Cyber Resilience

CVE-2024-8897

Medium

Published: 17 September 2024

Published
17 September 2024
Modified
19 March 2025
KEV Added
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.1183 93.9th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8897 is a medium-severity Open Redirect (CWE-601) vulnerability in Mozilla Firefox. Its CVSS base score is 6.1 (Medium).

Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-8897 is an open redirect flaw that permits address bar spoofing in Firefox for Android versions prior to 130.0.1. The vulnerability, tracked under CWE-601, allows a malicious site to appear to share the same URL as a trusted site when an attacker can chain an open redirect on the trusted domain. It carries a CVSS 3.1 score of 6.1 and does not affect desktop Firefox or other Mozilla products.

An attacker who can induce a victim to follow a crafted link that triggers the open redirect may spoof the displayed URL, potentially facilitating phishing by making a malicious page masquerade as content from the trusted origin. Exploitation requires user interaction via a redirect and network-level reachability, but no authentication or special privileges on the target device.

Mozilla's advisory MFSA2024-45 and the associated Bugzilla entry confirm that the issue is resolved in Firefox for Android 130.0.1; users are advised to update promptly. The EPSS score remains flat at 0.1183 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to…

more

appear to have the same URL as the trusted site. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 130.0.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla
firefox
≤ 130.0.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

References