CVE-2024-7524

CVSS v3.1 6.1 (Medium)
EPSS 0.05% (22nd)
Affected Products 2
Advisories 15
NVD Status Analyzed

Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Weaknesses
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE Status
PUBLISHED
NVD Status
Analyzed
CNA
Mozilla Corporation
Published Date
2024-08-06 13:15:57
(5 weeks ago)
Updated Date
2024-08-29 17:35:34
(2 weeks ago)

Affected Products


Configuration #1

  Product                                                          CPE23                          From       Up To
  Mozilla Firefox prior to version 129.0                           cpe:2.3:a:mozilla:firefox                 < 129.0
  Mozilla Firefox ESR prior to version 115.14                      cpe:2.3:a:mozilla:firefox_esr             < 115.14
  Mozilla Firefox ESR from version 116.0 and prior to version 128.1  cpe:2.3:a:mozilla:firefox_esr  >= 116.0   < 128.1