A vulnerability, which was classified as problematic, was found in Mozilla Firefox up to 122 (Web Browser). This affects an unknown functionality of the component Response Header Handler. The manipulation of the argument Set-Cookie with an unknown input leads to a response splitting vulnerability. CWE is classifying the issue as CWE-443. This weakness can be found at CWE-113. This is going to have an impact on integrity. The summary by CVE is:

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123 and Firefox ESR < 115.8.

The weakness was shared 02/20/2024. It is possible to read the advisory at mozilla.org. This vulnerability is uniquely identified as CVE-2024-1551 since 02/15/2024. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/20/2024).

Upgrading to version 123 eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

The entries VDB-254192, VDB-254194, VDB-254195 and VDB-254196 are related to this item.

Productinfo

Type

• Web Browser

Vendor

• Mozilla

Name

• Firefox

Version

• 122

License

• open-source

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion