CVE-2024-8382
First published: Tue Sep 03 2024(Updated: )
Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/firefox | 131.0.3-1 | |
| debian/firefox-esr | <=115.14.0esr-1~deb11u1<=115.14.0esr-1~deb12u1 | 128.3.1esr-1~deb11u1 128.3.1esr-1~deb12u1 128.3.1esr-2 |
| debian/thunderbird | <=1:115.12.0-1~deb11u1<=1:115.12.0-1~deb12u1 | 1:115.16.0esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.2.0esr-1 1:128.3.0esr-1 |
| Thunderbird | <115.15 | 115.15 |
| Thunderbird | <128.2 | 128.2 |
| Firefox | <130 | 130 |
| Firefox | <130.0 | |
| Firefox ESR | <115.15 | |
| Firefox ESR | >=128.0<128.2 | |
| Firefox ESR | <115.15 | 115.15 |
| Firefox ESR | <128.2 | 128.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1906744
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-40/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/
- https://www.mozilla.org/security/advisories/mfsa2024-39/
- https://www.mozilla.org/security/advisories/mfsa2024-40/
- https://www.mozilla.org/security/advisories/mfsa2024-41/
- https://www.mozilla.org/security/advisories/mfsa2024-43/
- https://www.mozilla.org/security/advisories/mfsa2024-44/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8382
- https://nvd.nist.gov/vuln/detail/CVE-2024-8382
- https://launchpad.net/bugs/cve/CVE-2024-8382
- https://security-tracker.debian.org/tracker/CVE-2024-8382
- https://ubuntu.com/security/CVE-2024-8382
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8382
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8382
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8382
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8382
- https://access.redhat.com/errata/RHSA-2024:6682
- https://access.redhat.com/errata/RHSA-2024:6681
- https://access.redhat.com/errata/RHSA-2024:6684
- https://access.redhat.com/errata/RHSA-2024:6683
- https://access.redhat.com/errata/RHSA-2024:6722
- https://access.redhat.com/errata/RHSA-2024:6720
- https://access.redhat.com/errata/RHSA-2024:6723
- https://access.redhat.com/errata/RHSA-2024:6721
- https://access.redhat.com/errata/RHSA-2024:6719
- https://access.redhat.com/errata/RHSA-2024:6816
- https://access.redhat.com/errata/RHSA-2024:6838
- https://bugzilla.redhat.com/show_bug.cgi?id=2309428
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2024-8382?
CVE-2024-8382 is considered a moderate severity vulnerability that exposes internal browser event interfaces.
How do I fix CVE-2024-8382?
To resolve CVE-2024-8382, update Mozilla Firefox or Thunderbird to the latest version beyond 130 for Firefox and 128.2 for Firefox ESR.
What versions of Mozilla products are affected by CVE-2024-8382?
CVE-2024-8382 affects Mozilla Firefox versions up to 130 and Firefox ESR versions up to 128.2.
What is the nature of the vulnerability described in CVE-2024-8382?
CVE-2024-8382 involves the exposure of internal browser event interfaces to web content, potentially indicating certain features.
Are there any alternatives to fix CVE-2024-8382?
Updating to the specified versions is the primary method to mitigate CVE-2024-8382, with no direct alternatives recommended.
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-8382
- agent/last-modified-date
- agent/references
- agent/source
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/debian
- vendor/mozilla
- canonical/thunderbird
- canonical/firefox
- canonical/firefox esr
- version/firefox esr/128.0