CVE-2024-11700

Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1836921	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-63/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-67/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

History

03 Apr 2025, 13:32

Type	Values Removed	Values Added
First Time		Mozilla Mozilla firefox Mozilla thunderbird
CPE		cpe:2.3:a:mozilla:thunderbird:::::::: cpe:2.3:a:mozilla:firefox::::::::
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1836921 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1836921 - Issue Tracking
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-63/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-63/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2024-67/ -~~	() https://www.mozilla.org/security/advisories/mfsa2024-67/ - Vendor Advisory

Information

Published : 2024-11-26 14:15

Updated : 2025-04-03 13:32

NVD link : CVE-2024-11700

Mitre link : CVE-2024-11700

CVE.ORG link : CVE-2024-11700

JSON object : View

Products Affected

mozilla

firefox
thunderbird

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

{"id": "CVE-2024-11700", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-11-26T14:15:19.523", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1836921", "tags": ["Issue Tracking"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-63/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-67/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-1021"}]}], "descriptions": [{"lang": "en", "value": "Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133."}, {"lang": "es", "value": "Es posible que los sitios web maliciosos hayan podido confirmar la intenci\u00f3n del usuario mediante tapjacking. Esto podr\u00eda haber provocado que los usuarios aprobaran sin saberlo el lanzamiento de aplicaciones externas, lo que podr\u00eda exponerlos a vulnerabilidades subyacentes. Esta vulnerabilidad afecta a Firefox < 133 y Thunderbird < 133."}], "lastModified": "2025-04-03T13:32:01.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F82571FC-4DDE-4C63-BD2B-8CF2FFEA28A8", "versionEndExcluding": "133.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75D1724C-A89A-46A9-988C-09A4019D9956", "versionEndExcluding": "133.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}