CVE-2024-9393

Public on 2024-10-01
Modified on 2024-10-07
Description
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Severity
Important severity
Important
CVSS v3 Base Score
7.6
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Firefox Extra firefox 2024-10-24 ALAS2FIREFOX-2024-031 Fixed
Amazon Linux 2 - Core thunderbird Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N