CVE-2024-10460

5.3 MEDIUM

📋 TL;DR

This vulnerability lets an attacker obscure the origin shown in the external protocol handler prompt by placing the triggering content in a data: URL inside an iframe, so the user sees a prompt that appears to come from a trusted site and may approve launching an external application. It affects Firefox, Firefox ESR and Thunderbird users on builds older than the fixed versions below. The attack needs user interaction: the prompt is still shown, but the origin it displays is misleading, which weakens the warning rather than bypassing it outright.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 132; Firefox ESR < 128.4; Thunderbird < 128.4 (128 ESR line); Thunderbird < 132
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Every default configuration of an affected version is vulnerable. The technique relies on script running in the attacker's page and on the user accepting the external protocol handler prompt.

📦 What is this software?

Firefox is Mozilla's web browser. Firefox ESR (Extended Support Release) is the long-lived branch, on the 128.x series at the time of this advisory, that receives security fixes without feature changes and is common in enterprise fleets. Thunderbird is Mozilla's email and calendaring client; it is built on the same Gecko engine and its 128.x line tracks ESR 128, so browser-engine bugs like this one affect it as well.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A user on an unpatched build accepts a prompt whose displayed origin looks trustworthy and launches a locally installed application with an attacker-chosen URI. What happens next depends on that application: a handler that acts on its URI argument can be a path to code execution, malware installation, data theft or ransomware.

🟠

Likely Case

Phishing pages use the misleading origin to make the "open external application" prompt look like it comes from a site the user trusts, nudging them into launching handlers (mail clients, meeting software, custom app schemes) with attacker-controlled arguments, leading to credential theft or limited system compromise.

🟢

If Mitigated

On patched builds the prompt shows the true origin again, and the user still has to approve every handoff, so the residual risk is the ordinary one of a user clicking through a correctly labelled warning.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is technically simple but requires the victim to accept the external protocol handler prompt. No public proof of concept has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 132 or later; Firefox ESR 128.4 or later; Thunderbird 128.4 or later (128 line) or 132 or later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-55/

Restart Required: Yes

Instructions:

1. Open the affected application (Firefox or Thunderbird).
2. Open the menu → Help → About Firefox (or About Thunderbird).
3. The application checks for updates and installs them. Distribution-packaged builds on Linux do not self-update; update those through the package manager.
4. Restart when prompted, then confirm the version in the About dialog (ESR builds show an "esr" suffix, for example 128.4.0esr).

🔧 Temporary Workarounds

Disable external protocol handlers (all platforms)

Prevents Firefox/Thunderbird from passing a URL with an unlisted scheme to an external application, so a misleading prompt cannot end in a launch.

about:config → network.protocol-handler.external-default = false

Caveat: this also stops legitimate handoffs. Re-enable the individual schemes you need with network.protocol-handler.external.<scheme> = true (for example network.protocol-handler.external.mailto). For a fleet, put the same setting in the profile's user.js as user_pref("network.protocol-handler.external-default", false); rather than relying on each user to edit about:config.

Disable JavaScript (all platforms)

Prevents the data: URL iframe technique from executing, at the cost of breaking most of the web. This is a last resort; the first workaround is the proportionate one for a MEDIUM-severity issue.

about:config → javascript.enabled = false

🧯 If You Can't Patch

  • Web filtering cannot see the data: iframe itself (it is inline in the page and never becomes a request), so block or reputation-score the sites hosting the lure rather than expecting a filter to catch the technique
  • Educate users that an "open with external application" prompt is only as trustworthy as the page they are actually on, and to decline prompts they did not deliberately trigger

🔍 How to Verify

Check if Vulnerable:

Compare the version in the About dialog (menu → Help → About) against the fixed versions. Anything older than the fix on its own release line is vulnerable.

Check Version:

firefox --version
thunderbird --version

ESR builds report an "esr" suffix (for example Mozilla Firefox 128.4.0esr), which tells you which threshold applies.

Verify Fix Applied:

Version is at or above Firefox 132, Firefox ESR 128.4, Thunderbird 128.4 (128 line) or Thunderbird 132.
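The version gate as a script, added here as an example (not Mozilla's code or part of the original page): it parses the output of firefox --version / thunderbird --version and decides whether the build predates the fix for its release line. It assumes the output format "Mozilla Firefox 128.4.0esr" / "Thunderbird 128.3.3esr"; the thresholds are the advisory's, and any build on a line the advisory lists no fix for is conservatively reported as vulnerable.

```python
"""Version gate for CVE-2024-10460 (added example, not Mozilla's code).

Assumptions: `firefox --version` / `thunderbird --version` print a line such as
"Mozilla Firefox 128.4.0esr" or "Thunderbird 128.3.3esr"; the fixed versions
are the ones the advisory lists (Firefox 132, Firefox ESR 128.4, Thunderbird
128.4 and 132). Versions on lines with no listed fix are treated as vulnerable.
"""
import re
import subprocess

# Matches "Mozilla Firefox 131.0.3", "Mozilla Firefox 128.4.0esr", "Thunderbird 128.3.3esr"
VERSION_RE = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?",
    re.IGNORECASE,
)


def parse_version(output):
    """Return (product, (major, minor, patch), is_esr) from --version output."""
    m = VERSION_RE.match(output.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    product = m.group(1).lower()
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    return product, version, m.group(5) is not None


def is_vulnerable(output):
    """True if the reported build predates the fix for its release line.

    The 128.x line (Firefox ESR and Thunderbird 128) is fixed at 128.4; every
    other line is fixed at 132. An older series that the advisory lists no fix
    for (e.g. 115.x ESR) therefore comes out as vulnerable, which is the
    conservative reading.
    """
    _product, (major, minor, _patch), _esr = parse_version(output)
    if major == 128:
        return minor < 4
    return major < 132


def check_installed(binary):
    """Run `<binary> --version` and gate it; None if the binary is not runnable."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return {"binary": binary, "version": out.strip(), "vulnerable": is_vulnerable(out)}


if __name__ == "__main__":
    # Constructed sample outputs so the script demonstrates itself offline.
    for sample in ["Mozilla Firefox 131.0.3", "Mozilla Firefox 132.0",
                   "Mozilla Firefox 128.3.1esr", "Mozilla Firefox 128.4.0esr",
                   "Thunderbird 128.3.3esr", "Thunderbird 128.4.0esr"]:
        print(f"{sample:32} vulnerable={is_vulnerable(sample)}")
    for binary in ("firefox", "thunderbird"):
        result = check_installed(binary)
        print(result if result else f"{binary}: not found on PATH")
```

Run it on a host to gate the installed binaries; the version comparison is by release line rather than a single number because 128.4 is fixed while 131.0 is not.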

📡 Detection & Monitoring

Log Indicators:

  • Firefox and Thunderbird do not log external protocol prompts or iframe loads by default, so the useful indicators come from endpoint telemetry rather than the browser.
  • A process whose parent is firefox.exe or thunderbird.exe, that is not one of the browser's own helper processes (plugin-container.exe, updater.exe, crashreporter.exe and the like), and whose command line carries a URI with a scheme the browser does not render itself: that is what an accepted external protocol prompt looks like on the host.
  • Clusters of such launches shortly after visits to newly seen domains.

Network Indicators:

  • None specific to this bug. The data: URL is inline in the page and never appears on the wire as a request, so look for the hosting page instead (newly registered or lookalike domains, known phishing-kit infrastructure).

SIEM Query (illustrative, using Sysmon Event ID 1 field names; adapt to your schema):

ParentImage ENDSWITH "\firefox.exe" AND NOT Image IN ("*\plugin-container.exe", "*\updater.exe", "*\crashreporter.exe") AND CommandLine MATCHES "\b[a-z][a-z0-9+.-]+:"
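To make the host-side indicator concrete, here is an added detection example (not Mozilla's code or a vendor rule) that runs the heuristic over constructed Sysmon-style Event ID 1 records: a child of firefox.exe or thunderbird.exe, outside the browser's own helper processes, whose command line carries a URI with a scheme Gecko does not render itself. It assumes the handler is spawned as a direct child of the browser (the ShellExecute path on Windows); handlers started through COM activation show a different parent and are missed. The field names, allowlists and log lines are assumptions to tune for your fleet.

```python
"""Process-creation heuristic for external protocol handoffs (added example).

Not Mozilla's code and not a vendor detection. Assumes Sysmon-style Event ID 1
records (Image, ParentImage, CommandLine) and that the external handler is
launched as a direct child of the browser. The log lines are constructed.
"""
import json
import re

BROWSERS = {"firefox.exe", "thunderbird.exe"}

# Children the browser spawns on its own; anything else that receives a URI
# argument has the shape of an external protocol handoff. Tune per fleet.
EXPECTED_CHILDREN = {
    "firefox.exe", "thunderbird.exe", "plugin-container.exe", "updater.exe",
    "crashreporter.exe", "default-browser-agent.exe", "pingsender.exe",
}

# Schemes Gecko renders itself; a child carrying any other scheme was handed
# the URL through the external protocol handler prompt.
INTERNAL_SCHEMES = {
    "http", "https", "file", "about", "blob", "data", "javascript",
    "chrome", "resource", "moz-extension", "view-source",
}

# Schemes your fleet knowingly routes to an external application (tune this).
KNOWN_GOOD_SCHEMES = {"mailto", "tel"}

URI_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*):\S+")


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def external_scheme(cmdline):
    """First URI scheme in a command line that the browser does not render itself.

    Single-letter 'schemes' are Windows drive letters (C:\\...), not URIs.
    """
    for m in URI_RE.finditer(cmdline):
        scheme = m.group(1).lower()
        if len(scheme) == 1 or scheme in INTERNAL_SCHEMES:
            continue
        return scheme
    return None


def analyse(records):
    """Flag child processes of Firefox/Thunderbird that were handed a URI."""
    findings = []
    for r in records:
        parent = basename(r.get("ParentImage", ""))
        child = basename(r.get("Image", ""))
        if parent not in BROWSERS or child in EXPECTED_CHILDREN:
            continue
        scheme = external_scheme(r.get("CommandLine", ""))
        if scheme is None:
            continue
        findings.append({
            "scheme": scheme,
            "child": child,
            "parent": parent,
            "severity": "info" if scheme in KNOWN_GOOD_SCHEMES else "alert",
        })
    return findings


def load_jsonl(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed Sysmon-style records for the example (not real telemetry).
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\Mozilla Firefox\\plugin-container.exe", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\plugin-container.exe\" -childID 3 -isForBrowser"}
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\" -c IPM.Note /m \"mailto:alice@example.com\""}
{"Image": "C:\\Users\\bob\\AppData\\Local\\ExampleHandler\\handler.exe", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Users\\bob\\AppData\\Local\\ExampleHandler\\handler.exe\" \"examplehandler://launch?x=1\""}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\notes\\todo.txt"}
"""


if __name__ == "__main__":
    for f in analyse(load_jsonl(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['parent']} -> {f['child']} scheme={f['scheme']}")
```

On the sample, the helper process and the explorer-spawned notepad are ignored, the mailto: handoff to Outlook is reported as info because mail is an expected external handler, and the unknown examplehandler: scheme is raised as an alert. Expect to grow KNOWN_GOOD_SCHEMES quickly on a real fleet (meeting clients, ticketing tools) before the alert tier is quiet enough to act on.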

🔗 References

  • Mozilla Foundation Security Advisory 2024-55: https://www.mozilla.org/security/advisories/mfsa2024-55/