Overview
Updates have been made available to address vulnerabilities in Mozilla products (Firefox, Firefox ESR, and Thunderbird). Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-7518, CVE-2024-7520, CVE-2024-7528
- Firefox versions: ~ 129 (excluded)
- Firefox ESR version: ~ 128.1 (excluded)
- Thunderbird version: ~ 128.1 (excluded)
CVE-2024-7519, CVE-2024-7521, CVE-2024-7522, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527
- Firefox versions: ~ 129 (excluded)
- Firefox ESR version: ~ 115.14 (excluded)
- Firefox ESR version: ~ 128.1 (excluded)
- Thunderbird version: ~ 128.1 (excluded)
- Thunderbird version: ~ 115.14 (excluded)
CVE-2024-7523
- Firefox version: ~ 129 (excluded)
CVE-2024-7524
- Firefox version: ~ 129 (excluded)
- Firefox ESR version: ~ 115.14 (excluded)
- Firefox ESR version: ~ 128.1 (excluded)
Resolved Vulnerabilities
Vulnerability that could allow malicious sites to conduct spoofing attacks (CVE-2024-7518)
Insufficient checking when handling graphics shared memory could have resulted in memory corruption (CVE-2024-7519)
A vulnerability that could allow an attacker to exploit a type confusion bug in WebAssembly to potentially achieve code execution (CVE-2024-7520)
Incomplete WebAssembly exception handling could lead to a use-after-free vulnerability (CVE-2024-7521)
Vulnerability where editor code failed to check property values, which could result in out-of-bounds reads (CVE-2024-7522)
A vulnerability where a selection option could be used to partially obscure a security prompt, which could be used by a malicious site to trick a user into granting authorization (CVE-2024-7523)
Vulnerability that could allow an attacker to inject HTML elements on a site protected by Content Security Policy in “strict-dynamic” mode, which could allow an attacker to use a DOM clobbering attack on some shims to achieve XSS and bypass CSP strict-dynamic protection (CVE-2024-7524)
Vulnerability in which a web extension with minimal privileges could create a StreamFilter that could be used to read and modify the response body of requests from all sites (CVE-2024-7525)
ANGLE failed to initialize parameters, which could allow sensitive data to be leaked from memory by exploiting reads from uninitialized memory (CVE-2024-7526)
An unexpected marking operation at the start of sweeping could result in a use-after-free (CVE-2024-7527)
Vulnerability in IndexedDB that could lead to a use-after-free due to incorrect garbage collection interaction (CVE-2024-7528)
Vulnerability Patches
The following vulnerability patches were made available in the 08/06/2024 update. For more information on each patch, refer to the Mozilla advisories listed under Referenced Sites.
CVE-2024-7518, CVE-2024-7520, CVE-2024-7528
- Firefox version: 129
- Firefox ESR version: 128.1
- Thunderbird version: 128.1
CVE-2024-7519, CVE-2024-7521, CVE-2024-7522, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527
- Firefox version: 129
- Firefox ESR version: 115.14
- Firefox ESR version: 128.1
- Thunderbird version: 128.1
- Thunderbird version: 115.14
CVE-2024-7523
- Firefox version: 129
CVE-2024-7524
- Firefox version: 129
- Firefox ESR version: 115.14
- Firefox ESR version: 128.1
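A branch-aware version check built from the fixed versions listed above, as an added example that is not part of the original advisory or of Mozilla's tooling. The product keys, function names and inventory rows are assumptions; where the page lists no fix for an installed ESR branch, the version is reported as unpatched, following the page's "below 128.1" range literally.

```python
import re

# Fixed versions transcribed from the "Vulnerability Patches" section of this advisory.
G1 = ["CVE-2024-7518", "CVE-2024-7520", "CVE-2024-7528"]
G2 = ["CVE-2024-7519", "CVE-2024-7521", "CVE-2024-7522",
      "CVE-2024-7525", "CVE-2024-7526", "CVE-2024-7527"]
# Product keys are hypothetical labels; each entry is (CVE IDs, fixed version per branch).
FIXED = {
    "firefox": [(G1, ["129"]), (G2, ["129"]),
                (["CVE-2024-7523"], ["129"]), (["CVE-2024-7524"], ["129"])],
    "firefox-esr": [(G1, ["128.1"]), (G2, ["115.14", "128.1"]),
                    (["CVE-2024-7524"], ["115.14", "128.1"])],
    "thunderbird": [(G1, ["128.1"]), (G2, ["115.14", "128.1"])],
}

def parse(version):
    """'115.14.0esr' -> (115, 14, 0); missing components count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_patched(installed, fixed_versions):
    """Compare against the fix for the same major branch when one is listed."""
    inst = parse(installed)
    fixes = [parse(f) for f in fixed_versions]
    same_branch = [f for f in fixes if f[0] == inst[0]]
    if same_branch:
        return inst >= same_branch[0]
    # No fix listed for this branch: patched only if newer than every listed fix.
    return inst > max(fixes)

def open_cves(product, installed):
    """CVE IDs from this advisory that the installed version is still exposed to."""
    return [cve for cves, fixes in FIXED[product]
            if not is_patched(installed, fixes) for cve in cves]

if __name__ == "__main__":
    # Constructed inventory rows (host, product, version) for illustration.
    inventory = [("ws-01", "firefox", "128.0.3"),
                 ("ws-02", "firefox-esr", "115.14.0esr"),
                 ("ws-03", "thunderbird", "128.1.0")]
    for host, product, version in inventory:
        missing = open_cves(product, version)
        print(f"{host} {product} {version}: {', '.join(missing) or 'up to date'}")
```

Comparing within the installed major branch matters for ESR: 115.14 is numerically lower than 128.1 but carries the fixes listed for its own branch.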
Referenced Sites
[1] Security Vulnerabilities fixed in Firefox 129
https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
[2] Security Vulnerabilities fixed in Firefox ESR 115.14
https://www.mozilla.org/en-US/security/advisories/mfsa2024-34/
[3] Security Vulnerabilities fixed in Firefox ESR 128.1
https://www.mozilla.org/en-US/security/advisories/mfsa2024-35/
[4] Security Vulnerabilities fixed in Thunderbird 128.1
https://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
[5] Security Vulnerabilities fixed in Thunderbird 115.14
https://www.mozilla.org/en-US/security/advisories/mfsa2024-38/
Article Link: Mozilla Products August 2024 1st Security Update Advisory – ASEC