
CVE-2024-11858 – Radare2: command injection via pebble application files in radare2
https://notcve.org/view.php?id=CVE-2024-11858
15 Dec 2024 — A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing. • https://bugzilla.redhat.com/show_bug.cgi?id=2329102 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-55566
https://notcve.org/view.php?id=CVE-2024-55566
09 Dec 2024 — ColPack 1.0.10 through 9a7293a has a predictable temporary file (located under /tmp with a name derived from an unseeded RNG). The impact can be overwriting files or making ColPack graphing unavailable to other users. • https://bugzilla.suse.com/show_bug.cgi?id=1225617 • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) •

CVE-2024-52337 – Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method
https://notcve.org/view.php?id=CVE-2024-52337
26 Nov 2024 — A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged str... • https://access.redhat.com/errata/RHSA-2024:10381 • CWE-20: Improper Input Validation •

CVE-2024-52336 – Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root
https://notcve.org/view.php?id=CVE-2024-52336
26 Nov 2024 — A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local pr... • https://access.redhat.com/errata/RHSA-2024:10384 • CWE-269: Improper Privilege Management •

CVE-2024-11705 – Ubuntu Security Notice USN-7134-1
https://notcve.org/view.php?id=CVE-2024-11705
26 Nov 2024 — `NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows `phKey` to be NULL for certain mechanisms. This vulnerability affects Firefox < 133 and Thunderbird < 133. Multiple security issues were discovered in Firefox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1921768 • CWE-476: NULL Pointer Dereference •

CVE-2024-11698 – SUSE Security Advisory - SUSE-SU-2024:4086-1
https://notcve.org/view.php?id=CVE-2024-11698
26 Nov 2024 — A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions like pressing "Esc" or accessing right-click menus, resulting in a disrupted browsing experience until the browser is restarted. *This bug only affects the application when running on macOS. Other operating systems are unaffected.* This vulnerability affects ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1916152 •

CVE-2024-11704 – Gentoo Linux Security Advisory 202501-10
https://notcve.org/view.php?id=CVE-2024-11704
26 Nov 2024 — A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133 and Thunderbird < 133. • https://bugzilla.mozilla.org/show_bug.cgi?id=1899402 • CWE-415: Double Free •

CVE-2024-11696 – firefox: thunderbird: Unhandled Exception in Add-on Signature Verification
https://notcve.org/view.php?id=CVE-2024-11696
26 Nov 2024 — The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with... • https://bugzilla.mozilla.org/show_bug.cgi?id=1929600 • CWE-347: Improper Verification of Cryptographic Signature CWE-354: Improper Validation of Integrity Check Value •

CVE-2024-11703 – openSUSE Security Advisory - openSUSE-SU-2024:14583-1
https://notcve.org/view.php?id=CVE-2024-11703
26 Nov 2024 — On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133. These are all security issues fixed in the MozillaFirefox-133.0.3-1.1 package on the GA media of openSUSE Tumbleweed. • https://bugzilla.mozilla.org/show_bug.cgi?id=1928779 • CWE-522: Insufficiently Protected Credentials •

CVE-2024-11694 – firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims
https://notcve.org/view.php?id=CVE-2024-11694
26 Nov 2024 — Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1924167 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •