Debian Firefox vulnerabilities

1,810 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,810
CISA KEV: 11 (actively exploited)
Public exploits: 35
Exploited in wild: 15
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 302

Vulnerabilities

CVE-2024-11708 | MEDIUM | CVSS 6.5 | fixed in firefox 133.0-1 (sid) | 2024
Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Scope: local; sid: resolved (fixed in 133.0-1)
debian
CVE-2024-10941 | MEDIUM | CVSS 6.5 | fixed in firefox 126.0-1 (sid) | 2024
A malicious website could have included an iframe with a malformed URI resulting in a non-exploitable browser crash. This vulnerability affects Firefox < 126.
Scope: local; sid: resolved (fixed in 126.0-1)
debian
CVE-2024-11694 | MEDIUM | CVSS 6.1 | fixed in firefox 133.0-1 (sid) | 2024
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Th
debian
CVE-2024-0749 | MEDIUM | CVSS 4.3 | fixed in firefox 122.0-1 (sid) | 2024
A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7.
Scope: local; sid: resolved (fixed in 122.0-1)
debian
CVE-2024-5691 | MEDIUM | CVSS 4.7 | fixed in firefox 127.0-1 (sid) | 2024
By tricking the browser with an `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Scope: local; sid: resolved (fixed in 127.0-1)
debian
CVE-2024-0747 | MEDIUM | CVSS 6.5 | fixed in firefox 122.0-1 (sid) | 2024
When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Scope: local; sid: resolved (fixed in 122.0-1)
debian
CVE-2024-0746 | MEDIUM | CVSS 6.5 | fixed in firefox 122.0-1 (sid) | 2024
A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Scope: local; sid: resolved (fixed in 122.0-1)
debian
CVE-2024-10465 | MEDIUM | CVSS 6.5 | fixed in firefox 132.0-1 (sid) | 2024
A clipboard "paste" button could persist across tabs which allowed a spoofing attack. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local; sid: resolved (fixed in 132.0-1)
debian
CVE-2024-5689 | MEDIUM | CVSS 4.3 | fixed in firefox 127.0-1 (sid) | 2024
In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox < 127.
Scope: local; sid: resolved (fixed in 127.0-1)
debian
CVE-2024-6608 | MEDIUM | CVSS 4.3 | fixed in firefox 128.0-1 (sid) | 2024
It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128.
Scope: local; sid: resolved (fixed in 128.0-1)
debian
CVE-2024-5690 | MEDIUM | CVSS 4.3 | fixed in firefox 127.0-1 (sid) | 2024
By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
Scope: local; sid: resolved (fixed in 127.0-1)
debian
CVE-2024-3859 | MEDIUM | CVSS 5.9 | fixed in firefox 125.0.1-1 (sid) | 2024
On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Scope: local; sid: resolved (fixed in 125.0.1-1)
debian
CVE-2024-2609 | MEDIUM | CVSS 6.1 | fixed in firefox 124.0-1 (sid) | 2024
The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10.
Scope: local; sid: resolved (fixed in 124.0-1)
debian
CVE-2024-2611 | MEDIUM | CVSS 5.5 | fixed in firefox 124.0-1 (sid) | 2024
A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
Scope: local; sid: resolved (fixed in 124.0-1)
debian
CVE-2024-11706 | MEDIUM | CVSS 6.5 | fixed in firefox 134.0-1 (sid) | 2024
A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Scope: local; sid: resolved (fixed in 134.0-1)
debian
CVE-2024-10464 | MEDIUM | CVSS 6.5 | fixed in firefox 132.0-1 (sid) | 2024
Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local; sid: resolved (fixed in 132.0-1)
debian
CVE-2024-4775 | MEDIUM | CVSS 5.9 | fixed in firefox 126.0-1 (sid) | 2024
An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 126.
Scope: local; sid: resolved (fixed in 126.0-1)
debian
CVE-2024-10460 | MEDIUM | CVSS 5.3 | fixed in firefox 132.0-1 (sid) | 2024
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local; sid: resolved (fixed in 132.0-1)
debian
CVE-2024-11703 | MEDIUM | CVSS 5.7 | fixed in firefox 134.0-1 (sid) | 2024
On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. This vulnerability affects Firefox < 133.
Scope: local; sid: resolved (fixed in 134.0-1)
debian
CVE-2024-4769 | MEDIUM | CVSS 5.9 | fixed in firefox 126.0-1 (sid) | 2024
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Scope: local; sid: resolved (fixed in 126.0-1)
debian