CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2024-11704 – Gentoo Linux Security Advisory 202501-10
https://notcve.org/view.php?id=CVE-2024-11704
26 Nov 2024 — A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133 and Thunderbird < 133. A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory co... • https://bugzilla.mozilla.org/show_bug.cgi?id=1899402 • CWE-415: Double Free •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11697 – firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog
https://notcve.org/view.php?id=CVE-2024-11697
26 Nov 2024 — When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1842187 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-356: Product UI does not Warn User of Unsafe Actions •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11696 – firefox: thunderbird: Unhandled Exception in Add-on Signature Verification
https://notcve.org/view.php?id=CVE-2024-11696
26 Nov 2024 — The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with... • https://bugzilla.mozilla.org/show_bug.cgi?id=1929600 • CWE-347: Improper Verification of Cryptographic Signature CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11695 – firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
https://notcve.org/view.php?id=CVE-2024-11695
26 Nov 2024 — A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing at... • https://bugzilla.mozilla.org/show_bug.cgi?id=1925496 • CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.4EPSS: 0%CPEs: 33EXPL: 0CVE-2024-11694 – firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims
https://notcve.org/view.php?id=CVE-2024-11694
26 Nov 2024 — Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and D... • https://bugzilla.mozilla.org/show_bug.cgi?id=1924167 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11693
https://notcve.org/view.php?id=CVE-2024-11693
26 Nov 2024 — The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1921458 •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11692 – firefox: thunderbird: Select list elements could be shown over another site
https://notcve.org/view.php?id=CVE-2024-11692
26 Nov 2024 — An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. Multiple security is... • https://bugzilla.mozilla.org/show_bug.cgi?id=1909535 • CWE-290: Authentication Bypass by Spoofing CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2024-11691
https://notcve.org/view.php?id=CVE-2024-11691
26 Nov 2024 — Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruptio... • https://bugzilla.mozilla.org/show_bug.cgi?id=1914707 • CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 31EXPL: 0CVE-2024-10467 – firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
https://notcve.org/view.php?id=CVE-2024-10467
29 Oct 2024 — Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox 131, Firefox ESR 128.... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1829029%2C1888538%2C1900394%2C1904059%2C1917742%2C1919809%2C1923706 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 31EXPL: 0CVE-2024-10466 – firefox: DOM push subscription message could hang Firefox
https://notcve.org/view.php?id=CVE-2024-10466
29 Oct 2024 — By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. The Mozilla Foundation's Security Advisory: By sending a specially crafted push message, a remote server could hang the parent process, causing the browser to become unresponsive. Multiple security issues were discovered in Firefox. If a user were tricked into ope... • https://bugzilla.mozilla.org/show_bug.cgi?id=1924154 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-400: Uncontrolled Resource Consumption •