CVE-2024-11696

Published: Nov 26, 2024Modified: Nov 3, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

Affected (4)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 133.0
Mozilla Firefox	Before 128.5.0
Mozilla Thunderbird	Before 128.5.0
Mozilla Thunderbird	From 129.0 to 133.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://bugzilla.mozilla.org/show_bug.cgi?id=1929600

Source: security@mozilla.org

Issue Tracking

https://www.mozilla.org/security/advisories/mfsa2024-63/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-64/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-67/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-68/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/11/msg00029.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.