PT-2024-8826 · Mozilla+9 · Firefox+10
Rob Wu · Published 2024-11-25 · Updated 2026-05-19 · CVE-2024-11696
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Firefox versions prior to 133
Firefox ESR versions prior to 128.5
Thunderbird versions prior to 133
Thunderbird versions prior to 128.5
Description:
The application failed to account for exceptions thrown by the loadManifestFromFile method during add-on signature verification. This flaw could have caused runtime errors that disrupted the signature validation process, potentially bypassing the enforcement of signature validation for unrelated add-ons. Signature validation is used to ensure that third-party applications have not tampered with the user's extensions.
Recommendations:
For Firefox versions prior to 133, update to version 133 or later to resolve the issue.
For Firefox ESR versions prior to 128.5, update to version 128.5 or later to resolve the issue.
For Thunderbird versions prior to 133, update to version 133 or later to resolve the issue.
For Thunderbird versions prior to 128.5, update to version 128.5 or later to resolve the issue.
As a temporary workaround, consider disabling the loadManifestFromFile method until a patch is available.
Fix
Improper Verification of Cryptographic Signature
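The bug class in the description, shown as an added sketch that is not Mozilla's code: an exception raised while checking one add-on ends the verification pass, so later, unrelated add-ons are never checked. Every name except loadManifestFromFile is hypothetical, the loader here is a simplified stand-in, and treating an unverifiable add-on as failed is this example's assumption.

```javascript
// Illustrative sketch only: hypothetical names, not Firefox source code.
// Constructed sample data: three add-ons, one with an unreadable manifest.
const SAMPLE_ADDONS = [
  { id: "a@example", manifest: '{"name":"A"}', signed: true },
  { id: "broken@example", manifest: "{not json", signed: true },
  { id: "tampered@example", manifest: '{"name":"T"}', signed: false },
];

// Stand-in for a manifest loader that throws on malformed input.
function loadManifestFromFile(addon) {
  return JSON.parse(addon.manifest); // throws SyntaxError for broken@example
}

// Stand-in signature check (assumption: the real check is cryptographic).
function hasValidSignature(addon) {
  loadManifestFromFile(addon);
  return addon.signed;
}

// Fail-open pattern: one exception aborts the whole pass, so add-ons later
// in the list are never checked and remain enabled.
function verifyAllUnguarded(addons) {
  const disabled = [];
  try {
    for (const addon of addons) {
      if (!hasValidSignature(addon)) disabled.push(addon.id);
    }
  } catch (e) {
    // Error handled far from its source; the rest of the list is skipped.
  }
  return disabled;
}

// Hardened pattern: errors are contained per add-on and counted as a
// verification failure (fail closed), and the pass always completes.
function verifyAllFailClosed(addons) {
  const disabled = [];
  for (const addon of addons) {
    let ok = false;
    try {
      ok = hasValidSignature(addon);
    } catch (e) {
      ok = false; // could not verify, so do not trust
    }
    if (!ok) disabled.push(addon.id);
  }
  return disabled;
}
```

With the constructed data, the unguarded pass disables nothing, including the add-on whose signature check would have failed, while the fail-closed pass disables both the unreadable and the tampered add-on.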
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Firefox
Linuxmint
Red Hat
Rocky Linux
Suse
Thunderbird
Ubuntu