Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5,
Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11699)
- Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and
memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M
series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR <
128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
(CVE-2024-11691)
- An attacker could cause a select dropdown to be shown over another tab; this could have led to user
confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5,
Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11692)
- The executable file warning was not presented when downloading .library-ms files. *Note: This issue only
affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects
Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11693)
- Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and
DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have
exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox <
133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird <
115.18. (CVE-2024-11694)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 11/25/2024