
CVE-2024-11694 – firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims
https://notcve.org/view.php?id=CVE-2024-11694
26 Nov 2024 — Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1924167 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-11693
https://notcve.org/view.php?id=CVE-2024-11693
26 Nov 2024 — The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1921458

CVE-2024-11702
https://notcve.org/view.php?id=CVE-2024-11702
26 Nov 2024 — Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. This vulnerability affects Firefox < 133 and Thunderbird < 133. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918884 • CWE-838: Inappropriate Encoding for Output Context

CVE-2024-11701 – Ubuntu Security Notice USN-7134-1
https://notcve.org/view.php?id=CVE-2024-11701
26 Nov 2024 — The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133 and Thunderbird < 133. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1914797 • CWE-290: Authentication Bypass by Spoofing

CVE-2024-11692 – firefox: thunderbird: Select list elements could be shown over another site
https://notcve.org/view.php?id=CVE-2024-11692
26 Nov 2024 — An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1909535 • CWE-290: Authentication Bypass by Spoofing • CWE-451: User Interface (UI) Misrepresentation of Critical Information

CVE-2024-11700 – Gentoo Linux Security Advisory 202501-10
https://notcve.org/view.php?id=CVE-2024-11700
26 Nov 2024 — Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133. • https://bugzilla.mozilla.org/show_bug.cgi?id=1836921 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVE-2024-11691
https://notcve.org/view.php?id=CVE-2024-11691
26 Nov 2024 — Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. • https://bugzilla.mozilla.org/show_bug.cgi?id=1914707 • CWE-787: Out-of-bounds Write

CVE-2024-11159 – thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message
https://notcve.org/view.php?id=CVE-2024-11159
13 Nov 2024 — Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird < 128.4.3 and Thunderbird < 132.0.1. An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and R... • https://bugzilla.mozilla.org/show_bug.cgi?id=1925929 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-312: Cleartext Storage of Sensitive Information

CVE-2024-10468 – Gentoo Linux Security Advisory 202412-06
https://notcve.org/view.php?id=CVE-2024-10468
29 Oct 2024 — Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132 and Thunderbird < 132. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1914982 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-10467 – firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
https://notcve.org/view.php?id=CVE-2024-10467
29 Oct 2024 — Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1829029%2C1888538%2C1900394%2C1904059%2C1917742%2C1919809%2C1923706 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') • CWE-125: Out-of-bounds Read