Mozilla Products August 2024 1st Security Update Advisory

Overview
 

Mozilla has released updates that address multiple vulnerabilities in Firefox, Firefox ESR, and Thunderbird. Users of the affected products are advised to update to the latest version.

 

Affected Products

CVE-2024-7518, CVE-2024-7520, CVE-2024-7528

  • Firefox version: all versions prior to 129
  • Firefox ESR version: all versions prior to 128.1
  • Thunderbird version: all versions prior to 128.1

CVE-2024-7519, CVE-2024-7521, CVE-2024-7522, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527

  • Firefox version: all versions prior to 129
  • Firefox ESR version: all versions prior to 115.14
  • Firefox ESR version: all versions prior to 128.1
  • Thunderbird version: all versions prior to 128.1
  • Thunderbird version: all versions prior to 115.14

CVE-2024-7523

  • Firefox version: all versions prior to 129

CVE-2024-7524

  • Firefox version: all versions prior to 129
  • Firefox ESR version: all versions prior to 115.14
  • Firefox ESR version: all versions prior to 128.1
     

 

Resolved Vulnerabilities

Vulnerability that could allow a malicious site to conduct spoofing attacks (CVE-2024-7518)

Insufficient checking when handling graphics shared memory could have resulted in memory corruption (CVE-2024-7519)

A type confusion bug in WebAssembly that an attacker could leverage to potentially achieve code execution (CVE-2024-7520)

Incomplete WebAssembly exception handling could lead to a use-after-free vulnerability (CVE-2024-7521)

Editor code failed to check an attribute value, which could result in an out-of-bounds read (CVE-2024-7522)

A select option could partially obscure a security prompt, which a malicious site could use to trick a user into granting permissions (CVE-2024-7523)

On a site protected by a Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could use a DOM clobbering attack against some of Firefox's web-compatibility shims to achieve XSS, bypassing the CSP strict-dynamic protection (CVE-2024-7524)

A web extension with minimal permissions could create a StreamFilter, which could be used to read and modify the response body of requests on any site (CVE-2024-7525)

ANGLE failed to initialize parameters, leading to reads from uninitialized memory that could be leveraged to leak sensitive data (CVE-2024-7526)

An unexpected marking operation at the start of sweeping could result in a use-after-free (CVE-2024-7527)

Incorrect garbage collection interaction in IndexedDB that could lead to a use-after-free (CVE-2024-7528)
 

Vulnerability Patches

The following fixed versions were released in the August 6, 2024 update. For details on each fix, refer to the Mozilla advisories listed under Referenced Sites.

 

CVE-2024-7518, CVE-2024-7520, CVE-2024-7528

  • Firefox version: 129
  • Firefox ESR version: 128.1
  • Thunderbird version: 128.1

 

CVE-2024-7519, CVE-2024-7521, CVE-2024-7522, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527

  • Firefox version: 129
  • Firefox ESR version: 115.14
  • Firefox ESR version: 128.1
  • Thunderbird version: 128.1
  • Thunderbird version: 115.14

CVE-2024-7523

  • Firefox version: 129
     

CVE-2024-7524

  • Firefox version: 129
  • Firefox ESR version: 115.14
  • Firefox ESR version: 128.1
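The fixed-version tables above are easy to misread across the three release lines (rapid release, ESR 115, ESR 128), so the following script, an added example that is not part of the ASEC advisory or of any Mozilla tooling, transcribes them into a lookup and reports which CVEs from this advisory remain unpatched for a given installed build. It assumes the version strings printed by `firefox --version` and `thunderbird --version` take the forms "Mozilla Firefox 129.0", "Mozilla Firefox 128.1.0esr" and "Mozilla Thunderbird 115.14.0" (an ESR build is recognised by its "esr" suffix); the branch names such as `firefox-esr-128` are this script's own labels, not Mozilla's. The sample version strings at the bottom are constructed inputs.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed version per release line, transcribed from the "Vulnerability Patches"
# section of the advisory. Branch keys are this script's own naming (an assumption).
_GROUP_A = {"firefox": "129", "firefox-esr-128": "128.1", "thunderbird-128": "128.1"}
_GROUP_B = {"firefox": "129", "firefox-esr-115": "115.14", "firefox-esr-128": "128.1",
            "thunderbird-115": "115.14", "thunderbird-128": "128.1"}
FIXED_IN: Dict[str, Dict[str, str]] = {
    "CVE-2024-7518": _GROUP_A, "CVE-2024-7520": _GROUP_A, "CVE-2024-7528": _GROUP_A,
    "CVE-2024-7519": _GROUP_B, "CVE-2024-7521": _GROUP_B, "CVE-2024-7522": _GROUP_B,
    "CVE-2024-7525": _GROUP_B, "CVE-2024-7526": _GROUP_B, "CVE-2024-7527": _GROUP_B,
    "CVE-2024-7523": {"firefox": "129"},
    "CVE-2024-7524": {"firefox": "129", "firefox-esr-115": "115.14", "firefox-esr-128": "128.1"},
}


def parse_version(raw: str) -> Version:
    """'128.1.0esr' -> (128, 1, 0). Only the leading dotted-integer part is compared."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_ge(a: Version, b: Version) -> bool:
    """Compare after zero-padding, so that (128, 1) and (128, 1, 0) are equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def classify(version_output: str) -> Tuple[str, Version]:
    """Map `firefox --version` / `thunderbird --version` output to (branch, version).

    Assumed formats: 'Mozilla Firefox 129.0', 'Mozilla Firefox 128.1.0esr',
    'Mozilla Thunderbird 115.14.0'. Firefox without an 'esr' suffix is the
    rapid-release channel; ESR and Thunderbird are tracked per major line.
    """
    m = re.match(r"\s*(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\S+)", version_output, re.I)
    if not m:
        raise ValueError(f"unrecognised product string: {version_output!r}")
    product, raw = m.group(1).lower(), m.group(2)
    ver = parse_version(raw)
    if product == "firefox" and not raw.lower().endswith("esr"):
        return "firefox", ver
    branch = f"firefox-esr-{ver[0]}" if product == "firefox" else f"thunderbird-{ver[0]}"
    return branch, ver


def check(version_output: str) -> Dict[str, str]:
    """Per-CVE status: 'fixed', 'vulnerable', or 'not listed'.

    'not listed' means the advisory names no fixed version for this branch. That
    covers both branches the advisory does not list as affected and branches that
    are out of support (e.g. an old ESR line), so it must not be read as 'safe'.
    """
    branch, ver = classify(version_output)
    result: Dict[str, str] = {}
    for cve, fixed in FIXED_IN.items():
        if branch not in fixed:
            result[cve] = "not listed"
        elif version_ge(ver, parse_version(fixed[branch])):
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable"
    return result


def unpatched(version_output: str) -> List[str]:
    """Sorted list of CVEs from this advisory still open on the given build."""
    return sorted(c for c, s in check(version_output).items() if s == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    for sample in ("Mozilla Firefox 129.0", "Mozilla Firefox 128.0.3esr",
                   "Mozilla Thunderbird 115.13.0"):
        print(sample, "->", unpatched(sample) or "no unpatched CVEs from this advisory")
```

The "not listed" status is deliberately separate from "fixed": an installation on a branch the advisory does not mention (for instance an ESR line that is no longer supported) is not covered by these patches at all and should be upgraded to a supported line rather than treated as unaffected.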
     

 

Referenced Sites

[1] Security Vulnerabilities fixed in Firefox 129

https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/

[2] Security Vulnerabilities fixed in Firefox ESR 115.14

https://www.mozilla.org/en-US/security/advisories/mfsa2024-34/

[3] Security Vulnerabilities fixed in Firefox ESR 128.1

https://www.mozilla.org/en-US/security/advisories/mfsa2024-35/

[4] Security Vulnerabilities fixed in Thunderbird 128.1

https://www.mozilla.org/en-US/security/advisories/mfsa2024-37/

[5] Security Vulnerabilities fixed in Thunderbird 115.14

https://www.mozilla.org/en-US/security/advisories/mfsa2024-38/

Article Link: Mozilla Products August 2024 1st Security Update Advisory – ASEC