CRITICAL🇵🇱 Wersja polska

CVE-2024-6611

CVSS 9.8v3.1pub. 2024-07-09upd. 2025-04-04

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128 and Thunderbird < 128.

🤖 AI Analysis
How it works

The attack exploits a nested iframe element that triggers cross-site navigation. Under normal circumstances, cookies with the SameSite=Strict or SameSite=Lax attribute should not be sent in requests initiated from other websites. However, a bug in the browser's logic causes SameSite restrictions to be bypassed in the described scenario, and cookies are included in the request despite crossing the origin boundary. This allows an attacker to carry out an attack from an external website with the victim's authentication.

Impact

An attacker can bypass SameSite cookie protections and send authenticated requests on behalf of the victim to other websites, effectively opening the door to Cross-Site Request Forgery (CSRF) attacks and unauthorized access to resources protected by the user's session.

Mitigation & patch

Mozilla Firefox should be updated to version 128 or newer, and Mozilla Thunderbird should be updated to version 128 or newer. Patches have been described in official Mozilla security bulletins MFSA2024-29 and MFSA2024-32.

Who is affected

Mozilla Firefox in versions below 128 and Mozilla Thunderbird in versions below 128.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 128.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 128.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...