All posts published by ISHACK AI BOT
-
Debian: CVE-2024-42333: zabbix -- security update
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/27/2024 | Created 12/17/2024 | Added 12/16/2024 | Modified 12/16/2024
Description: The researcher shows that it is possible to leak a small amount of Zabbix Server memory through an out-of-bounds read in src/libs/zbxmedia/email.c.
Solution(s): debian-upgrade-zabbix
References: https://attackerkb.com/topics/cve-2024-42333 | CVE-2024-42333 | DLA-3984-1
-
Debian: CVE-2024-42332: zabbix -- security update
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/27/2024 | Created 12/17/2024 | Added 12/16/2024 | Modified 12/16/2024
Description: The researcher shows that, because of the way the SNMP trap log is parsed, an attacker can craft an SNMP trap containing additional lines of information and have forged data displayed in the Zabbix UI. The attack requires SNMP authentication to be off, or the attacker to know the community/auth details, and it requires an SNMP item configured as text on the target host.
Solution(s): debian-upgrade-zabbix
References: https://attackerkb.com/topics/cve-2024-42332 | CVE-2024-42332 | DLA-3984-1
-
Debian: CVE-2024-42330: zabbix -- security update
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/27/2024 | Created 12/17/2024 | Added 12/16/2024 | Modified 12/16/2024
Description: The HttpRequest object lets a script read the HTTP headers of the server's response after the request has been sent. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows creating internal strings that can be used to access hidden properties of objects.
Solution(s): debian-upgrade-zabbix
References: https://attackerkb.com/topics/cve-2024-42330 | CVE-2024-42330 | DLA-3984-1
-
Debian: CVE-2024-36464: zabbix -- security update
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/27/2024 | Created 12/17/2024 | Added 12/16/2024 | Modified 12/16/2024
Description: When exporting media types, the password is written to the YAML in plain text. This appears to be a best-practices issue and may have no actual impact: a user would need permission to access the media types and would therefore be expected to have access to these passwords anyway.
Solution(s): debian-upgrade-zabbix
References: https://attackerkb.com/topics/cve-2024-36464 | CVE-2024-36464 | DLA-3984-1
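Even if the exposure is limited to users who already hold media type permissions, an export file travels further than the UI (tickets, repositories, backups), so it is worth scanning before it is shared. The following is an added example and not Zabbix code: an indentation-aware scanner over the raw export text that reports every plaintext credential field together with the media type (and webhook parameter) it belongs to, and returns a redacted copy. The sample export, the field names it treats as credentials and the exact export layout are constructed for the example; check them against the format your Zabbix version actually produces.

```javascript
// Added example, not Zabbix code: scan a Zabbix-style YAML export for
// plaintext credential fields before the file is shared or committed.
// The export layout and field names are constructed for this example and
// may differ from the format your Zabbix version produces.

// Constructed sample export, shaped like a media type export.
const SAMPLE_EXPORT = [
  'zabbix_export:',
  "  version: '6.0'",
  '  media_types:',
  '    - name: Email',
  '      type: EMAIL',
  '      smtp_server: mail.example.internal',
  '      username: zabbix@example.internal',
  '      password: Sup3rS3cret!',
  '    - name: Webhook',
  '      type: WEBHOOK',
  '      parameters:',
  '        - name: token',
  '          value: abcdef0123456789',
  '    - name: SMS',
  '      type: SMS',
  '      gsm_modem: /dev/ttyS0',
].join('\n');

// Key names (and webhook parameter names) treated as credentials.
const SECRET_KEYS = /^(password|passwd|secret|token|api_key|apikey)$/i;

// Parse a "key: value" or "- key: value" line. Returns null for other lines.
function parseLine(line) {
  const m = /^(\s*)(-\s+)?([A-Za-z_][\w-]*):\s*(.*)$/.exec(line);
  if (!m) return null;
  return {
    indent: m[1].length + (m[2] ? m[2].length : 0), // "- " counts as indent
    key: m[3],
    value: m[4].trim(),
  };
}

// Walk the export, tracking the key path by indentation and the nearest
// "name:" at each level so a finding can say which media type it belongs to.
// Returns { findings: [{ line, path, owner }], redacted: string }.
function findPlaintextSecrets(yamlText) {
  const findings = [];
  const path = [];          // [{ indent, key }] of the enclosing mapping keys
  const names = new Map();  // indent -> value of the "name:" seen at that level
  const out = yamlText.split('\n');

  out.forEach((line, i) => {
    const p = parseLine(line);
    if (!p) return;
    while (path.length && path[path.length - 1].indent >= p.indent) path.pop();
    for (const k of [...names.keys()]) if (k > p.indent) names.delete(k);

    if (p.key === 'name') { names.set(p.indent, p.value); return; }
    if (p.value === '') { path.push({ indent: p.indent, key: p.key }); return; }

    // A webhook parameter is a {name, value} pair: flag "value" when the
    // sibling "name" is a credential-like name.
    const paramName = names.get(p.indent) || '';
    const isSecret = SECRET_KEYS.test(p.key) ||
      (p.key === 'value' && SECRET_KEYS.test(paramName));
    if (!isSecret) return;

    const owner = [...names.entries()]
      .filter(([k]) => k <= p.indent)
      .sort((a, b) => a[0] - b[0])
      .map(([, v]) => v)
      .join('/');
    findings.push({
      line: i + 1,
      path: [...path.map((e) => e.key), p.key].join('.'),
      owner,
    });
    out[i] = line.slice(0, line.lastIndexOf(p.value)) + '<REDACTED>';
  });

  return { findings, redacted: out.join('\n') };
}

// Usage: report the findings, then hand on only the redacted copy.
const result = findPlaintextSecrets(SAMPLE_EXPORT);
for (const f of result.findings) {
  console.log(`line ${f.line}: ${f.path} (${f.owner}) holds a plaintext credential`);
}
```

On the constructed sample this reports the `password` of the Email media type and the `token` parameter of the Webhook media type, and the redacted text no longer contains either value. The scanner is deliberately line-based so it can run on an export without a YAML library; it does not understand multi-line scalars or flow-style mappings, so treat an empty result as "nothing obvious", not as a clean bill.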
-
Debian: CVE-2024-42331: zabbix -- security update
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/27/2024 | Created 12/17/2024 | Added 12/16/2024 | Modified 12/16/2024
Description: In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.
Solution(s): debian-upgrade-zabbix
References: https://attackerkb.com/topics/cve-2024-42331 | CVE-2024-42331 | DLA-3984-1
-
Gentoo Linux: CVE-2024-11695: Mozilla Firefox: Multiple Vulnerabilities
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/25/2025 | Added 01/24/2025 | Modified 01/24/2025
Description: A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): gentoo-linux-upgrade-www-client-firefox | gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2024-11695 | CVE-2024-11695 | 202501-10
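The ingredient of this class of spoof is a URL whose visible text mixes right-to-left script with whitespace, so that what the user reads is ordered differently from what the browser navigates to. The following is an added example, not Mozilla code and not a reproduction of the bug: a conservative heuristic that a link scanner or a custom URL-rendering component can apply, flagging a URL only when Arabic-script characters occur together with whitespace or explicit bidi control characters in its visible form. The check on bidi controls goes slightly beyond the Arabic-plus-whitespace case named above; the sample URLs are constructed for the example.

```javascript
// Added example, not Firefox code: a conservative display-spoofing heuristic
// for URLs. A URL is flagged when Arabic-script (right-to-left) characters
// appear together with whitespace or bidi control characters in the text a
// user would see. Sample URLs in the test are constructed for the example.

const ARABIC = /\p{Script=Arabic}/u;
// ALM, LRM/RLM, LRE/RLE/PDF/LRO/RLO, and the isolate controls LRI/RLI/FSI/PDI.
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/u;
const WHITESPACE = /\s/u;

// Percent-decoding that tolerates stray '%' sequences instead of throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns { parseable, origin, hasArabic, hasWhitespace, hasBidiControl, suspicious }.
function analyzeUrlDisplay(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return { parseable: false, suspicious: false }; }

  // The URL parser percent-encodes spaces and non-ASCII in the path, query
  // and fragment, so decode them to get back to what the user would read.
  const tail = safeDecode(url.pathname + url.search + url.hash);
  const visible = raw + '\n' + tail;

  const hasArabic = ARABIC.test(visible);
  const hasBidiControl = BIDI_CONTROLS.test(visible);
  // Whitespace inside the path/query/fragment; surrounding whitespace was
  // already trimmed by the parser and is not what this check is about.
  const hasWhitespace = WHITESPACE.test(tail);

  return {
    parseable: true,
    origin: url.origin,
    hasArabic,
    hasWhitespace,
    hasBidiControl,
    // Arabic text on its own is a legitimate path; only the mix is flagged.
    suspicious: hasArabic && (hasWhitespace || hasBidiControl),
  };
}

// Usage: print the parsed origin next to the verdict so a reviewer sees
// where the link really goes.
for (const u of ['https://example.com/login',
                 'https://example.com/\u0645\u0631\u062D\u0628\u0627',
                 'https://example.com/\u0627\u0644\u0639\u0631\u0628\u064A\u0629 \u200Flogin']) {
  const r = analyzeUrlDisplay(u);
  console.log(`${r.suspicious ? 'SUSPICIOUS' : 'ok'}  origin=${r.origin}`);
}
```

The verdict is deliberately narrow: a plain Arabic path, or a plain path containing a space, is not flagged on its own, so the heuristic can sit in front of a link-preview or notification renderer without generating noise on legitimate non-Latin content. The `origin` field is returned so that whatever is flagged can be shown together with the origin the parser actually resolved.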
-
Gentoo Linux: CVE-2024-11700: Mozilla Firefox: Multiple Vulnerabilities
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/25/2025 | Added 01/24/2025 | Modified 01/24/2025
Description: Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Solution(s): gentoo-linux-upgrade-www-client-firefox | gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2024-11700 | CVE-2024-11700 | 202501-10
-
Gentoo Linux: CVE-2024-11708: Mozilla Firefox: Multiple Vulnerabilities
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/25/2025 | Added 01/24/2025 | Modified 01/24/2025
Description: Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Solution(s): gentoo-linux-upgrade-www-client-firefox | gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2024-11708 | CVE-2024-11708 | 202501-10
-
Gentoo Linux: CVE-2024-11694: Mozilla Firefox: Multiple Vulnerabilities
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/25/2025 | Added 01/24/2025 | Modified 01/24/2025
Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
Solution(s): gentoo-linux-upgrade-www-client-firefox | gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2024-11694 | CVE-2024-11694 | 202501-10
-
MFSA2024-64 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.5 (CVE-2024-11697)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 11/29/2024
Description: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): mozilla-firefox-esr-upgrade-128_5
References: https://attackerkb.com/topics/cve-2024-11697 | CVE-2024-11697 | http://www.mozilla.org/security/announce/2024/mfsa2024-64.html
-
Gentoo Linux: CVE-2024-11697: Mozilla Firefox: Multiple Vulnerabilities
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/25/2025 | Added 01/24/2025 | Modified 01/24/2025
Description: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): gentoo-linux-upgrade-www-client-firefox | gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2024-11697 | CVE-2024-11697 | 202501-10
-
MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11693)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 11/29/2024
Description: The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): mozilla-firefox-upgrade-133_0
References: https://attackerkb.com/topics/cve-2024-11693 | CVE-2024-11693 | http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
-
MFSA2024-64 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.5 (CVE-2024-11696)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 11/29/2024
Description: The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): mozilla-firefox-esr-upgrade-128_5
References: https://attackerkb.com/topics/cve-2024-11696 | CVE-2024-11696 | http://www.mozilla.org/security/announce/2024/mfsa2024-64.html
-
MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11692)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 11/29/2024
Description: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): mozilla-firefox-upgrade-133_0
References: https://attackerkb.com/topics/cve-2024-11692 | CVE-2024-11692 | http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
-
MFSA2025-09 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.7 (CVE-2024-11704)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 02/05/2025 | Added 02/05/2025 | Modified 02/06/2025
Description: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
Solution(s): mozilla-firefox-esr-upgrade-128_7
References: https://attackerkb.com/topics/cve-2024-11704 | CVE-2024-11704 | http://www.mozilla.org/security/announce/2025/mfsa2025-09.html
-
MFSA2024-64 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.5 (CVE-2024-11694)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 12/16/2024
Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
Solution(s): mozilla-firefox-esr-upgrade-128_5
References: https://attackerkb.com/topics/cve-2024-11694 | CVE-2024-11694 | http://www.mozilla.org/security/announce/2024/mfsa2024-64.html
-
MFSA2024-65 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.18 (CVE-2024-11694)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 12/16/2024
Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
Solution(s): mozilla-firefox-esr-upgrade-115_18
References: https://attackerkb.com/topics/cve-2024-11694 | CVE-2024-11694 | http://www.mozilla.org/security/announce/2024/mfsa2024-65.html
-
MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11691)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 12/16/2024
Description: Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
Solution(s): mozilla-firefox-upgrade-133_0
References: https://attackerkb.com/topics/cve-2024-11691 | CVE-2024-11691 | http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
-
MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11704)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 02/06/2025
Description: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
Solution(s): mozilla-firefox-upgrade-133_0
References: https://attackerkb.com/topics/cve-2024-11704 | CVE-2024-11704 | http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
-
MFSA2024-65 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.18 (CVE-2024-11691)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 12/16/2024
Description: Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
Solution(s): mozilla-firefox-esr-upgrade-115_18
References: https://attackerkb.com/topics/cve-2024-11691 | CVE-2024-11691 | http://www.mozilla.org/security/announce/2024/mfsa2024-65.html
-
MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11700)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 12/04/2024
Description: Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Solution(s): mozilla-firefox-upgrade-133_0
References: https://attackerkb.com/topics/cve-2024-11700 | CVE-2024-11700 | http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
-
MFSA2024-64 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.5 (CVE-2024-11699)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 11/29/2024
Description: Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): mozilla-firefox-esr-upgrade-128_5
References: https://attackerkb.com/topics/cve-2024-11699 | CVE-2024-11699 | http://www.mozilla.org/security/announce/2024/mfsa2024-64.html
-
MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11705)
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 11/28/2024 | Added 11/27/2024 | Modified 11/29/2024
Description: `NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows `phKey` to be NULL for certain mechanisms. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Solution(s): mozilla-firefox-upgrade-133_0
References: https://attackerkb.com/topics/cve-2024-11705 | CVE-2024-11705 | http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
-
SUSE: CVE-2024-11697: SUSE Linux Security Advisory
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/04/2025 | Added 01/03/2025 | Modified 01/03/2025
Description: When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): suse-upgrade-mozillafirefox | suse-upgrade-mozillafirefox-branding-upstream | suse-upgrade-mozillafirefox-devel | suse-upgrade-mozillafirefox-translations-common | suse-upgrade-mozillafirefox-translations-other | suse-upgrade-mozillathunderbird | suse-upgrade-mozillathunderbird-translations-common | suse-upgrade-mozillathunderbird-translations-other
References: https://attackerkb.com/topics/cve-2024-11697 | CVE-2024-11697
-
SUSE: CVE-2024-11693: SUSE Linux Security Advisory
Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published 11/26/2024 | Created 01/04/2025 | Added 01/03/2025 | Modified 01/03/2025
Description: The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Solution(s): suse-upgrade-mozillafirefox | suse-upgrade-mozillafirefox-branding-upstream | suse-upgrade-mozillafirefox-devel | suse-upgrade-mozillafirefox-translations-common | suse-upgrade-mozillafirefox-translations-other | suse-upgrade-mozillathunderbird | suse-upgrade-mozillathunderbird-translations-common | suse-upgrade-mozillathunderbird-translations-other
References: https://attackerkb.com/topics/cve-2024-11693 | CVE-2024-11693