The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-7ade906120 advisory.

    Update to 115.11.0

    * https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/
    * https://www.thunderbird.net/en-US/thunderbird/115.11.0/releasenotes/
    * https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
    * https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:3783 advisory.

    Mozilla Firefox is an open-source web browser, designed for standards     compliance, performance, and portability.

    This update upgrades Firefox to version 115.11.0 ESR.

    Security Fix(es):

    * firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)

    * firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)

    * firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)

    * firefox: Cross-origin responses could be distinguished between script and     non-script content-types (CVE-2024-4769)

    * firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)

    * firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and     Thunderbird 115.11 (CVE-2024-4777)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-3784 advisory.

    [115.11.0-1.0.1]
    - Add Oracle prefs file

    [115.11.0-1]
    - Update to 115.11.0 build2

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of thunderbird installed on the remote host is prior to 115.11.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2561 advisory.

    A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

    If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly     deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability     affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4767)

    A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user     into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4768)

    When importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses.  This could have been abused to learn     information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4769)

    When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This     vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4770)

    Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and     Thunderbird < 115.11. (CVE-2024-4777)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-5742 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5742-1                   security@debian.org     https://www.debian.org/security/                       Sebastien Delafond     August 08, 2024                       https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : odoo     CVE ID         : CVE-2024-4367     Debian Bug     : 1074228

    A vulnerability was discovered in odoo, a suite of web based open     source business apps. It could result in the execution of arbitrary     code.

    For the oldstable distribution (bullseye), this problem has been fixed     in version 14.0.0+dfsg.2-7+deb11u2.

    For the stable distribution (bookworm), this problem has been fixed in     version $bookworm_VERSION.

    We recommend that you upgrade your odoo packages.

    For the detailed security status of odoo please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/odoo

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:2913 advisory.

  - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

  - If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly     deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability     affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4767)

  - A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user     into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4768)

  - When importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses. This could have been abused to learn     information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4769)

  - When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This     vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4770)

  - Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and     Thunderbird < 115.11. (CVE-2024-4777)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-98205 advisory.

  - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5691 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5691-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 15, 2024                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : firefox-esr     CVE ID         : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769                      CVE-2024-4770 CVE-2024-4777

    Multiple security issues have been found in the Mozilla Firefox web     browser, which could potentially result in the execution of arbitrary     code or clickjacking.

    For the oldstable distribution (bullseye), these problems have been fixed     in version 115.11.0esr-1~deb11u1.

    For the stable distribution (bookworm), these problems have been fixed in     version 115.11.0esr-1~deb12u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
198108	Fedora 40 : thunderbird (2024-7ade906120)	Nessus	Fedora Local Security Checks	5/30/2024	1/23/2025	high
200269	RHEL 8 : firefox (RHSA-2024:3783)	Nessus	Red Hat Local Security Checks	6/10/2024	1/23/2025	high
200370	Oracle Linux 8 : thunderbird (ELSA-2024-3784)	Nessus	Oracle Linux Local Security Checks	6/11/2024	1/23/2025	high
200384	Amazon Linux 2 : thunderbird (ALAS-2024-2561)	Nessus	Amazon Linux Local Security Checks	6/12/2024	1/23/2025	high
205208	Debian dsa-5742 : odoo-14 - security update	Nessus	Debian Local Security Checks	8/8/2024	1/23/2025	high
208551	CentOS 7 : thunderbird (RHSA-2024:2913)	Nessus	CentOS Local Security Checks	10/9/2024	1/23/2025	high
209247	Atlassian Confluence 3.0.x < 7.19.25 / 7.20.x < 8.5.11 / 8.6.x < 8.9.3 (CONFSERVER-98205)	Nessus	CGI abuses	10/17/2024	1/23/2025	high
197091	Debian dsa-5691 : firefox-esr - security update	Nessus	Debian Local Security Checks	5/15/2024	1/23/2025	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high