CVE-2024-8386 - Vulnerability Details

If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mozilla	Firefox Firefox Esr
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.2.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2024:6838	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.2.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:6682	2024-09-16T00:00:00Z
thunderbird-0:128.2.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:6684	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
thunderbird-0:128.2.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:6723	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:6839	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
thunderbird-0:128.2.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:6721	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:6891	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
thunderbird-0:128.2.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:6721	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:6891	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
thunderbird-0:128.2.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:6721	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:6891	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.2.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:6892	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
thunderbird-0:128.2.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:6816	2024-09-19T00:00:00Z
firefox-0:128.2.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:6892	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.2.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:6892	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
thunderbird-0:128.2.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:6719	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:6850	2024-09-19T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.2.0-1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:6681	2024-09-16T00:00:00Z
thunderbird-0:128.2.0-1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:6683	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
thunderbird-0:128.2.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:6722	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:6782	2024-09-18T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
thunderbird-0:128.2.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:6720	2024-09-17T00:00:00Z
firefox-0:128.2.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:6786	2024-09-18T00:00:00Z

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1907032
https://bugzilla.mozilla.org/show_bug.cgi?id=1909163
https://bugzilla.mozilla.org/show_bug.cgi?id=1909529
https://nvd.nist.gov/vuln/detail/CVE-2024-8386
https://www.cve.org/CVERecord?id=CVE-2024-8386
https://www.mozilla.org/security/advisories/mfsa2024-39/
https://www.mozilla.org/security/advisories/mfsa2024-40/
https://www.mozilla.org/security/advisories/mfsa2024-43/

History

Wed, 30 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-290

Thu, 19 Sep 2024 23:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6

Thu, 19 Sep 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Thu, 19 Sep 2024 10:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_tus:8.6

Tue, 17 Sep 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_tus:8.4
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus

Tue, 17 Sep 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Fri, 06 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Description	If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130 and Firefox ESR < 128.2.	If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.
References		https://www.mozilla.org/security/advisories/mfsa2024-43/

Fri, 06 Sep 2024 13:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-358

Wed, 04 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla firefox Esr
Weaknesses		CWE-601
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:firefox_esr::::::::
Vendors & Products		Mozilla Mozilla firefox Mozilla firefox Esr
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Tue, 03 Sep 2024 17:00:00 +0000

Type	Values Removed	Values Added
Title		mozilla: SelectElements could be shown over another site if popups are allowed
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8386 https://www.cve.org/CVERecord?id=CVE-2024-8386
Metrics	threat_severity `None`	threat_severity `Low`

Tue, 03 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Sep 2024 13:00:00 +0000

Type	Values Removed	Values Added
Description		If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130 and Firefox ESR < 128.2.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1907032 https://bugzilla.mozilla.org/show_bug.cgi?id=1909163 https://bugzilla.mozilla.org/show_bug.cgi?id=1909529 https://www.mozilla.org/security/advisories/mfsa2024-39/ https://www.mozilla.org/security/advisories/mfsa2024-40/

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2024-09-03T12:32:19.249Z

Updated: 2024-11-21T15:06:53.584Z

Reserved: 2024-09-03T06:39:14.172Z

Link: CVE-2024-8386

Vulnrichment

Updated: 2024-09-03T15:44:00.816Z

NVD

Status : Modified

Published: 2024-09-03T13:15:05.860

Modified: 2024-10-30T17:35:16.450

Link: CVE-2024-8386

Redhat

Severity : Low

Publid Date: 2024-09-03T13:15:05Z

Links: CVE-2024-8386 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8386", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2024-09-03T06:39:14.172Z", "datePublished": "2024-09-03T12:32:19.249Z", "dateUpdated": "2024-11-21T15:06:53.584Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "130", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "128.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2."}]}], "problemTypes": [{"descriptions": [{"description": "SelectElements could be shown over another site if popups are allowed", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1907032"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909163"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909529"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-39/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-40/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-43/"}], "credits": [{"lang": "en", "value": "Shaheen Fazim, Hafiizh"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-09-06T18:31:06.466Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T15:44:49.005338Z", "id": "CVE-2024-8386", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T15:06:53.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-8386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-03T15:44:49.005338Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:44:00.816Z"}}], "cna": {"credits": [{"lang": "en", "value": "Shaheen Fazim, Hafiizh"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "130", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.2", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.2", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1907032"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909163"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909529"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-39/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-40/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-43/"}], "descriptions": [{"lang": "en", "value": "If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.", "supportingMedia": [{"type": "text/html", "value": "If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "SelectElements could be shown over another site if popups are allowed"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-09-06T18:31:06.466Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8386", "state": "PUBLISHED", "dateUpdated": "2024-11-21T15:06:53.584Z", "dateReserved": "2024-09-03T06:39:14.172Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2024-09-03T12:32:19.249Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "87E41A09-924E-494F-BDF3-8C17EF330178", "versionEndExcluding": "130.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "4530A3A8-2C08-4E9B-9CCB-1B6A65780491", "versionEndExcluding": "128.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2."}, {"lang": "es", "value": "Si a un sitio se le hubiera otorgado permiso para abrir ventanas emergentes, podr\u00eda provocar que los elementos Select aparecieran sobre otro sitio para realizar un ataque de suplantaci\u00f3n de identidad. Esta vulnerabilidad afecta a Firefox < 130 y Firefox ESR < 128.2."}], "id": "CVE-2024-8386", "lastModified": "2024-10-30T17:35:16.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-03T13:15:05.860", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1907032"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909163"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909529"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-39/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-40/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2024-43/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6838", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.2.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6682", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.2.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-16T00:00:00Z"}, {"advisory": "RHSA-2024:6684", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.2.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-16T00:00:00Z"}, {"advisory": "RHSA-2024:6723", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.2.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6839", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.2.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6721", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6891", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6721", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6891", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6721", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6891", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.2.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6892", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.2.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6816", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.2.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6892", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.2.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6892", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.2.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6719", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.2.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6850", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.2.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6681", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.2.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-16T00:00:00Z"}, {"advisory": "RHSA-2024:6683", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.2.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-16T00:00:00Z"}, {"advisory": "RHSA-2024:6722", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.2.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6782", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.2.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-09-18T00:00:00Z"}, {"advisory": "RHSA-2024:6720", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.2.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-17T00:00:00Z"}, {"advisory": "RHSA-2024:6786", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.2.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-18T00:00:00Z"}], "bugzilla": {"description": "mozilla: SelectElements could be shown over another site if popups are allowed", "id": "2309432", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309432"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-358", "details": ["If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.", "The Mozilla Foundation's Security Advisory: If a site had been granted permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack."], "name": "CVE-2024-8386", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-09-03T13:15:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8386\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8386\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1907032\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1909163\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1909529\nhttps://www.mozilla.org/security/advisories/mfsa2024-39/\nhttps://www.mozilla.org/security/advisories/mfsa2024-40/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object