CVSS: 7.8EPSS: 0%CPEs: 31EXPL: 0CVE-2024-9399 – firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service
https://notcve.org/view.php?id=CVE-2024-9399
01 Oct 2024 — A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. The Mozilla Foundation's Security Advisory: A website configured to initiate a specially crafted WebTransport session could crash the Firefox process, leading to a denial of service condition. Gentoo Linux Security Advisory 202412-6 - Multiple vulnerabiliti... • https://bugzilla.mozilla.org/show_bug.cgi?id=1907726 • CWE-404: Improper Resource Shutdown or Release CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0CVE-2024-9398 – firefox: thunderbird: External protocol handlers could be enumerated via popups
https://notcve.org/view.php?id=CVE-2024-9398
01 Oct 2024 — By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. The Mozilla Foundation's Security Advisory: By checking the result of calls to window.open with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handl... • https://bugzilla.mozilla.org/show_bug.cgi?id=1881037 • CWE-203: Observable Discrepancy •
CVSS: 6.4EPSS: 0%CPEs: 31EXPL: 0CVE-2024-9397 – firefox: thunderbird: Potential directory upload bypass via clickjacking
https://notcve.org/view.php?id=CVE-2024-9397
01 Oct 2024 — A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. Multiple vulnerab... • https://bugzilla.mozilla.org/show_bug.cgi?id=1916659 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 32EXPL: 0CVE-2024-9396 – firefox: thunderbird: Potential memory corruption may occur when cloning certain objects
https://notcve.org/view.php?id=CVE-2024-9396
01 Oct 2024 — It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: It is currently unknown if this issue is exploitable, but a condition may arise where the structured clone of certain objects could lead to mem... • https://bugzilla.mozilla.org/show_bug.cgi?id=1912471 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 33EXPL: 0CVE-2024-9394 – firefox: thunderbird: Cross-origin access to JSON contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9394
01 Oct 2024 — An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 33EXPL: 0CVE-2024-9393 – firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9393
01 Oct 2024 — An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-346: Origin Validation Error •
CVSS: 9.8EPSS: 0%CPEs: 34EXPL: 0CVE-2024-9392 – firefox: thunderbird: Compromised content process can bypass site isolation
https://notcve.org/view.php?id=CVE-2024-9392
01 Oct 2024 — A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. The Mozilla Foundation's Security Advisory: A compromised content process could allow for the arbitrary loading of cross-origin pages. Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. Versions greater than or... • https://bugzilla.mozilla.org/show_bug.cgi?id=1905843 • CWE-346: Origin Validation Error •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-21489 – uplot: Prototype Pollution in uplot
https://notcve.org/view.php?id=CVE-2024-21489
01 Oct 2024 — Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype. A flaw was found in uPlot. This vulnerability allows prototype pollution via the uplot.assign function due to missing checks for attributes that resolve to the object prototype. • https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 5.9EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38796 – Integer overflow in PeCoffLoaderRelocateImage
https://notcve.org/view.php?id=CVE-2024-38796
27 Sep 2024 — EDK2 contains a vulnerability in the PeCoffLoaderRelocateImage(). An Attacker may cause memory corruption due to an overflow via an adjacent network. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability. A flaw was found in the EDK2 package. This flaw allows an attacker to cause memory corruption due to an overflow via an adjacent network. • https://github.com/tianocore/edk2/security/advisories/GHSA-xpcr-7hjq-m6qm • CWE-122: Heap-based Buffer Overflow •
CVSS: 4.4EPSS: 0%CPEs: 16EXPL: 0CVE-2024-45770 – Pcp: pmpost symlink attack allows escalating pcp to root user
https://notcve.org/view.php?id=CVE-2024-45770
19 Sep 2024 — A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges. Se encontró una vulnerabilidad en Performance Co-Pilot (PCP). • https://access.redhat.com/errata/RHSA-2024:6837 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •