CVE-2024-11693 — Product UI does not Warn User of Unsafe Actions in Mozilla Firefox

CWE-356 — Product UI does not Warn User of Unsafe Actions10 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 47.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedNov 26

Description

The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5mozilla/firefoxunspecified — 133

▶NVDmozilla/firefox< 128.5.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 128.5

▶CVEListV5mozilla/thunderbirdunspecified — 133+1

▶NVDmozilla/thunderbird129.0 — 133.0+1

🔴Vulnerability Details

OSV

CVE-2024-11693: The executable file warning was not presented when downloading↗2024-11-26

▶

CVEList

CVE-2024-11693: The executable file warning was not presented when downloading↗2024-11-26

▶

GHSA

GHSA-qxf6-g9x3-8w74: The executable file warning was not presented when downloading↗2024-11-26

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Download Protections were bypassed by .library-ms files on Windows↗2024-11-26

▶

Debian

CVE-2024-11693: firefox - The executable file warning was not presented when downloading .library-ms files...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-63: CVE-2024-11693↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-68: CVE-2024-11693↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-64: CVE-2024-11693↗

▶