Security Vulnerabilities - CVEs Published In November 2024
`NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows `phKey` to be NULL for certain mechanisms. This vulnerability affects Firefox < 133 and Thunderbird < 133.
CVSS Score
9.1
EPSS Score
0.002
Published
2024-11-26
Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
CVSS Score
8.8
EPSS Score
0.003
Published
2024-11-26
An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-11-26
The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CVSS Score
9.8
EPSS Score
0.003
Published
2024-11-26
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-11-26
QSEE will randomly experience a fatal error during execution due to speculative instruction fetches from device memory. Device memory is not valid executable memory.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-11-26
Information disclosure due to uninitialized variable.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-11-26
Information disclosure possible during audio playback.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-11-26
Crafted Binder Request Causes Heap UAF in MediaServer
CVSS Score
7.8
EPSS Score
0.0
Published
2024-11-26
An unsigned integer underflow vulnerability in the IPA driver results in a buffer over-read while reading a NAT entry using the debugfs command 'cat /sys/kernel/debug/ipa/ip4_nat'.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-11-26

