CVE-2024-10462

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to spoof website origins in permission prompts by truncating long URLs, potentially tricking users into granting permissions to malicious sites. It affects Firefox, Firefox ESR, and Thunderbird users running outdated versions.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, Thunderbird < 132
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could impersonate legitimate websites in permission prompts, leading users to grant sensitive permissions (like location, camera, microphone) to malicious sites.

🟠

Likely Case

Users might be tricked into granting permissions to spoofed websites, potentially exposing sensitive data or enabling further attacks.

🟢

If Mitigated

With updated browsers and user awareness, the risk is minimal as the vulnerability is patched and users can verify URLs before granting permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking permission prompts) but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 132+, Firefox ESR 128.4+, Thunderbird 128.4+, Thunderbird 132+

Vendor Advisory: https://www.mozilla.org/security/advisories/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Go to Settings/Preferences > General/About.
3. Allow automatic update or manually download the latest version from mozilla.org.
4. Restart the application.

🔧 Temporary Workarounds

Disable automatic permission grants (applies to: all platforms)

Configure browsers to require explicit user approval for all permission requests.

🧯 If You Can't Patch

  • Educate users to carefully inspect full URLs in permission prompts before granting access
  • Implement network filtering to block known malicious domains

🔍 How to Verify

Check if Vulnerable:

Check browser version in Settings/Preferences > General/About and compare with affected versions.

Check Version:

Run firefox --version or thunderbird --version from the command line and compare the reported version against the affected ranges above.

Verify Fix Applied:

Confirm version is Firefox 132+, Firefox ESR 128.4+, Thunderbird 128.4+, or Thunderbird 132+.
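The version comparison above can be scripted. The following is an added example (not part of the advisory card or any Mozilla tooling) that parses the output of firefox --version or thunderbird --version and applies the fixed-version thresholds stated on this page: 132 for mainline builds and 128.4 for the ESR / 128 branch. It assumes the usual "Mozilla Firefox 128.3.0esr" output format and treats the "esr" suffix, or a Thunderbird 128.x major version, as the ESR branch.

```python
import re
import subprocess

# Fixed versions as stated in this advisory card.
FIX_MAINLINE = (132, 0)   # Firefox / Thunderbird mainline: fixed in 132
FIX_ESR = (128, 4)        # Firefox ESR / Thunderbird 128 branch: fixed in 128.4

# Matches e.g. "Mozilla Firefox 128.3.0esr", "Mozilla Firefox 131.0.3", "Thunderbird 131.0".
# Assumed output format; adjust if a build prints something different.
VERSION_RE = re.compile(
    r"(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE
)


def parse_version(output: str):
    """Return (product, major, minor, is_esr) parsed from a --version line."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    product = m.group(1).lower()
    major, minor = int(m.group(2)), int(m.group(3))
    is_esr = m.group(5) is not None
    return product, major, minor, is_esr


def is_vulnerable(output: str) -> bool:
    """True if the reported version is below the fixed version for its branch."""
    product, major, minor, is_esr = parse_version(output)
    # ESR builds, and Thunderbird's 128 branch, are judged against 128.4;
    # everything else is judged against 132.
    on_esr_branch = is_esr or (product == "thunderbird" and major == 128)
    threshold = FIX_ESR if on_esr_branch else FIX_MAINLINE
    return (major, minor) < threshold


def check_installed(binary: str) -> bool:
    """Run `<binary> --version` on this host and evaluate the result."""
    proc = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return is_vulnerable(proc.stdout)


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        try:
            print(name, "VULNERABLE" if check_installed(name) else "patched")
        except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
            print(name, "could not determine:", exc)
```

Note that Firefox ESR 115.x is reported as vulnerable because it is below 128.4, which matches the affected range stated on the card.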

📡 Detection & Monitoring

Log Indicators:

  • Unusual permission grants to domains with truncated URLs
  • Multiple permission requests from similar-looking domains

Network Indicators:

  • Requests to domains with unusually long URLs that get truncated

SIEM Query:

source="browser_logs" AND event="permission_granted" AND url_length>100
