The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:2903 advisory.

    Mozilla Thunderbird is a standalone mail and newsgroup client.

    This update upgrades Thunderbird to version 115.11.0.

    Security Fix(es):

    * firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)

    * firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)

    * firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)

    * firefox: Cross-origin responses could be distinguished between script and     non-script content-types (CVE-2024-4769)

    * firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)

    * firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and     Thunderbird 115.11 (CVE-2024-4777)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:3338 advisory.

    Mozilla Thunderbird is a standalone mail and newsgroup client.

    This update upgrades Thunderbird to version 115.11.0.

    Security Fix(es):

    * Mozilla: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)

    * Mozilla: IndexedDB files retained in private browsing mode (CVE-2024-4767)

    * Mozilla: Potential permissions request bypass via clickjacking (CVE-2024-4768)

    * Mozilla: Cross-origin responses could be distinguished between script and non-script content-types     (CVE-2024-4769)

    * Mozilla: Use-after-free could occur when printing to PDF (CVE-2024-4770)

    * Mozilla: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11     (CVE-2024-4777)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5d7c339890 advisory.

    Update to 115.11.0

    * https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/
    * https://www.thunderbird.net/en-US/thunderbird/115.11.0/releasenotes/

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-7ade906120 advisory.

    Update to 115.11.0

    * https://www.mozilla.org/en-US/security/advisories/mfsa2024-23/
    * https://www.thunderbird.net/en-US/thunderbird/115.11.0/releasenotes/
    * https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
    * https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:3783 advisory.

    Mozilla Firefox is an open-source web browser, designed for standards     compliance, performance, and portability.

    This update upgrades Firefox to version 115.11.0 ESR.

    Security Fix(es):

    * firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)

    * firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)

    * firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)

    * firefox: Cross-origin responses could be distinguished between script and     non-script content-types (CVE-2024-4769)

    * firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)

    * firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and     Thunderbird 115.11 (CVE-2024-4777)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-3784 advisory.

    [115.11.0-1.0.1]
    - Add Oracle prefs file

    [115.11.0-1]
    - Update to 115.11.0 build2

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of thunderbird installed on the remote host is prior to 115.11.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2561 advisory.

    A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

    If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly     deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability     affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4767)

    A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user     into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4768)

    When importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses.  This could have been abused to learn     information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4769)

    When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This     vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4770)

    Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and     Thunderbird < 115.11. (CVE-2024-4777)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-5742 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5742-1                   security@debian.org     https://www.debian.org/security/                       Sebastien Delafond     August 08, 2024                       https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : odoo     CVE ID         : CVE-2024-4367     Debian Bug     : 1074228

    A vulnerability was discovered in odoo, a suite of web based open     source business apps. It could result in the execution of arbitrary     code.

    For the oldstable distribution (bullseye), this problem has been fixed     in version 14.0.0+dfsg.2-7+deb11u2.

    For the stable distribution (bookworm), this problem has been fixed in     version $bookworm_VERSION.

    We recommend that you upgrade your odoo packages.

    For the detailed security status of odoo please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/odoo

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:2913 advisory.

  - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

  - If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly     deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability     affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4767)

  - A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user     into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4768)

  - When importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses. This could have been abused to learn     information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4769)

  - When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This     vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4770)

  - Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and     Thunderbird < 115.11. (CVE-2024-4777)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-98205 advisory.

  - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 2 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0148 advisory.

    Package updates are available for TencentOS Server 2 that fix the following vulnerabilities:

    CVE-2024-4367:
    A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A     type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in     the PDF.js context.

    CVE-2024-4767:
    A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: If     the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted     when the window was closed. This preference is disabled by default in Firefox.

    CVE-2024-4768:
    A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A     bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into     granting permissions.

    CVE-2024-4769:
    A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: When     importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses. This could have been abused to learn     information cross-origin.

    CVE-2024-4770:
    A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: When     saving a page to PDF, certain font styles could have led to a potential use-after-free crash.

    CVE-2024-4777:
    A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows:
    Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption, and we presume that with enough effort, some of these could have     been exploited to run arbitrary code.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0424 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-4367:
    A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11.

    CVE-2024-4767:
    If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly     deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability     affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

    CVE-2024-4768:
    A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user     into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11.

    CVE-2024-4769:
    When importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses.  This could have been abused to learn     information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11.

    CVE-2024-4770:
    When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This     vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

    CVE-2024-4777:
    Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and     Thunderbird < 115.11.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5691 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5691-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 15, 2024                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : firefox-esr     CVE ID         : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769                      CVE-2024-4770 CVE-2024-4777

    Multiple security issues have been found in the Mozilla Firefox web     browser, which could potentially result in the execution of arbitrary     code or clickjacking.

    For the oldstable distribution (bullseye), these problems have been fixed     in version 115.11.0esr-1~deb11u1.

    For the stable distribution (bookworm), these problems have been fixed in     version 115.11.0esr-1~deb12u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2883 advisory.

    [115.11.0-1.0.1]
    - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file

    [115.11.0-1]
    - Update to 115.11.0 build1

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:2883 advisory.

  - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution     in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird <     115.11. (CVE-2024-4367)

  - If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly     deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability     affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4767)

  - A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user     into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4768)

  - When importing resources using Web Workers, error messages would distinguish the difference between     `application/javascript` responses and non-script responses. This could have been abused to learn     information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird     < 115.11. (CVE-2024-4769)

  - When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This     vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4770)

  - Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs     showed evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and     Thunderbird < 115.11. (CVE-2024-4777)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
197502	RHEL 9 : thunderbird (RHSA-2024:2903)	Nessus	Red Hat Local Security Checks	5/20/2024	1/23/2025	high
197812	RHEL 8 : thunderbird (RHSA-2024:3338)	Nessus	Red Hat Local Security Checks	5/23/2024	1/23/2025	high
197868	Fedora 39 : thunderbird (2024-5d7c339890)	Nessus	Fedora Local Security Checks	5/23/2024	1/23/2025	high
198108	Fedora 40 : thunderbird (2024-7ade906120)	Nessus	Fedora Local Security Checks	5/30/2024	1/23/2025	high
200269	RHEL 8 : firefox (RHSA-2024:3783)	Nessus	Red Hat Local Security Checks	6/10/2024	1/23/2025	high
200370	Oracle Linux 8 : thunderbird (ELSA-2024-3784)	Nessus	Oracle Linux Local Security Checks	6/11/2024	9/9/2025	high
200384	Amazon Linux 2 : thunderbird (ALAS-2024-2561)	Nessus	Amazon Linux Local Security Checks	6/12/2024	1/23/2025	high
205208	Debian dsa-5742 : odoo-14 - security update	Nessus	Debian Local Security Checks	8/8/2024	1/23/2025	high
208551	CentOS 7 : thunderbird (RHSA-2024:2913)	Nessus	CentOS Local Security Checks	10/9/2024	1/23/2025	high
209247	Atlassian Confluence 3.0.x < 7.19.25 / 7.20.x < 8.5.11 / 8.6.x < 8.9.3 (CONFSERVER-98205)	Nessus	CGI abuses	10/17/2024	1/23/2025	high
238665	TencentOS Server 2: thunderbird (TSSA-2024:0148)	Nessus	Tencent Local Security Checks	6/16/2025	11/20/2025	high
238759	TencentOS Server 4: firefox (TSSA-2024:0424)	Nessus	Tencent Local Security Checks	6/16/2025	11/20/2025	high
197091	Debian dsa-5691 : firefox-esr - security update	Nessus	Debian Local Security Checks	5/15/2024	1/23/2025	high
197405	Oracle Linux 9 : firefox (ELSA-2024-2883)	Nessus	Oracle Linux Local Security Checks	5/17/2024	9/9/2025	high
197534	AlmaLinux 9 : firefox (ALSA-2024:2883)	Nessus	Alma Linux Local Security Checks	5/21/2024	1/23/2025	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high