Impact
This vulnerability allows an attacker to bypass the same‑origin policy in the Networking: Cookies component. By exploiting the flaw, the attacker can read cookies that normally belong to a different website domain, potentially enabling session hijacking or the theft of user data. The weakness is classified as CWE‑346, which denotes an authentication bypass that is enabled by a user‑controlled key.
Affected Systems
The affected software includes Mozilla Firefox versions prior to 152 and Firefox ESR 140.12, as well as Mozilla Thunderbird prior to 152 and Thunderbird ESR 140.12. All installations of these browsers that have not applied the available update are vulnerable.
Risk and Exploitability
The CVSS score of 9.1 indicates a severe risk, yet the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is client‑side; an attacker would need to deliver malicious content or scripts that trigger the cookie lookup logic. While the flaw does not grant direct code execution, the ability to read cross‑origin cookies can lead to significant confidentiality breaches if an attacker obtains session tokens or other sensitive data.
OpenCVE Enrichment
Debian DLA
Debian DSA