CVE-2024-11697
published 2024-11-26CVE-2024-11697: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have…
high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 133.0-1 (sid) | firefox 133.0-1 (sid) |
| debian | firefox-esr | < firefox 133.0-1 (sid) | firefox 133.0-1 (sid) |
| debian | thunderbird | < firefox 133.0-1 (sid) | firefox 133.0-1 (sid) |
| mozilla | firefox | < 128.5.0 | 128.5.0 |
| mozilla | firefox | < 133.0 | 133.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 133.0+build2-0ubuntu0.20.04.1 | 133.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 133 | 133 |
| mozilla | firefox_esr | >= unspecified < 128.5 | 128.5 |
| mozilla | thunderbird | < 128.5.0 | 128.5.0 |
| mozilla | thunderbird | >= 0 < 1:128.5.0esr-1~deb11u1 | 1:128.5.0esr-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:128.5.0esr-1~deb12u1 | 1:128.5.0esr-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:128.5.0esr-1 | 1:128.5.0esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.5.0esr-1 | 1:128.5.0esr-1 |
| mozilla | thunderbird | >= 129.0 < 133.0 | 133.0 |
| mozilla | thunderbird | >= unspecified < 133 | 133 |
| mozilla | thunderbird | >= unspecified < 128.5 | 128.5 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-12-03·CVSS 4.3
CVE-2024-11692 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-11692,
CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697,
CVE-2024-11699, CVE-2024-11701, CVE-2024-11704, CVE-2024-11705,
CVE-2024-11706, CVE-2024-11708)
Instructions: After a standard system update you need to restart Firefox to make all the
necessary changes
Red Hat
firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog
vendor_redhat·2024-11-26·CVSS 8.8
CVE-2024-11697 [HIGH] CWE-356 firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog
firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security
Debian
CVE-2024-11697: firefox - When handling keypress events, an attacker may have been able to trick a user in...
vendor_debian·2024·CVSS 8.8
CVE-2024-11697 [HIGH] CVE-2024-11697: firefox - When handling keypress events, an attacker may have been able to trick a user in...
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Scope: local
sid: resolved (fixed in 133.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-68: CVE-2024-11697
vendor_mozilla·CVSS 8.8
CVE-2024-11697 [HIGH] Mozilla Foundation Security Advisory 2024-68: CVE-2024-11697
Mozilla Foundation Security Advisory 2024-68
CVE: CVE-2024-11697
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 128.5
Mozilla
Mozilla Foundation Security Advisory 2024-64: CVE-2024-11697
vendor_mozilla·CVSS 8.8
CVE-2024-11697 [HIGH] Mozilla Foundation Security Advisory 2024-64: CVE-2024-11697
Mozilla Foundation Security Advisory 2024-64
CVE: CVE-2024-11697
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 128.5
Mozilla
Mozilla Foundation Security Advisory 2024-63: CVE-2024-11697
vendor_mozilla·CVSS 8.8
CVE-2024-11697 [HIGH] Mozilla Foundation Security Advisory 2024-63: CVE-2024-11697
Mozilla Foundation Security Advisory 2024-63
CVE: CVE-2024-11697
Product: Firefox
Impact: high
Fixed in: Firefox 133
Mozilla
Mozilla Foundation Security Advisory 2024-67: CVE-2024-11697
vendor_mozilla·CVSS 8.8
CVE-2024-11697 [HIGH] Mozilla Foundation Security Advisory 2024-67: CVE-2024-11697
Mozilla Foundation Security Advisory 2024-67
CVE: CVE-2024-11697
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 133
OSV
firefox vulnerabilities
osv·2024-12-03·CVSS 4.3
CVE-2024-11692 [MEDIUM] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-11692,
CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697,
CVE-2024-11699, CVE-2024-11701, CVE-2024-11704, CVE-2024-11705,
CVE-2024-11706, CVE-2024-11708)
OSV
CVE-2024-11697: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog
osv·2024-11-26·CVSS 8.8
CVE-2024-11697 [HIGH] CVE-2024-11697: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
GHSA
GHSA-4jp9-q9g7-48gr: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog
ghsa_unreviewed·2024-11-26
CVE-2024-11697 [HIGH] CWE-94 GHSA-4jp9-q9g7-48gr: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1842187https://www.mozilla.org/security/advisories/mfsa2024-63/https://www.mozilla.org/security/advisories/mfsa2024-64/https://www.mozilla.org/security/advisories/mfsa2024-67/https://www.mozilla.org/security/advisories/mfsa2024-68/https://lists.debian.org/debian-lts-announce/2024/11/msg00029.html
2024-11-26
Published