ISN 2024-22: Firefox ESR Vulnerabilities
First published 6 November 2024
CVSS 3.1: 8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Summary
Security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. They affect the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
It has been discovered that a permission leak is possible from a trusted site to an untrusted site via embed or object elements. This is rated as high and tracked as CVE-2024-10458.
Another issue rated as high concerns the accessibility mode: when it is enabled, an attacker could cause a use-after-free, leading to a crash that could potentially be exploited (CVE-2024-10459).
Update Instructions
OS 12: Update to the IGEL OS app with Firefox ESR version 115.17 as soon as it is available from the IGEL App Portal.
OS 11: IGEL is preparing an updated version of OS 11 with the security fix for Firefox ESR.