CVE-2024-6607

Description

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128.

CVSS v3.1 Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-763 CWE-763

Affected Products

Vendor	Product	Versions
mozilla	firefox	< 128.0
mozilla	thunderbird	< 128.0

References

Advisories & Patches

https://www.mozilla.org/security/advisories/mfsa2024-29/ https://www.mozilla.org/security/advisories/mfsa2024-32/ https://www.mozilla.org/security/advisories/mfsa2024-29/ https://www.mozilla.org/security/advisories/mfsa2024-32/

Exploits

https://bugzilla.mozilla.org/show_bug.cgi?id=1694513 https://bugzilla.mozilla.org/show_bug.cgi?id=1694513

Frequently Asked Questions

What is CVE-2024-6607? +

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128. It has a CVSS v3.1 base score of 8.8 (HIGH).

How severe is CVE-2024-6607? +

CVE-2024-6607 has a CVSS v3.1 score of 8.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2024-6607? +

CVE-2024-6607 affects products from mozilla, specifically: firefox, thunderbird. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-6607? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-13824

A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault …

CVE-2024-44852 9.8

Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble was discovered to contain a segmentation violation via the component theta_star::ThetaStar::isUnsafeToPlan().

CVE-2025-25215 8.8

An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior …

CVE-2023-43532 8.4

Memory corruption while reading ACPI config through the user mode app.

CVE-2021-47087 7.8

In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix incorrect page free bug Pointer to the …

CVE-2024-2955 7.8

T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or …