Mozilla Products November 2024 1st Security Update Advisory

Overview

 

An update is available that fixes vulnerabilities in Mozilla products (Thunderbird, Firefox for iOS, Firefox ESR, and Firefox). Users of affected products are advised to update to the latest version.

 

Affected Products

 

Firefox versions earlier than 133

Firefox ESR versions earlier than 115.18

Firefox ESR versions earlier than 128.5

Firefox for iOS versions earlier than 133

Thunderbird versions earlier than 128.5

Thunderbird versions earlier than 133

 

Resolved Vulnerabilities

 

Moderate-severity vulnerability in Firefox for iOS in which the address is missing from the URL bar (CVE-2024-53976) [3]

Moderate-severity spoofing vulnerability in Firefox for iOS (CVE-2024-53975) [3]

Moderate-severity key information bypass vulnerability in Firefox (CVE-2024-11703) [6]

High-severity out-of-bounds write vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-11691) [1], [2], [4], [5], [6]

Moderate-severity key information bypass vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-11694) [1], [2], [4], [5], [6]

High-severity memory safety validation error vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-11699) [1], [2], [5], [6]

Moderate-severity vulnerability in Firefox, Firefox ESR, and Thunderbird that could allow a select list element to be displayed on top of another site (CVE-2024-11692) [1], [2], [5], [6]

Moderate-severity spoofing vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-11695) [1], [2], [5], [6]

Moderate-severity key information bypass vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-11693) [1], [2], [5], [6]

Moderate-severity unhandled exception vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-11696) [1], [2], [5], [6]

Moderate-severity vulnerability in Firefox, Thunderbird, and Android allowing potential tapjacking of intent verification (CVE-2024-11700) [2], [6]

Moderate-severity vulnerability in Firefox and Thunderbird due to improper clipboard protection (CVE-2024-11702) [2], [6]

Moderate-severity vulnerability in Firefox and Thunderbird due to a misleading address bar state during interrupted navigation (CVE-2024-11701) [2], [6]

 

Vulnerability Patches

 

The following patched versions were made available in the November 26, 2024 update. For more information on the patches, refer to the Mozilla documents listed under Referenced Sites.

Thunderbird 128.5

Thunderbird 133

Firefox for iOS 133

Firefox ESR 115.18

Firefox ESR 128.5

Firefox 133
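
The patched versions above can be checked against a software inventory. The following Python script is an added example, not part of the advisory or of any Mozilla tooling; the inventory rows, host names, and the version string format (for example "128.4.0esr") are constructed assumptions.

```python
import re

# Patched versions listed in this advisory, as (major, minor) per product.
FIXED = {
    "Firefox": [(133, 0)],
    "Firefox ESR": [(115, 18), (128, 5)],
    "Firefox for iOS": [(133, 0)],
    "Thunderbird": [(128, 5), (133, 0)],
}

def parse_version(text):
    """Return (major, minor) from strings such as '128.4.0esr' or '133.0'."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def needs_update(product, version_text):
    """True if the installed version is earlier than the patched version."""
    installed = parse_version(version_text)
    fixed = FIXED[product]
    # Compare against the patched release on the same major branch when the
    # advisory lists one; otherwise against the newest patched release.
    target = next((f for f in fixed if f[0] == installed[0]), max(fixed))
    return installed < target

def audit(inventory):
    """Return the hosts whose installed version predates the fix."""
    return [host for host, product, ver in inventory
            if needs_update(product, ver)]

# Constructed sample inventory: (host, product, reported version).
SAMPLE = [
    ("ws-01", "Firefox", "132.0.2"),
    ("ws-02", "Firefox ESR", "128.5.0esr"),
    ("ws-03", "Firefox ESR", "115.17.0esr"),
    ("mail-01", "Thunderbird", "128.4.3esr"),
    ("mail-02", "Thunderbird", "133.0"),
    ("ipad-01", "Firefox for iOS", "132.1"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(f"{host}: update required")
```

Versions on a branch the advisory does not list (for example an older ESR line) are compared against the newest patched release, so they are reported as needing an update.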

 

Referenced Sites

 

[1] Security Vulnerabilities fixed in Thunderbird 128.5

https://www.mozilla.org/en-US/security/advisories/mfsa2024-68/

[2] Security Vulnerabilities fixed in Thunderbird 133

https://www.mozilla.org/en-US/security/advisories/mfsa2024-67/

[3] Security Vulnerabilities fixed in Firefox for iOS 133

https://www.mozilla.org/en-US/security/advisories/mfsa2024-66/

[4] Security Vulnerabilities fixed in Firefox ESR 115.18

https://www.mozilla.org/en-US/security/advisories/mfsa2024-65/

[5] Security Vulnerabilities fixed in Firefox ESR 128.5

https://www.mozilla.org/en-US/security/advisories/mfsa2024-64/

[6] Security Vulnerabilities fixed in Firefox 133

https://www.mozilla.org/en-US/security/advisories/mfsa2024-63/

[7] Update Firefox to the latest release

https://support.mozilla.org/ko/kb/update-firefox-latest-release