CVE-2024-9393

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-346
View all →

Vulnerability Description

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Related Vulnerabilities

CVE-2001-1452

HIGH
CVSS:7.5(High)

By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which allows remote attackers to poison the DNS cache via spoofed DNS res...

CWE-3462001

CVE-2005-0877

HIGH
CVSS:7.5(High)

Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.

CWE-3462005

CVE-2014-1487

HIGH
CVSS:7.5(High)

The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy...

CWE-3462014

CVE-2016-5168

HIGH
CVSS:7.5(High)

Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information.

CWE-3462016

CVE-2016-9902

HIGH
CVSS:7.5(High)

The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inj...

CWE-3462016

CVE-2017-7561

HIGH
CVSS:7.5(High)

Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.

CWE-3462017