CVSS: 7.8EPSS: 0%CPEs: 35EXPL: 0CVE-2024-9394 – firefox: thunderbird: Cross-origin access to JSON contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9394
01 Oct 2024 — An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 35EXPL: 0CVE-2024-9393 – firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9393
01 Oct 2024 — An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-346: Origin Validation Error •
CVSS: 9.8EPSS: 0%CPEs: 34EXPL: 0CVE-2024-9392 – firefox: thunderbird: Compromised content process can bypass site isolation
https://notcve.org/view.php?id=CVE-2024-9392
01 Oct 2024 — A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. The Mozilla Foundation's Security Advisory: A compromised content process could allow for the arbitrary loading of cross-origin pages. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially ex... • https://bugzilla.mozilla.org/show_bug.cgi?id=1905843 • CWE-346: Origin Validation Error •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-47480
https://notcve.org/view.php?id=CVE-2023-47480
20 Sep 2024 — An issue in Pure Data 0.54-0 and fixed in 0.54-1 allows a local attacker to escalate privileges via the set*id () function. • https://puredata.info • CWE-252: Unchecked Return Value •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-7788 – Signatures in "repair mode" should not be trusted
https://notcve.org/view.php?id=CVE-2024-7788
17 Sep 2024 — Improper Digital Signature Invalidation vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before < 24.2.5. It was discovered that LibreOffice would incorrectly handle digital signature verification after repairing a corrupted document. A remote attacker could possibly use this issue to forge valid signatures. • https://www.libreoffice.org/about-us/security/advisories/CVE-2024-7788 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 10.0EPSS: 0%CPEs: 35EXPL: 0CVE-2024-44187 – webkitgtk: A malicious website may exfiltrate data cross-origin
https://notcve.org/view.php?id=CVE-2024-44187
16 Sep 2024 — A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin. A vulnerability was found in WebKit. • https://support.apple.com/en-us/121238 • CWE-346: Origin Validation Error •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-40866 – webkitgtk: Visiting a malicious website may lead to address bar spoofing
https://notcve.org/view.php?id=CVE-2024-40866
16 Sep 2024 — The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing. A flaw was found in WebKit. This flaw allows a remote attacker to conduct spoofing attacks by exploiting an inconsistent user interface issue. • https://support.apple.com/en-us/121238 •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-8775 – Ansible-core: exposure of sensitive information in ansible vault files due to improper logging
https://notcve.org/view.php?id=CVE-2024-8775
14 Sep 2024 — A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions. An ... • https://access.redhat.com/security/cve/CVE-2024-8775 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45751 – Ubuntu Security Notice USN-7024-1
https://notcve.org/view.php?id=CVE-2024-45751
06 Sep 2024 — tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical. It was discovered that tgt attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical. • https://github.com/fujita/tgt/compare/v1.0.92...v1.0.93 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 10.0EPSS: 0%CPEs: 36EXPL: 0CVE-2024-8384 – mozilla: Garbage collection could mis-color cross-compartment objects in OOM conditions
https://notcve.org/view.php?id=CVE-2024-8384
03 Sep 2024 — The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. • https://bugzilla.mozilla.org/show_bug.cgi?id=1911288 • CWE-416: Use After Free CWE-787: Out-of-bounds Write •