CVE-2024-5692

Improper Input Validation (CWE-20)

Published: Jun 11, 2024

CVSS 6.5 | EPSS 0.05% | Medium

[Moderate] On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as .url by including an invalid character in the extension. Note: This issue only affected Windows operating systems. Other operating systems are unaffected.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-5692.

Jun 11, 2024 at 1:15 PM / Mozilla Foundation Security Advisories
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 11, 2024 at 1:15 PM
CVE Assignment

NVD published the first details for CVE-2024-5692

Jun 11, 2024 at 1:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (200316)

Jun 11, 2024 at 7:15 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-5692).

Jun 11, 2024 at 9:01 PM
CVSS

A CVSS base score of 6.1 has been assigned.

Jun 11, 2024 at 9:01 PM / redhat-cve-advisories
EPSS

EPSS Score was set to: 0.05% (Percentile: 15.4%)

Jun 12, 2024 at 1:34 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (756456)

Jun 13, 2024 at 1:15 AM
CVSS

A CVSS base score of 6.5 has been assigned.

Aug 1, 2024 at 2:05 PM / nvd

Affected Systems

Mozilla/firefox

Patches

Mozilla Advisory

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

Mozilla Foundation Security Advisory 2024-28
By tricking the browser with an X-Frame-Options header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. CVE-2024-5691 - Sandboxed iframes were able to bypass sandbox restrictions to open a new window

News

Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak for Multicloud Management
Vulnerability Details CVEID: CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding headers. By sending a specially crafted HTTP(S) transfer-encoding header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287833 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVEID:
Oracle Solaris update for third-party components
The vulnerability allows a remote attacker to execute arbitrary code on the target system. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Oracle Solaris Third Party Bulletin
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released.
SUSE: 2024:2399-1 important: MozillaFirefox Security Advisory Updates
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
Security: Multiple issues in MozillaFirefox (SUSE)
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
