A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Debian
  • Debian Linux
Mozilla
  • Firefox
  • Firefox Esr
  • Thunderbird
Open-xchange
  • Open-xchange Appsuite Frontend
Redhat
  • Enterprise Linux
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus

Configuration 1 [-]

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:-:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision10:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision11:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision12:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision13:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision14:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision15:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision16:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision17:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision18:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision19:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision20:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision21:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision22:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision23:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision24:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision25:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision26:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision27:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision28:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision29:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision3:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision30:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision31:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision32:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision33:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision34:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision35:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision36:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision37:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision38:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision39:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision4:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision40:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision41:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision42:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision43:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision44:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision5:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision6:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision7:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision8:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision9:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 7
firefox-0:115.11.0-1.el7_9 cpe:/o:redhat:enterprise_linux:7 RHSA-2024:2881 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el7_9 cpe:/o:redhat:enterprise_linux:7 RHSA-2024:2913 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:115.11.0-1.el8_10 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:3783 2024-06-10T00:00:00Z
thunderbird-0:115.11.0-1.el8_10 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:3784 2024-06-10T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:115.11.0-1.el8_2 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:2882 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el8_2 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:3338 2024-05-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:115.11.0-1.el8_4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:2886 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el8_4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:2911 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:115.11.0-1.el8_4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:2886 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el8_4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:2911 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:115.11.0-1.el8_4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:2886 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el8_4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:2911 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
firefox-0:115.11.0-1.el8_6 cpe:/a:redhat:rhel_eus:8.6 RHSA-2024:2887 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el8_6 cpe:/a:redhat:rhel_eus:8.6 RHSA-2024:2912 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:115.11.0-1.el8_8 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:2885 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el8_8 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:2905 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:115.11.0-1.el9_4 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:2883 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el9_4 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:2888 2024-05-16T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
firefox-0:115.11.0-1.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2024:2884 2024-05-16T00:00:00Z
thunderbird-0:115.11.0-1.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2024:2904 2024-05-20T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
thunderbird-0:115.11.0-1.el9_2 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:2903 2024-05-20T00:00:00Z
firefox-0:115.11.0-1.el9_2 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:2906 2024-05-20T00:00:00Z
References
Link Providers
http://seclists.org/fulldisclosure/2024/Aug/30 cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-4367 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-4367 cve-icon
https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/#CVE-2024-4367 cve-icon
https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/#CVE-2024-4367 cve-icon
https://www.mozilla.org/security/advisories/mfsa2024-21/ cve-icon cve-icon
https://www.mozilla.org/security/advisories/mfsa2024-22/ cve-icon cve-icon
https://www.mozilla.org/security/advisories/mfsa2024-23/ cve-icon cve-icon
History

Wed, 22 Jan 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
Open-xchange
Open-xchange open-xchange Appsuite Frontend
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:-:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision10:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision11:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision12:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision13:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision14:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision15:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision16:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision17:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision18:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision19:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision20:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision21:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision22:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision23:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision24:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision25:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision26:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision27:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision28:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision29:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision30:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision31:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision32:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision33:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision34:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision35:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision36:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision37:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision38:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision39:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision3:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision40:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision41:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision42:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision43:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision44:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision4:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision5:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision6:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision7:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision8:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision9:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux
Open-xchange
Open-xchange open-xchange Appsuite Frontend
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Fri, 01 Nov 2024 04:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:-:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Aug 2024 00:30:00 +0000

Type Values Removed Values Added
References
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2025-02-13T17:53:33.642Z

Reserved: 2024-04-30T19:08:43.037Z

Link: CVE-2024-4367

cve-icon Vulnrichment

Updated: 2024-08-22T23:03:16.895Z

cve-icon NVD

Status : Analyzed

Published: 2024-05-14T18:15:12.467

Modified: 2025-01-22T17:16:51.557

Link: CVE-2024-4367

cve-icon Redhat

Severity : Important

Publid Date: 2024-05-14T00:00:00Z

Links: CVE-2024-4367 - Bugzilla