7.5
CVE-2024-9399 - firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service
A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
5.3
CVE-2024-9398 - firefox: thunderbird: External protocol handlers could be enumerated via popups
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
8.8
CVE-2024-9400 - firefox: thunderbird: Potential memory corruption during JIT compilation
A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
8.8
CVE-2024-9396 - firefox: thunderbird: Potential memory corruption may occur when cloning certain objects
It is currently unknown if this issue is exploitable, but a condition may arise where the structured clone of certain objects could lead to memory corruption. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
6.1
CVE-2024-9394 - firefox: thunderbird: Cross-origin access to JSON contents through multipart responses
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full …
7.5
CVE-2024-9393 - firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cro…
9.8
CVE-2024-9392 - firefox: thunderbird: Compromised content process can bypass site isolation
A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
7.1
CVE-2024-41673 - Decidim has a cross-site scripting vulnerability in the version control page
Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8.
7.5
CVE-2024-45408 - eLabFTW contains a direct and indirect information disclosure
eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyon…
8.6
CVE-2024-25632 - Unauthorised granting of administrator privileges over arbitrary teams under certain circumstances
eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerab…