CVE-2024-8897
Published: 17 September 2024
Summary
CVE-2024-8897 is a medium-severity Open Redirect (CWE-601) vulnerability in Mozilla Firefox. Its CVSS base score is 6.1 (Medium).
Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-8897 is an open redirect flaw that permits address bar spoofing in Firefox for Android versions prior to 130.0.1. The vulnerability, tracked under CWE-601, allows a malicious site to appear to share the same URL as a trusted site when an attacker can chain an open redirect on the trusted domain. It carries a CVSS 3.1 score of 6.1 and does not affect desktop Firefox or other Mozilla products.
An attacker who can induce a victim to follow a crafted link that triggers the open redirect may spoof the displayed URL, potentially facilitating phishing by making a malicious page masquerade as content from the trusted origin. Exploitation requires user interaction via a redirect and network-level reachability, but no authentication or special privileges on the target device.
Mozilla's advisory MFSA2024-45 and the associated Bugzilla entry confirm that the issue is resolved in Firefox for Android 130.0.1; users are advised to update promptly. The EPSS score remains flat at 0.1183 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49463
Vulnerability details
Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to…
more
appear to have the same URL as the trusted site. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 130.0.1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.