Vulnerability Description
Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary code execution or unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS < 122.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox Focus | < 122.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1855575Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2024-03/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1855575Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2024-03/Vendor Advisory
FAQ
What is CVE-2024-0605?
CVE-2024-0605 is a vulnerability with a CVSS score of 7.5 (HIGH). Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitrary ...
How severe is CVE-2024-0605?
CVE-2024-0605 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-0605?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox Focus.