CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

26 Nov 2024 — On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133. These are all security issues fixed in the MozillaFirefox-133.0.3-1.1 package on the GA media of openSUSE Tumbleweed. • https://bugzilla.mozilla.org/show_bug.cgi?id=1928779 • CWE-522: Insufficiently Protected Credentials •

CVSS: 6.4 | EPSS: 0% | CPEs: 35 | EXPL: 0

26 Nov 2024 — Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1924167 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

26 Nov 2024 — Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. This vulnerability affects Firefox < 133 and Thunderbird < 133. These are all security issues fixed in the MozillaFirefox-133.0.3-1.1 package on the GA media of openSUSE Tumbleweed. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918884 • CWE-838: Inappropriate Encoding for Output Context •

CVSS: 10.0 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Nov 2024 — The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133 and Thunderbird < 133. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1914797 • CWE-290: Authentication Bypass by Spoofing •

CVSS: 8.8 | EPSS: 0% | CPEs: 17 | EXPL: 0

26 Nov 2024 — Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1914707 • CWE-787: Out-of-bounds Write •

CVSS: 10.0 | EPSS: 1% | CPEs: 28 | EXPL: 0

24 Nov 2024 — virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287. A flaw was found in the virtualenv Python package. Due to the improper handling of quotes in magic template strings, the virtual environment activation script is vulnerable to OS command injection, leading to the loss of confidentiality, integrity and availability of the system. • https://github.com/pypa/virtualenv/issues/2768 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

20 Nov 2024 — - Update the rustls crate to version 0.23.17. - Update the zlib-rs crate to version 0.4.0. The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs. •

CVSS: 6.5 | EPSS: 0% | CPEs: 17 | EXPL: 0

12 Nov 2024 — The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be att... • https://xenbits.xenproject.org/xsa/advisory-463.html • CWE-667: Improper Locking •

CVSS: 5.5 | EPSS: 0% | CPEs: 15 | EXPL: 0

12 Nov 2024 — PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents. • https://xenbits.xenproject.org/xsa/advisory-464.html • CWE-276: Incorrect Default Permissions •

CVSS: 10.0 | EPSS: 1% | CPEs: 27 | EXPL: 0

11 Nov 2024 — gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. A flaw was found in the GLib library. A buffer overflow condition can be triggered in certain conditions due to an off-by-one error in SOCKS4_CONN_MSG_LEN. This issue may lead to an application crash or other undefined behavior. This update for glib2 fixes the following issues. • https://gitlab.gnome.org/GNOME/glib/-/issues/3461 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') • CWE-193: Off-by-one Error •