CVE-2024-2609 : The permission prompt input delay could expire while the window is not in focus.

The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.

Published 2024-03-19 12:02:55

Updated 2025-04-01 17:19:51

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2024-2609

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » ESR Edition
Versions before (<) 115.10.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Matching versions
Mozilla » Firefox »
Versions before (<) 124.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 115.10.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-2609

EPSS FAQ

0.82%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-2609

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-08-28
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2024-2609

CWE-356 Product UI does not Warn User of Unsafe Actions

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-2609

https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html

[SECURITY] [DLA 3791-1] thunderbird security update
Mailing List

CVEs referencing this url
https://www.mozilla.org/security/advisories/mfsa2024-19/

Security Vulnerabilities fixed in Firefox ESR 115.10 — Mozilla
Vendor Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1866100

Access Denied
Issue Tracking;Exploit;Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-12/

Security Vulnerabilities fixed in Firefox 124 — Mozilla
Vendor Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html

[SECURITY] [DLA 3790-1] firefox-esr security update
Mailing List

CVEs referencing this url
https://www.mozilla.org/security/advisories/mfsa2024-20/

Security Vulnerabilities fixed in Thunderbird 115.10 — Mozilla
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-2609

Products affected by CVE-2024-2609

Exploit prediction scoring system (EPSS) score for CVE-2024-2609

CVSS scores for CVE-2024-2609

CWE ids for CVE-2024-2609

References for CVE-2024-2609