitoring the time certain operations take.





References: Bug 1883693





CVE-2024-5691: Sandboxed Iframes Bypassing Sandbox Restrictions to Open a New Window





Reporter: Luan Herrera
Impact: Moderate
Description: A sandboxed iframe could bypass restrictions to open a new window by tricking the browser with an X-Frame-Options header.





References: Bug 1888695





CVE-2024-5692: Bypass of File Name Restrictions During Saving





Reporters: Raphael Shaniyazov and Axel Chong (@Haxatron)
Impact: Moderate
Description: An attacker could trick the browser into saving a file with a disallowed extension on Windows by including an invalid character.





This issue only affects Windows operating systems.





References: Bug 1891234, Bug 1837514





CVE-2024-5693: Cross-Origin Image Leak via Offscreen Canvas





Reporter: Kirtikumar Anandrao Ramchandani
Impact: Moderate
Description: Offscreen Canvas did not correctly track cross-origin tainting, allowing access to image data from another site, violating the same-origin policy.





References: Bug 1891319





CVE-2024-5694: Use-After-Free in JavaScript Strings





Reporter: Lukas Bernhard
Impact: Moderate
Description: An attacker could cause a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap.





References: Bug 1895055





CVE-2024-5695: Memory Corruption Using Allocation Under Out-of-Memory Conditions





Reporter: Irvan Kurniawan
Impact: Moderate
Description: An out-of-memory condition during allocations in the probabilistic heap checker could trigger an assertion, potentially leading to memory corruption.





References: Bug 1895579





CVE-2024-5696: Memory Corruption in Text Fragments





Reporter: Irvan Kurniawan
Impact: Moderate
Description: Manipulating text in a  tag could cause memory corruption, leading to a potentially exploitable crash.





References: Bug 1896555





CVE-2024-5697: Website Able to Detect When Firefox Takes a Screenshot





Reporter: Wil Clouser
Impact: Low
Description: A website could detect when a user took a screenshot using Firefox’s built-in Screenshot functionality.





References: Bug 1414937





CVE-2024-5698: Data-List Could Overlay Address Bar





Reporter: Hafiizh
Impact: Low
Description: By manipulating the fullscreen feature while opening a data-list, an attacker could overlay a text box over the address bar, leading to user confusion and possible spoofing attacks.





References: Bug 1828259









Reporter: Konstantin Preißer
Impact: Low
Description: Cookie prefixes such as __Secure were ignored if not correctly capitalized, violating the spec that requires case-insensitive comparison.





References: Bug 1891349





CVE-2024-5700: Memory Safety Bugs Fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12





Reporter: The Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 showed evidence of memory corruption, which could potentially be exploited to run arbitrary code.





References: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12





CVE-2024-5701: Memory Safety Bugs Fixed in Firefox 127





Reporters: Randell Jesup and the Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs in Firefox 126 showed evidence of memory corruption, potentially exploitable to run arbitrary code.





References: Memory safety bugs fixed in Firefox 127.





Mozilla urges all users to update to Firefox 127 to ensure their browsers are protected against these vulnerabilities.





Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo


The post Firefox 127 Released With patch for 15 Vulnerabilities appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/firefox-127-released/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



© Copyright 2012 through 2024 - National Cyber War Foundation - All rights reserved worldwide.