CVSSv3: 9.8

CVE-2024-9680

Published: 09/10/2024 Updated: 26/11/2024

Vulnerability Summary

Exploited Use-After-Free Code Execution in Firefox Animation Timelines

An attacker managed to run code in the content process by exploiting a use-after-free flaw in Animation timelines. This vulnerability has been reported as being exploited in the wild. It affects Firefox versions below 131.0.2, Firefox ESR below 128.3.1, and Firefox ESR below 115.16.1.

Vulnerable Products

mozilla firefox

mozilla thunderbird

mozilla thunderbird 131.0

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #1084989 thunderbird: new upstream release (128.3.1) fixing critical CVE-2024-9680. Package: thunderbird; Maintainer for thunderbird is Carsten Schoenert <cschoenert@t-onlinede>; Source for thunderbird is src:thunderbird (PTS, buildd, popcon). Reported by: Rodrigo Campos <rodrigo@sdfgcomar> ...
A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131 (CVE-2024-9392). An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript ...
Mozilla Foundation Security Advisory 2024-51: Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1. Announced: October 9, 2024. Impact: critical. Products: Firefox, Firefox ESR. Fixed in ...
Mozilla Foundation Security Advisory 2024-52: Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0. Announced: October 10, 2024. Impact: critical. Products: Thunderbird. Fixed in ...
Check Point Reference: CPAI-2024-0981. Date Published: 21 Oct 2024. Severity: Critical ...

Github Repositories

A proposal to curtail the power of "thenable" objects.

Curtailing the power of "Thenables". Quoting MDN: The JavaScript ecosystem had made multiple Promise implementations long before it became part of the language. Despite being represented differently internally, at the minimum, all Promise-like objects implement the Thenable interface. A thenable implements the then() method, which is called with two callbacks: one fo

Firefox CVE-2024-9680. Description: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 1

Recent Articles

Firefox and Windows zero-days exploited by Russian RomCom hackers
BleepingComputer • Sergiu Gatlan • 26 Nov 2024

By Sergiu Gatlan, November 26, 2024, 07:13 AM. Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America. The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day afte...

SolarWinds Web Help Desk flaw is now exploited in attacks
BleepingComputer • Bill Toulas • 16 Oct 2024

By Bill Toulas, October 16, 2024, 03:53 PM. CISA has added three flaws to its 'Known Exploited Vulnerabilities' (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024. SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations. The SolarWind...

Mozilla fixes Firefox zero-day actively exploited in attacks
BleepingComputer • Bill Toulas • 09 Oct 2024

By Bill Toulas, October 9, 2024, 01:34 PM. Mozilla has issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability that is currently exploited in attacks. The vulnerability, tracked as CVE-2024-9680, and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines. This type of flaw occurs when memory that has been freed is still used by the program, allowi...

Interpol nabs thousands, seizes millions in global cybercrime-busting op
The Register

Also, script kiddies still a threat, Tornado Cash is back, UK firms lose billions to avoidable attacks, and more

Infosec in brief: Interpol and its financial supporters in the South Korean government are back with another round of anti-cybercrime arrests via the fifth iteration of Operation HAECHI, this time nabbing more than 5,500 people suspected of scamming and seizing hundreds of millions in digital and fiat currencies. HAECHI V, an operation which ran from July to November of this year, was funded by South Korea but involved cooperation with law enforcement in 40 countries. The op targeted seven ...

Mozilla patches critical Firefox vuln that attackers are already exploiting
The Register

Firefixed: It's maintenance time for low-complexity, high-impact security flaw

It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser. Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's animation progresses. The most alarming aspect of the advisory, however, was Mozilla revealing that the vulnerability is being exploited in the wild already. Underlining the severity of the vulnerabili...