CVE-2024-0750

8.8 HIGH

📋 TL;DR

A timing vulnerability in Firefox, Firefox ESR, and Thunderbird allows attackers to manipulate popup notification delays, tricking users into granting unintended permissions. This affects users running vulnerable versions of these applications. Attackers could exploit this through malicious websites or emails.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 122, Firefox ESR < 115.7, Thunderbird < 115.7
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no special settings required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized permissions (camera, microphone, location, notifications) leading to privacy violations, data theft, or further system compromise.

🟠 Likely Case

Users inadvertently grant permissions to malicious sites, enabling tracking, unwanted notifications, or limited data access.

🟢 If Mitigated

With user awareness training and proper browser settings, exploitation attempts are recognized and denied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward via malicious websites or emails.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 122, Firefox ESR 115.7, Thunderbird 115.7

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-01/

Restart Required: Yes

Instructions:

1. Open the application.
2. Go to Help > About Firefox/Thunderbird.
3. Allow the update to download and install.
4. Restart the application.

🔧 Temporary Workarounds

Disable automatic permission prompts

Platforms: all

Configure the browser to block permission requests by default:

about:config > permissions.default.image = 2
about:config > permissions.default.geo = 2

🧯 If You Can't Patch

  • Train users to be cautious with permission prompts and verify URLs before granting access.
  • Use alternative browsers or email clients that are not affected by this vulnerability.

🔍 How to Verify

Check if Vulnerable:

Check the application version in Help > About Firefox/Thunderbird and compare to affected versions.

Check Version:

firefox --version
thunderbird --version

Verify Fix Applied:

Confirm version is Firefox ≥122, Firefox ESR ≥115.7, or Thunderbird ≥115.7.
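The version comparison above has one trap: Firefox ESR reports a 115.x version string, so a plain "is it below 122?" check would flag a fully patched ESR 115.7 as vulnerable. The script below is an added example (not from the page or from Mozilla) that parses the output of `firefox --version` / `thunderbird --version`, tells ESR apart from release Firefox, and compares against the fixed versions from the advisory. It assumes the usual output shapes `Mozilla Firefox 121.0.1`, `Mozilla Firefox 115.6.0esr` and `Thunderbird 115.6.1`; if your build prints something else, adjust the regular expression.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions stated in the advisory for CVE-2024-0750 (MFSA 2024-01).
# Only major.minor matters for the comparison.
FIXED = {
    "firefox": (122, 0),
    "firefox-esr": (115, 7),
    "thunderbird": (115, 7),
}

# Assumed output shapes of the --version commands (constructed for this example):
#   "Mozilla Firefox 121.0.1"      -> release Firefox
#   "Mozilla Firefox 115.6.0esr"   -> Firefox ESR (note the "esr" suffix)
#   "Thunderbird 115.6.1"          -> Thunderbird
_VERSION_RE = re.compile(
    r"^(?P<product>Mozilla Firefox|Thunderbird)\s+"
    r"(?P<ver>\d+(?:\.\d+)*)(?P<esr>esr)?\s*$"
)


def parse_version_line(line: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product_key, version_tuple) or None if the line is not recognised."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group("ver").split("."))
    if m.group("product") == "Thunderbird":
        product = "thunderbird"
    elif m.group("esr"):
        product = "firefox-esr"
    else:
        product = "firefox"
    return product, parts


def is_vulnerable(line: str) -> Optional[bool]:
    """True if the reported build is older than the fixed version for its channel.

    Returns None when the line cannot be parsed, so callers can tell
    "unknown" apart from "patched".
    """
    parsed = parse_version_line(line)
    if parsed is None:
        return None
    product, parts = parsed
    major_minor = (parts[0], parts[1] if len(parts) > 1 else 0)
    return major_minor < FIXED[product]


def check_installed(binary: str) -> Optional[bool]:
    """Run `<binary> --version` on this host and classify the result.

    Returns None if the binary is missing or its output is not recognised.
    """
    try:
        out = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=30
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(out.stdout)


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        state = check_installed(name)
        label = {None: "not found / unrecognised", True: "VULNERABLE", False: "patched"}[state]
        print(f"{name}: {label}")
```

Run it on each endpoint after the update rollout; a `True` for any binary means the fix in the "Official Fix" section still needs to be applied there.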

📡 Detection & Monitoring

Log Indicators:

  • Unusual permission grants in browser logs
  • Multiple permission prompts from single site in short timeframe

Network Indicators:

  • Requests to known malicious domains triggering permission prompts

SIEM Query:

source="browser_logs" AND event="permission_granted" AND user_agent="*Firefox*" AND version<122
