6.5
CVE-2024-11706 - firefox: thunderbird: Null Pointer Dereference in PKCS#12 Utility
A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files. This vulnerability affects Firefox < 133 and Thunderbird < 133.
9.8
CVE-2024-11698 - firefox: thunderbird: Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions like pressing "Esc" or accessing right-click m…
5.4
CVE-2024-11696 - firefox: thunderbird: Unhandled Exception in Add-on Signature Verification
The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the…
9.8
CVE-2024-11704 - firefox: thunderbird: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox E…
8.8
CVE-2024-11697 - firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
5.7
CVE-2024-11703 - firefox: thunderbird: Password access without authentication via PIN bypass on Android
On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133.
5.4
CVE-2024-11695 - firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
6.1
CVE-2024-11694 - firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability a…
7.5
CVE-2024-11702 - firefox: thunderbird: Inadequate Clipboard Protection in Private Browsing Mode on Android
Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. This vulnerability affects Firefox < 133 and Thunderbird < 133.
9.8
CVE-2024-11693 - firefox: thunderbird: Download Protections were bypassed by .library-ms files on Windows
The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.