CVE-2024-11694
Published 2024-11-26
Severity: medium, CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
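What `frame-src` is supposed to enforce, as an added example (not Mozilla's code and not the Web Compatibility extension's shim): a small evaluator that answers whether a document's Content-Security-Policy permits a given frame URL, following the CSP Level 3 matching rules for `frame-src`, including its fallback to `child-src` and `default-src`. The policy, the page origin and the `safeframe-shim.example` host are constructed sample values. The advisory says that in ETP Strict mode frames created by the SafeFrame shim escaped this check, so the policy that blocks the third-party frame below was not applied to the shim's frame; the code shows the decision the browser owes every frame, not how the shim bypassed it.

```javascript
// Added example, not Mozilla or Web Compatibility extension code: a compact
// evaluator for the CSP `frame-src` directive, the check a browser owes every
// frame a document creates, whether from page script or an injected shim.
// Matching follows CSP Level 3 for 'none', 'self', '*', scheme- and host-sources.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };
// Host-source grammar: [scheme://]host[:port][/path]; "*." host prefix and
// "*" port are wildcards. Applied to the lower-cased expression.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/;

// Parse a Content-Security-Policy header value into directive -> source list.
// The first occurrence of a directive wins; later repeats are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length && !directives.has(parts[0].toLowerCase())) {
      directives.set(parts[0].toLowerCase(), parts.slice(1));
    }
  }
  return directives;
}

// frame-src falls back to child-src, then default-src; null means no
// directive governs frames and the policy leaves them unrestricted.
function frameSourceList(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return { name, list: directives.get(name) };
  }
  return null;
}

const portOf = (url) => url.port || DEFAULT_PORTS[url.protocol] || '';
// A source scheme of http: also permits https: (the spec's upgrade rule).
const schemeMatches = (src, got) => src === got || (src === 'http:' && got === 'https:');

// Does one source expression permit `url` for a document at origin `self`?
function sourceMatches(expr, url, self) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") {
    return url.protocol === self.protocol && url.hostname === self.hostname &&
      portOf(url) === portOf(self);
  }
  if (lower === '*') return /^https?:$/.test(url.protocol) || url.protocol === self.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return schemeMatches(lower, url.protocol);
  const m = lower.match(HOST_SOURCE);
  if (!m) return false; // nonce, hash or unknown keyword: never matches a URL
  const [, scheme, host, port] = m;
  // Paths are case-sensitive, so take the path from the original expression.
  const path = m[4] === undefined ? undefined : expr.slice(expr.length - m[4].length);
  if (!schemeMatches(scheme ? scheme + ':' : self.protocol, url.protocol)) return false;
  const suffix = host.slice(1); // for "*.example.com" this is ".example.com"
  const hostOk = host === '*' || (host.startsWith('*.')
    ? url.hostname.endsWith(suffix) && url.hostname.length > suffix.length
    : url.hostname === host);
  if (!hostOk) return false;
  // No port in the source means the URL must be on its scheme's default port.
  const portOk = port === undefined ? url.port === '' : port === '*' || portOf(url) === port;
  if (!portOk) return false;
  // A trailing slash means prefix match; otherwise the path must match exactly.
  return path === undefined ||
    (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
}

// Decide whether the document at `documentUrl`, under policy `header`, may load
// `frameUrl` as a frame. Returns { allowed, directive, matchedBy }.
function checkFrame(header, frameUrl, documentUrl) {
  const self = new URL(documentUrl);
  const url = new URL(frameUrl, self.href);
  const governing = frameSourceList(parsePolicy(header));
  if (governing === null) return { allowed: true, directive: null, matchedBy: null };
  const hit = governing.list.find((expr) => sourceMatches(expr, url, self));
  return { allowed: hit !== undefined, directive: governing.name, matchedBy: hit ?? null };
}

// Constructed sample: a page allowing only same-origin frames, its https
// subdomains and one partner host on a non-default port. The host
// `safeframe-shim.example` is a hypothetical third-party origin.
const POLICY = "default-src 'self'; frame-src 'self' https://*.example.com https://ads.example.net:8443/frames/";
const PAGE = 'https://shop.example.org/checkout';
const SAMPLE_FRAMES = [
  '/help/widget',                                   // same-origin: 'self'
  'https://cdn.example.com/player',                 // https://*.example.com
  'https://example.com/',                           // apex does not match the *. wildcard
  'https://ads.example.net:8443/frames/unit1.html', // host, port and path prefix all match
  'https://ads.example.net/frames/unit1.html',      // port 443, but the policy requires 8443
  'http://shop.example.org/help/widget',            // scheme differs from 'self'
  'https://safeframe-shim.example/container.html',  // not in the list: must be blocked
];

// Returns [[url, allowed], ...] for the samples above.
function runSamples() {
  return SAMPLE_FRAMES.map((u) => [u, checkFrame(POLICY, u, PAGE).allowed]);
}

for (const [u, allowed] of runSamples()) console.log(`${allowed ? 'ALLOW' : 'BLOCK'} ${u}`);
```

Run it with `node` to print an ALLOW/BLOCK verdict per sample. Two practical points follow from the advisory text: the bypass sits in the client's extension code and it is the site's own `frame-src` that was skipped, so a site cannot harden against it server-side and the only fix is the browser versions listed above; and since the advisory names Enhanced Tracking Protection's Strict mode as the condition, any reproduction or regression check has to be done with ETP set to Strict.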
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | < 133 | 133 |
| mozilla | firefox | >= 116.0 < 128.5.0 | 128.5.0 |
| mozilla | firefox | < 115.18.0 | 115.18.0 |
| mozilla | firefox_esr | < 128.5 | 128.5 |
| mozilla | firefox_esr | < 115.18 | 115.18 |
| mozilla | thunderbird | >= 129.0 < 133.0 | 133.0 |
| mozilla | thunderbird | >= 116.0 < 128.5.0 | 128.5.0 |
| mozilla | thunderbird | < 115.18.0 | 115.18.0 |
| debian | firefox | < 133.0-1 (sid) | 133.0-1 (sid) |
| debian | firefox-esr | < firefox 133.0-1 (sid) | firefox 133.0-1 (sid) |
| debian | thunderbird | < 1:128.5.0esr-1~deb11u1 | 1:128.5.0esr-1~deb11u1 |
| debian | thunderbird | < 1:128.5.0esr-1~deb12u1 | 1:128.5.0esr-1~deb12u1 |
| debian | thunderbird | < 1:128.5.0esr-1 | 1:128.5.0esr-1 |
| ubuntu | firefox | < 133.0+build2-0ubuntu0.20.04.1 | 133.0+build2-0ubuntu0.20.04.1 |
CVSS provenance
NVD (CVSS v3.1): 6.1 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
OSV: 6.1 MEDIUM
Mozilla's own advisories rate the impact "high" for Firefox 133, Firefox ESR 128.5, Thunderbird 128.5 and Thunderbird 133, and "moderate" for Firefox ESR 115.18 and Thunderbird 115.18; these ratings are Mozilla's own scale and are independent of the CVSS score.
Ubuntu
Thunderbird vulnerability
vendor_ubuntu·2025-01-09·CVE-2024-11694
Summary: Thunderbird could be made to bypass security restrictions.
Masato Kinugawa discovered that Thunderbird did not properly validate the
CSP policy in the Web Compatibility extension. An attacker could
potentially exploit this issue to perform a cross-site scripting attack.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-12-03·CVSS 4.3·CVE-2024-11692 [MEDIUM] (advisory keyed to CVE-2024-11692; its CVE list includes CVE-2024-11694)
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-11692,
CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697,
CVE-2024-11699, CVE-2024-11701, CVE-2024-11704, CVE-2024-11705,
CVE-2024-11706, CVE-2024-11708)
Instructions: After a standard system update you need to restart Firefox to make all the
necessary changes.
Red Hat
firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims
vendor_redhat·2024-11-26·CVSS 6.1·CVE-2024-11694 [MEDIUM]·CWE-79
Description: identical to the NVD text at the top of this page.
The Mozilla Foundation's Security Advisory: Enhanced Tracking Protection's Strict mode may inadvertently allow a CSP `frame-src` bypass and DOM-based cross-site scripting (XSS) through the Google SafeFrame shim in the Web Compatibility extension. This issue could expose users to malicious
Debian
CVE-2024-11694: firefox
vendor_debian·2024·CVSS 6.1·[MEDIUM]
Description: identical to the NVD text at the top of this page.
Scope: local
sid: resolved (fixed in 133.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-63: CVE-2024-11694
vendor_mozilla·CVSS 6.1·[MEDIUM]
Product: Firefox
Impact: high
Fixed in: Firefox 133
Mozilla
Mozilla Foundation Security Advisory 2024-68: CVE-2024-11694
vendor_mozilla·CVSS 6.1·[MEDIUM]
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 128.5
Mozilla
Mozilla Foundation Security Advisory 2024-64: CVE-2024-11694
vendor_mozilla·CVSS 6.1·[MEDIUM]
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 128.5
Mozilla
Mozilla Foundation Security Advisory 2024-70: CVE-2024-11694
vendor_mozilla·CVSS 6.1·[MEDIUM]
Product: Thunderbird
Impact: moderate
Fixed in: Thunderbird 115.18
Mozilla
Mozilla Foundation Security Advisory 2024-65: CVE-2024-11694
vendor_mozilla·CVSS 6.1·[MEDIUM]
Product: Firefox ESR
Impact: moderate
Fixed in: Firefox ESR 115.18
Mozilla
Mozilla Foundation Security Advisory 2024-67: CVE-2024-11694
vendor_mozilla·CVSS 6.1·[MEDIUM]
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 133
OSV
firefox vulnerabilities
osv·2024-12-03·CVSS 4.3·CVE-2024-11692 [MEDIUM]
Same advisory text as the Ubuntu "Firefox vulnerabilities" entry above; its CVE list (CVE-2024-11692, CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697, CVE-2024-11699, CVE-2024-11701, CVE-2024-11704, CVE-2024-11705, CVE-2024-11706, CVE-2024-11708) includes this CVE.
OSV
CVE-2024-11694: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim
osv·2024-11-26·CVSS 6.1·[MEDIUM]
Description: identical to the NVD text at the top of this page.
GHSA
GHSA-mjcw-r3mg-3848: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim
ghsa_unreviewed·2024-11-26·CVE-2024-11694 [MEDIUM]·CWE-79
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. Note that this GHSA affected list omits Thunderbird < 115.18, which the NVD text above and Mozilla Foundation Security Advisory 2024-70 both include; Thunderbird 115.x before 115.18 should be treated as affected.
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1924167
https://www.mozilla.org/security/advisories/mfsa2024-63/
https://www.mozilla.org/security/advisories/mfsa2024-64/
https://www.mozilla.org/security/advisories/mfsa2024-65/
https://www.mozilla.org/security/advisories/mfsa2024-67/
https://www.mozilla.org/security/advisories/mfsa2024-68/
https://www.mozilla.org/security/advisories/mfsa2024-70/
https://lists.debian.org/debian-lts-announce/2024/11/msg00029.html