Description

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

PUBLISHED Reserved 2024-10-01 | Published 2024-10-01 | Updated 2025-11-03 | Assigner mozilla

Problem types

Cross-origin access to JSON contents through multipart responses

Product status

Any version before 131: affected

Any version before 128.3: affected

Any version before 115.16: affected

Any version before 128.3: affected

Any version before 131: affected

Credits

Masato Kinugawa

References

lists.debian.org/debian-lts-announce/2024/10/msg00006.html

lists.debian.org/debian-lts-announce/2024/10/msg00004.html

bugzilla.mozilla.org/show_bug.cgi?id=1918874

www.mozilla.org/security/advisories/mfsa2024-46/

www.mozilla.org/security/advisories/mfsa2024-47/

www.mozilla.org/security/advisories/mfsa2024-48/

www.mozilla.org/security/advisories/mfsa2024-49/

www.mozilla.org/security/advisories/mfsa2024-50/

cve.org (CVE-2024-9394)

nvd.nist.gov (CVE-2024-9394)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.